Thunderbird reports invalid (expired) certificate, but all browsers work perfectly fine

Hello,

I'm trying to set up Thunderbird with my mail server (postfix). I'm using Let's Encrypt for SSL.

The problem is: when Thunderbird connects, it says that the certificate is invalid, and I'm not sure why, because in all web browsers that I've tried I didn't receive any errors regarding the certificate.


I had a similar error with Apple Mail.

My domain is: szolotarev.dev, mail.szolotarev.dev

I ran this command: certbot renew

It produced this output:

root@dev:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.szolotarev.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/szolotarev.dev-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/szolotarev.dev-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/szolotarev.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mail.szolotarev.dev/fullchain.pem expires on 2021-10-03 (skipped)
  /etc/letsencrypt/live/szolotarev.dev-0001/fullchain.pem expires on 2021-09-16 (skipped)
  /etc/letsencrypt/live/szolotarev.dev-0002/fullchain.pem expires on 2021-10-03 (skipped)
  /etc/letsencrypt/live/szolotarev.dev/fullchain.pem expires on 2021-09-16 (skipped)

No renewals were attempted.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

So the certificates in certbot are fine, but the certificate offered by Courier-IMAP (and NOT Postfix! Postfix is an SMTP server, not an IMAP server, and is using a recent certificate) is expired.

How did you configure Courier-IMAP to use the certificates offered by certbot? I.e., which certificate path is configured in your Courier-IMAP's configuration? And if that's actually pointing to the correct paths in /etc/letsencrypt/, did you reload Courier-IMAP after the renewal was successful so it could load the renewed certificate? Ideally, this would have been done automatically using a --deploy-hook.


Thank you @Osiris. It was indeed an issue with the Courier IMAP configuration. It looks like I forgot to update the certificate and key fields in /etc/courier after I renewed the Let's Encrypt certificates for my domains. Do you know if it's possible to use the live Let's Encrypt cert files without copying them over to /etc/courier after renewal? The config file says that the files must be owned by the "courier" user.


That latter part might prevent you from directly using the paths in /etc/letsencrypt/ indeed. Maybe you can put the commands to copy the files and change ownership into a script and call that script from --deploy-hook?


OK, I'll try that.

This can be made to work, if you don't mind changing the permissions on files under /etc/letsencrypt.

Despite what the comments in the configuration file say, courier-imap (at least as of 5.0.6) doesn't require the private key to be owned by the courier user.
It does require the file to be readable when running as that user.

Nor does it require the private key file itself to lack world-readable permissions (possibly it checks whether the file is effectively world-readable, taking the permissions of parent directories into account).

So, for example, it should be enough to make /etc/letsencrypt/archive readable to a group that courier is in, and make the private key file world-readable.
