TLS error for SMTP but not for IMAP service

I renewed all certbot certificates today.

And now, my TLS'ed dovecot works fine.

But postfix fails to do the STARTTLS dance.

Thunderbird is showing this error message when I try to send an email (translated from German): unrecognized certificate issuer

Both services are using the same certificate /etc/letsencrypt/live/server.domain.org.pem

In /etc/letsencrypt/live/server.domain.org.pem, I see these renewed certificates:

fullchain36.pem
chain36.pem
cert36.pem

What can I do to debug this mess?

Well, had you provided your domain name, we could do some of that for you.

But you might try the postmap command from here:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it (and make our life a lot harder). In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My domain is:
tuxfriends.net

I ran this command:
certbot renew --force-renewal

It produced this output:
This was hours ago; I forgot it. But there was no error message.

My web server is (include version):
N/A
This is about SMTP and IMAP

The operating system my web server runs on is (include version):
Debian 13.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
4.0.0


I created another question with all needed information.

See

I see an IMAP server running on your MX host binky.tuxfriends.net, which has an OK chain (EE cert + its issuer R13),
but the SMTP server provides only the EE certificate, no intermediate. Your Postfix config should also point to fullchain36.pem, instead of cert36.pem.
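One way to reproduce the check described in the answer above, as an added example that is not part of the thread: count the certificates a service sends during STARTTLS and flag a leaf-only reply. The function names, the host `mail.example.org` and the sample PEM blocks are constructed for illustration; the live check assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: detect a server that sends only the end-entity (EE) certificate.

# Count PEM certificate blocks on stdin (grep exits 1 on zero matches, hence || true).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Classify a chain read from stdin: one block means the intermediate is missing.
classify_chain() {
    n=$(count_certs)
    case "$n" in
        0) echo "no-certificate" ;;
        1) echo "leaf-only" ;;
        *) echo "leaf-plus-$((n - 1))-intermediate" ;;
    esac
}

# Live check: certificates actually sent by the service during STARTTLS.
# usage: served_chain HOST PORT PROTO      (PROTO is smtp or imap)
# e.g.   served_chain mail.example.org 587 smtp   # hypothetical host
served_chain() {
    openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" \
        -showcerts </dev/null 2>/dev/null | classify_chain
}

# Constructed sample input: $1 PEM-shaped blocks with placeholder bodies
# (not real certificates), so the classifier can be exercised offline.
sample_pem() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----'
        i=$((i + 1))
    done
}

# Offline demonstration on the constructed input.
echo "cert-only file:  $(sample_pem 1 | classify_chain)"
echo "fullchain file:  $(sample_pem 2 | classify_chain)"
```

The same classifier can be pointed at the file Postfix is configured to use (`classify_chain < FILE`); `postconf smtpd_tls_cert_file` shows which file that is.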

Thank you! Now it works.