Trouble with expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: kasdivi.com

I ran this command:
I try to access my mail and Apple Mail says the certificate has expired on 7/08/2022

I run sudo certbot renew

It produced this output:

Processing /usr/local/etc/letsencrypt/renewal/kasdivi.com.conf


Cert not yet due for renewal


The following certificates are not due for renewal yet:

/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem expires on 2022-09-09 (skipped)

No renewals were attempted.

My web server is (include version):

apache 2.24.51

The operating system my web server runs on is (include version):
freebsd 13

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.13.0

Which mail server are you running?
How did you last load the cert into it?

In short: The web server is using the latest cert; But the email service is still using the previous one.
[which expired on July 8]

8 Likes

I'm guessing here. LE updates the certs... 001, 002, etc. The mail server... whatever it is is looking at an outdated cert?

It is important to know which mail server is running. Whatever it is it would be beneficial to script the distribution of the cert(s) so the mail server is always up to date.
My 2 cents

8 Likes

Thanks for the quick responses. I am running Postfix 3.6,3. and Dovecot 2.3.17. I think that the mail service interfaces with Dovecot.

2 Likes

Half way there...

6 Likes

Maintain certificate on server with certbot. Specify the resulting certificate (/usr/local/etc/letsencrypt/live/kasdivi.com/fullchain.pem) in the Dovecot SSL configuration.
I was able to force Apple Mail to trust the expired certificate. My experience has been Apple and some browsers don't play well with letsencrypt. Email seems happy again even with what it thinks to be an expired certificate.

Then you may only need to restart/reload Dovecot.
[after each certificate renewal]

It IS an expired cert being served.

8 Likes
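The reload-after-renewal step suggested above, as an added example that is not from any participant in this thread: a certbot deploy hook that reloads Dovecot and Postfix and then checks that the certificate served on IMAPS is the one on disk. The function names, the port (993) and the hook location are assumptions; the lineage path and domain are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: certbot deploy hook for a Postfix + Dovecot host.
# Assumed install location: <certbot config dir>/renewal-hooks/deploy/
# certbot exports RENEWED_LINEAGE to deploy hooks after a successful renewal.

LINEAGE="/usr/local/etc/letsencrypt/live/kasdivi.com"  # path from the thread
MAIL_HOST="kasdivi.com"
IMAPS_PORT=993                                         # assumption: IMAPS on 993

# "sha256 Fingerprint=AB:CD" (any case) -> "abcd"
norm_fp() { printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'; }

# Fingerprint of the leaf certificate certbot wrote to disk.
disk_fp() { openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256; }

# Fingerprint of the leaf certificate the mail server actually presents.
served_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# True only if the served fingerprint is non-empty and equals the on-disk one.
fp_match() { [ -n "$1" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# Act only when the renewed lineage is the one the mail services use.
hook_applies() { [ "$1" = "$LINEAGE" ]; }

main() {
    hook_applies "${RENEWED_LINEAGE:-}" || return 0
    doveadm reload    # new Dovecot login processes pick up the renewed files
    postfix reload    # same for Postfix
    sleep 2
    if fp_match "$(served_fp "$MAIL_HOST" "$IMAPS_PORT")" "$(disk_fp "$LINEAGE")"; then
        echo "ok: $MAIL_HOST:$IMAPS_PORT serves the certificate on disk"
    else
        echo "STALE: $MAIL_HOST:$IMAPS_PORT is not serving $LINEAGE/fullchain.pem" >&2
        return 1
    fi
}

# Run only when certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

The same `served_fp` / `disk_fp` comparison can be run by hand to confirm a stale certificate before touching any client settings.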

Thing was, only the iPhone was upset. But I will restart Dovecot. That makes more sense.

1 Like

OK, I restarted Dovecot. The correct certificate shows up, but Apple Mail doesn't trust it. Like I said, Apple doesn't seem to like letsencrypt. Will tinker to see what I can do. Now definitely an Apple Mail problem.

Then you might need to switch to chains OR switch to another (free) CA provider.

6 Likes

It is weird. No problem with my desktop. Letsencrypt works fine for my website (except with Brave). In the end the issue appears to be Apple iPhone Apple Mail. I will probably swap mail apps out first. They make a great OS for desktop and a POS for tablets and phones.

1 Like

Also, try using the "short chain".

5 Likes

Short chain? Is that attach my phone to a short chain and throw it off a bridge?

2 Likes

OK, did the usual Apple Mail phone fix: delete the account and add it again. All good, not a letsencrypt issue. Thanks again.

2 Likes
