What is the issue happened yesterday regarding certificate expiry


We are using lets encrypot for the SSL certificate. Today morning we get the not secured error almost every where. But in windows 10 chrome and in firefox its running fine. So what it do now ?

Do we need to do something on client PC or in server. Also our server is Ubuntu 16 with Vesta panel installed.

1 Like

I am facing the same issue all of my users reporting the same problem, a quick fix by the team appreciated this is happening after the recent google chrome browser update

Please read this first:

If you have any special questions then, feel free to ask.


And welcome to the LE community forum :slight_smile:

Actually the SSL certificate used for the domain for sending mail as well. And my server is Ubuntu 16. So it says certificate expires

So we can check further, which FQDN are those?
Also, what version of openssl is on your Ubuntu 16?
And what O/S, browsers, and mail clients are showing this certificate expiry problem?

FQDN - mail.saramails.com
Screenshot by Lightshot
Actually its our own SMTP for mail server. In nodemailer we use its credentials to send mail and it throws error of certificate expired

Well that was useless!
The Lightshot site showed me nothing - even after having to captcha through it twice.

Is the mail server also used via HTTPS (like for webmail)?

Website looks good:

openssl s_client -connect mail.saramails.com:443 -servername mail.saramails.com
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.saramails.com
verify return:1
Certificate chain
 0 s:CN = mail.saramails.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Port 25 looks good:

openssl s_client -connect mail.saramails.com:25 -starttls smtp
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:/CN=mail.saramails.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Installed: 1.0.2g-1ubuntu4.15
Candidate: 1.0.2g-1ubuntu4.15
Version table:
*** 1.0.2g-1ubuntu4.15 500
500 Index of /ubuntu/ xenial-updates/main amd64 Packages
500 Index of /ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1.0.2g-1ubuntu4 500
500 Index of /ubuntu/ xenial/main amd64 Packages

The mail clients are mobile app and a custom mail client like webmail

OpenSSL may need to be patched if it can't be upgraded,
See: Old Let’s Encrypt Root Certificate Expiration and OpenSSL 1.0.2 - OpenSSL Blog

Ok will check. Thanks for the information hope it helps.

Here what is patched in particular ? Because in production server its difficult to update

port 465 and 587 don't seem to be secured via TLS?
Where those secure before?

ports 993 and 995 are having some other trouble (possibly just blocked by firewall rule):

openssl s_client -connect mail.saramails.com:993
139914167185856:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139914167185856:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:

openssl s_client -connect mail.saramails.com:995
139997128352192:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139997128352192:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:

Did those ever work?

It is not a long read.
The underlying GnuTLS libraries and mainly the trusted root store.

yes port 465 and 587 doesn't secured by TLS. We send it through by making secure false option

If I may ask, Why (when you have a cert and can secure it)?

haha...its a long story. Developer did some wrong interpretation about this.

1 Like

We are using Haraka (https://haraka.github.io/) as SMTP

and for TLS we use tls - Haraka SMTP Email Server

What is fullchain.pem in letsencrypt ?

It's a file that contains the end-leaf cert and any necessary intermediates to completely tie the chain to a trusted root.
[in an easy to use .pem format - the way most software likes it]

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.