Would greatly appreciate easy-to-understand instructions to re-certify an email server


#1

Hi Folks,

Is there anyone who can tell me, step-by-step, how to
renew a Let’s Encrypt certificate for my email server?

My email server, the latest version Postfix – as of
January 2018 – on Ubuntu 16.04, was programmed
to auto-renew the certificate, but that program is
apparently not working correctly. (The programmer
who installed the auto-recertify program is no
longer available.)

I’m not a programmer, so I’d GREATLY APPRECIATE
it if you could tell me, in layman’s terms:

  1. What software (tools) I need to safely verify that
    my certificate is now invalid (I’m past the date the
    certificate needed to be re-certified.)

  2. What I need to do, step-by-step, to re-certify the
    email server, including what tool(s) I need to
    use.

Here’s other info on the install:

  • I use the server for email only – there’s no Web site
  • The server is: turquoise.dysartnewsmedia.com
  • The programmer used the Linux command line
    to program the installation
  • I received an email from Let’s Encrypt that the certification
    expires yesterday, April 4, 2018

Many thanks for any help.

-Joe


#2

Hi @JoeD5243,

Some good news for you, though not for Internet security as a whole: as of today, certificate validity isn’t usually checked for mail servers, very differently from the situation for web servers. If you go to a web site with an invalid certificate, like https://expired.badssl.com/, you’ll normally see an alarming warning message in your web browser. There isn’t yet a widespread equivalent for mail server certificate validity checking, so your current problem isn’t certain to cause you any practical issues right away. Most other e-mail servers will probably be willing to ignore the certificate problem and deliver e-mail to you anyway.

However, it’s still great that you want to get your certificate problem fixed!

The “easy” way is to look at the contents of

https://crt.sh/?Identity=%turquoise.dysartnewsmedia.com

The “official” way is to run

openssl s_client -connect turquoise.dysartnewsmedia.com:25 -starttls smtp -servername turquoise.dysartnewsmedia.com

on the command line of an Internet-connected Unix system.

The distinction between these two is that the former shows what certificates exist for your server, while the latter shows what certificate your server is currently actually using. (In some cases it could be possible that a renewed certificate has successfully been issued, but that a server hasn’t yet been configured to use it.)

Both of these confirm for me that your certificate did indeed expire and that expired certificate is the same certificate that your mail server is still presenting.

The question of how to renew the certificate depends a bit on how it was issued, because there are a number of different tools that can be used to obtain a certificate on the Linux command line. Is it possible to find out more specifically from the programmer what method was used?

You could also see if it was our Certbot software by logging into that server’s command line and running a command like locate certbot.
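
The check described in the reply above can be scripted so that an expired or soon-to-expire mail certificate is noticed without reading the s_client output by hand. This is an added example, not part of the original thread; the function names, the 30-day warning threshold and the sample expiry line are assumptions constructed for illustration, and it relies on GNU date.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# Print the expiry line of the certificate the server presents on port 25,
# e.g. "notAfter=Apr  4 12:00:00 2018 GMT". Uses the s_client command from the post.
served_not_after() {
    local host="$1"
    openssl s_client -connect "$host:25" -starttls smtp -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null
}

# Classify a "notAfter=..." line against a reference time.
#   $1 = expiry line, $2 = "now" in epoch seconds (default: current time),
#   $3 = warning threshold in days (assumed default: 30)
# Prints EXPIRED, "RENEW_SOON <days>", "OK <days>", or UNKNOWN.
cert_status() {
    local line="$1" now="${2:-$(date +%s)}" warn_days="${3:-30}" expiry days
    # No certificate came back (connection failed, no STARTTLS): do not guess.
    case "$line" in
        notAfter=*) ;;
        *) echo "UNKNOWN"; return 2 ;;
    esac
    # GNU date understands OpenSSL's date format.
    expiry=$(date -u -d "${line#notAfter=}" +%s 2>/dev/null) || { echo "UNKNOWN"; return 2; }
    if [ "$expiry" -le "$now" ]; then
        echo "EXPIRED"
        return 1
    fi
    days=$(( (expiry - now) / 86400 ))
    if [ "$days" -lt "$warn_days" ]; then
        echo "RENEW_SOON $days"
    else
        echo "OK $days"
    fi
}

# With a hostname argument, check the live server; otherwise use a constructed sample line.
if [ "$#" -gt 0 ]; then
    cert_status "$(served_not_after "$1")"
else
    cert_status "notAfter=Apr  4 12:00:00 2018 GMT" "$(date -u -d '2018-03-20 12:00:00' +%s)"
fi
```

Run with the mail server's hostname as the only argument to check the certificate it is actually serving; the non-zero exit status on EXPIRED or UNKNOWN makes it usable from cron.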

