
This is a follow-up to another question I had, but it's quite different so I thought I'd start a new post.

Emails bouncing - 454 TLS not available due to temporary reason

I'm trying to work out why I still get this error message when adding an email account (in this case, in Thunderbird - but I also get the problem on phones as well):

[screenshot]

The weird thing is that if I check it on SSL-Tools.net, it looks fine:

https://ssl-tools.net/mailservers/wkingbrickwork.co.uk

I really don't get it - as Thunderbird shows me my certificate is expired here:

[screenshot]

Am I missing something? Please let me know if you need any more information to help me debug. I'm not sure what would be helpful.

Andrew Newby
  • Most probably you are missing the DST Root CA X3 certificate in Thunderbird. If you click on 'Get Certificate' and inspect it Thunderbird should show you why it deems the certificate invalid. – Gerald Schneider Aug 16 '17 at 09:00
  • @GeraldSchneider - thanks. This is an up-to-date version so should be fine for the root cert. The more confusing part is that I've just seen that MY certificate shows as expired on the 9th of Aug (see updated). Yet when I look at it here: https://admin.newbyhost.com/ , it shows as expiring on the 8th of October! Does the mail stuff look up the certificate in a different way? (and how can I test this) – Andrew Newby Aug 16 '17 at 09:03
  • It's possible that the mailserver is configured to use a different certificate file than the webserver. Or the mailserver hasn't been restarted after the cert file was renewed and is still using the old certificate from cache. – Gerald Schneider Aug 16 '17 at 09:05
  • Looking at the [details of your cert on ssl-tools.net](https://ssl-tools.net/subjects/50fa1188045e63fa033e1115536b2be05cd484f5#15d2772491) it seems that your mailserver is providing two certificates ... the valid and the invalid one. It should only provide the newer certificate. – Gerald Schneider Aug 16 '17 at 09:15
  • @GeraldSchneider interesting. I just rebooted the server, and it does seem to have gone away with that message. I'm not sure why though, as I'm rebooting `exim4` and `vesta` (the control system). With regards to the duplicate certs - do you still see that? – Andrew Newby Aug 16 '17 at 09:19
  • Click on the link and see for yourself. ssl-tools still lists two certs. It is however not clear if these are current certs or if they just show all certs they've seen before. If the problem vanished after a restart I'd assume that the mail service hadn't been restarted after the last certificate refresh. – Gerald Schneider Aug 16 '17 at 09:23
  • @GeraldSchneider - ah ok. Well it does all seem ok now, but I'm just waiting on confirmation to see if it's OK on the iPhone as well now (Thunderbird seems ok). Thanks for your help! Can't believe I didn't try a reboot! (I now just need to see why the `restart` in the cron script isn't actually reloading the certificate related side of things as well) – Andrew Newby Aug 16 '17 at 09:24
  • Can you post the steps which solved the issue as an answer please? – bgtvfr Aug 16 '17 at 09:41
  • @bgtvfr - embarrassingly, just rebooting the server :) I just need to work out why it didn't update the certificate on its own after the renewal. Anyway, I can figure that one out. – Andrew Newby Aug 16 '17 at 09:47
  • @GeraldSchneider - all good! Working fine on the iPhone as well now, so appears to be fixed. If you could add your answer (about needing to reboot the service), and that seems to have been the problem. Seems silly as an answer, but it could help someone else dumb like me ;) – Andrew Newby Aug 16 '17 at 09:48

1 Answer


Inspecting the certificate shows that the certificate has expired.

Since the webserver provides a valid certificate, it seems that the mail service hasn't been restarted after the certificate was renewed and is still serving the old certificate.

A restart of the mail service should fix the problem.

To prevent such problems in the future you can use the renew-hook of certbot with a simple shell script.

This is a script I am using:

#!/bin/bash
# Run by certbot after a successful renewal. certbot exports the renewed
# names in RENEWED_DOMAINS (space separated), so each service is reloaded
# only when its own certificate actually changed.
for domain in $RENEWED_DOMAINS
do
    if [ "$domain" = mail.example.com ]
    then
        # Mail services: a reload is enough to pick up the renewed files.
        systemctl reload dovecot
        systemctl reload postfix
    elif [ "$domain" = intern.example.com ]
    then
        # slapd needs its own copy readable by the openldap user. cp follows
        # the symlinks in live/, so the real files from archive/ are copied.
        cp "/etc/letsencrypt/live/$domain/"* /etc/ldap/ssl/
        chown -R openldap:openldap /etc/ldap/ssl/
        chmod 640 /etc/ldap/ssl/*
        systemctl reload slapd
    else
        # Everything else is served by Apache.
        systemctl reload apache2
    fi
done

The script is provided to certbot with the --renew-hook parameter in the cron job:

/opt/certbot-auto --renew-hook /opt/certbot-renew renew --quiet --no-self-upgrade
Gerald Schneider
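The comments above ask how to test which certificate the mail service is really serving, since the web server and the mail server can read different files and a third-party checker may show cached results. The script below is an added example, not part of the original answer or of certbot: it connects to the SMTP submission port with Python's standard library, performs STARTTLS with validation switched off so that an expired certificate is still retrieved, reads the notAfter date out of the DER certificate with a minimal ASN.1 walk, and compares the SHA-256 fingerprint with the leaf certificate in the certbot live directory. The host `mail.example.com`, port 587 and the path `/etc/letsencrypt/live/<host>/fullchain.pem` are assumptions; pass your own host and file as arguments.

```python
#!/usr/bin/env python3
"""Show which certificate an SMTP server really presents after STARTTLS.

Added example, not code from the original answer.  Host, port and PEM path
in main() are assumptions for illustration.  Only the standard library is
used, so the DER walk reads just enough of the certificate (RFC 5280 4.1)
to reach its validity field.
"""
import hashlib
import smtplib
import ssl
import sys
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Yield (tag, value) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity SEQUENCE { notBefore, notAfter }, ... }
    """
    _, certificate, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(certificate, 0)
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:  # explicit [0] version is optional; skip it when present
        fields = fields[1:]
    validity = fields[3][1]  # serialNumber, signature, issuer, validity
    time_tag, raw = list(_children(validity))[1]
    text = raw.decode("ascii")
    if time_tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif time_tag != 0x18:  # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{time_tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate (openssl's -fingerprint -sha256, without colons)."""
    return hashlib.sha256(der).hexdigest()


def leaf_from_pem(pem):
    """DER form of the first certificate in a PEM file (the leaf, when given fullchain.pem)."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    block = pem[pem.index(begin):pem.index(end) + len(end)]
    return ssl.PEM_cert_to_DER_cert(block + "\n")


def fetch_starttls_cert(host, port=587, timeout=10):
    """Return the DER leaf certificate an SMTP server presents after STARTTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # inspect, do not validate: an expired cert must still come back
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)  # smtplib sends EHLO first when needed
        return smtp.sock.getpeercert(binary_form=True)


def report(served_der, disk_der, now=None):
    """Compare the served certificate with the one on disk and flag expiry."""
    now = now or datetime.now(timezone.utc)
    not_after = cert_not_after(served_der)
    return {
        "served_fingerprint": fingerprint(served_der),
        "disk_fingerprint": fingerprint(disk_der),
        "same_certificate": served_der == disk_der,
        "served_not_after": not_after.isoformat(),
        "served_expired": not_after < now,
        "days_left": (not_after - now).days,
    }


def main(argv):
    # Assumed defaults: the submission port of the mail host and certbot's live leaf certificate.
    host = argv[1] if len(argv) > 1 else "mail.example.com"
    pem_path = argv[2] if len(argv) > 2 else f"/etc/letsencrypt/live/{host}/fullchain.pem"
    with open(pem_path) as fh:
        disk_der = leaf_from_pem(fh.read())
    result = report(fetch_starttls_cert(host), disk_der)
    for key, value in result.items():
        print(f"{key}: {value}")
    # Exit 1 when the service still serves something other than the renewed, valid
    # certificate, so the check can run from cron right after the renew hook.
    return 0 if result["same_certificate"] and not result["served_expired"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the renew hook (or after the restart described in the answer) to confirm that the running service and the file on disk agree; a mismatch means the daemon is still holding the old certificate in memory. By hand, `openssl s_client -connect mail.example.com:587 -starttls smtp </dev/null | openssl x509 -noout -enddate -fingerprint -sha256` gives the same two facts, with the fingerprint printed as colon-separated uppercase hex. Port 993 or 995 (IMAPS/POP3S, no STARTTLS) can be checked the same way without the `-starttls` option.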