I have an email server where I have Let's Encrypt SSL certs, expiring every 3 months, and certbot automatically renews them. If I access the server through a website in the browser, the correct and newest SSL certificate is used, but Thunderbird complains that the SSL certificate is not valid, in that it has expired.
The complaint is displayed through a dialog window, and if I click to view the certificate through this window, it shows an old certificate that has indeed expired. However, if I click the button "Get certificate", that button itself grays out, but nothing else happens. I tried right-clicking the name of the e-mail address (account) in Thunderbird, going to Settings -> Security, and deleting all the certificates for the domain, but somehow it still has the old certificate stored.
My setup is dovecot + postfix.
Any ideas?
Thanks sir for the thoughts, I've now verified that both of these services indeed point to the same SSL files as the ones for my https website, which are links pointing into /etc/letsencrypt/archive, and then pointing to the renewed certificate files from a few days ago. I restarted the services for both and now Thunderbird sees a new certificate, with the new dates, but TB still won't accept it, saying that the cert is invalid! Is it possible the default certbot renew is too bare-bones to be accepted for mail? – simernes – 2019-10-21T19:08:26.863
@simernes: Thunderbird usually provides details of why it thinks the certificate is invalid. Typical problems if you reuse the same certificate for web and mail are that you might use different hostnames, i.e. www.example.com vs. mail.example.com. And if the certificate is only valid for the first it will fail when used for mail. – Steffen Ullrich – 2019-10-21T19:27:15.193
Thunderbird is telling me that the error stems from "Wrong site: The certificate belongs to a different site, which could mean that someone is trying to impersonate the site". Could that be because I have several domains on the same certificate? – simernes – 2019-10-23T19:15:20.027
@simernes: That's exactly what I'm saying. You have a certificate which fits the name of your web server (i.e. www.example.com) but not your mail server (i.e. mail.example.com). – Steffen Ullrich – 2019-10-23T19:51:24.057
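The "Wrong site" error in the thread comes down to one check: is the mail server's hostname (the name Thunderbird was told to connect to, and sends as SNI) listed in the certificate's Subject Alternative Name entries? The script below, added here as an illustration and not part of the original question or answers, implements that check with the Python standard library only. It runs the RFC 6125-style name comparison (exact match or a single leftmost wildcard label) over a constructed certificate dictionary in the shape that `ssl.SSLSocket.getpeercert()` returns, and includes a helper to pull the live certificate from a server on an implicit-TLS port such as IMAPS 993 or SMTPS 465. The hostnames www.example.com, example.com and mail.example.com are the placeholders used in the comments above; the certificate contents are invented for the example.

```python
import socket
import ssl
from typing import Dict, List, Sequence

# Constructed stand-in for what getpeercert() returns for a Let's Encrypt
# certificate that was only requested for the web hostnames (hypothetical names).
WEB_ONLY_CERT: Dict = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan 19 12:00:00 2020 GMT",
}


def san_dns_names(cert: Dict) -> List[str]:
    """DNS names the certificate is valid for. Modern clients, Thunderbird
    included, only consult subjectAltName; the commonName is ignored."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    that is the whole leftmost label and covers exactly one label
    ('*.example.com' matches 'mail.example.com' but not 'a.mail.example.com',
    and '*.com' is rejected as too broad)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: Dict, hostname: str) -> bool:
    """True if any SAN entry matches the hostname the client connected to."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def missing_names(cert: Dict, hostnames: Sequence[str]) -> List[str]:
    """Hostnames that would have to be added to the certificate request so that
    every service (web, IMAP, SMTP) presenting this certificate passes the
    client's name check."""
    return [h for h in hostnames if not cert_covers_host(cert, h)]


def fetch_peer_cert(host: str, port: int = 993) -> Dict:
    """Fetch the certificate a live server presents on an implicit-TLS port,
    sending SNI for `host`. Chain validation stays on (getpeercert() returns an
    empty dict when verification is disabled), but the hostname check is turned
    off so a name mismatch can be inspected instead of aborting the handshake.
    Network-only helper; the offline checks above do not depend on it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    wanted = ["www.example.com", "mail.example.com"]
    print("SAN entries:", san_dns_names(WEB_ONLY_CERT))
    print("not covered:", missing_names(WEB_ONLY_CERT, wanted))
```

Against the constructed certificate the script reports `mail.example.com` as not covered, which is exactly the condition behind Thunderbird's "Wrong site" dialog. Running `fetch_peer_cert("mail.example.com")` against the real Dovecot or Postfix port and feeding the result to `missing_names` tells you whether the renewed certificate has the same gap. The remedy on the certbot side is to request the mail hostname as an additional `-d` name on the existing certificate (certbot's `--expand` option replaces a certificate whose names are a strict subset of the new request), after which both services must be restarted or reloaded, as the questioner already found.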