SSL certificate - conflicting expiry dates

randmin

4/2/23, 2:16 PM

I am experiencing a weired issue regarding a letsencrypt SSL certificate on my postfix mail server.

According to certbot: "The following certs are not due for renewal yet: /etc/letsencrypt/live//fullchain.pem expires on 2022-01-31 (skipped)" (If i run certbot renew --dry-run, however, "[...] all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live//fullchain.pem (success)")

However, if I try to connect via IMAP (using thunderbird), I get a warning and the certificate shows a validity of "Not After 12/2/2021".

This is a difference of almost 2 month. I double checked that it is indeed the same certificate (dovecot and postfix both include the very same path printed out by certbot).

I guess I could forcefully renew the cert, but I'd rather understand the base issue here, to prevent another "invalid certificate" warning in the future.

Feels like I am overseeing something obvious as this is unlikely to be some kind of bug. If you need more information, tell me. Any tiny little hint is very welcome!

Happy codin'

162

0 + 0

ssl

postfix

dovecot

lets-encrypt

Gerald Schneider

4/2/23, 2:27 PM

Restart your imapd. It hasn't loaded the new certificate after the last renewal.

Bob

4/2/23, 2:27 PM

Most likely: your imap server (dovecot) wasn't restarted after the certificate got renewed...

randmin

4/2/23, 2:45 PM

Indeed that was the problem. Thank you both. I will not delete the question, however, because the problem description of the thread you supply is not very intuitive if you do not link the issue to a renewal that happened some month ago :)

Score:0

Server

randmin

4/2/23, 2:49 PM

I had to restart the IMAP service. In my case:

sudo systemctl restart dovecot

Apparently, I forgot to restart the service the last time the certificate was renewed. This was particularly tricky to find, because I did not renew the certificate lately and thus did not link this issue to an earlier renewal at all.

Thanks to Gerald Schneider and Bob for the fast comments that helped me find this.

0 + 0

Gerald Schneider

4/2/23, 2:52 PM

Just add the deploy hook to your renewal cron job, as shown in the linked answer, to prevent this from happening again.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SSL certificate - conflicting expiry dates

TH: ใบรับรอง SSL - วันหมดอายุที่ขัดแย้งกัน

RO: Certificat SSL - date de expirare conflictuale

RU: SSL-сертификат — конфликтующие даты истечения срока действия

VI: Chứng chỉ SSL - ngày hết hạn xung đột

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.