1 (edited by it-456 2021-05-28 23:45:37)

Topic: SSL Certificate Renewal Error

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.13.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Debian 10 Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

Yesterday (2021-05-27), at approx. 3:30pm, users began receiving alerts that the email server had a bad SSL certificate. Preliminary inspection revealed the server was using certificates with expiry 2021-05-27; the issue was resolved by rebooting the server, after which the server started using certs with expiry 2021-07-26.

Breaking down what went wrong, I’ve been going through the emailed logs to postmaster; this is what I’ve been able to find:

EMAIL 1 – Sent 2021-04-27 11:01pm:

To root@mx.redacted.tld From “Cron Daemon” root@mx.redacted.tld Subject “Cron <root@mx> certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’”
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.t43.digital.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.t43.digital/fullchain.pem expires on 2021-07-26 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

EMAIL 2 – Sent 2021-04-26 11:01pm:

To root@mx.redacted.tld From “Cron Daemon” root@mx.redacted.tld Subject “Cron <root@mx> certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’”
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.t43.digital.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.t43.digital/fullchain.pem expires on 2021-05-27 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

It appears the certificates renewed about a month ago; however, the services were never restarted to actually enable the use of the new certificates, leading us to the current situation, where the certificates have expired in production. Does anyone have suggestions as to what went wrong, and how this can be mitigated in the future? The output of crontab suggests the services should have been restarted:

`1 3 * * * certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'`

----


Re: SSL Certificate Renewal Error

Please replace the command "service" with an absolute path like "/sbin/service" (use the real one on your server); this will fix the issue.
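Building on the reply's fix, here is an added example (not iRedMail's or either poster's code) of a certbot deploy hook that resolves service(8) against an explicit PATH and fails loudly when it cannot, plus a check that the certificate a running service presents matches the one certbot wrote to disk, so a renewed-but-never-loaded certificate is caught before it expires. The PATH list, service names, ports and the use of certbot's RENEWED_LINEAGE variable as the "running as a hook" signal are assumptions.

```sh
#!/bin/sh
# Added example, not iRedMail's or the poster's code: a certbot deploy hook that
# does not rely on cron's PATH, plus a check that each service really serves the
# renewed certificate. Paths, ports and host names are assumptions.

CRON_DEFAULT_PATH=/usr/bin:/bin   # what Debian's cron gives jobs; service(8) is in /usr/sbin
HOOK_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# find_in_path NAME PATHLIST: print the absolute path of NAME, searching only the
# colon-separated PATHLIST; fail (exit 1) if it is not found there.
find_in_path() (
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# restart_services "svc1 svc2 ...": restart each service through an absolute path
# to service(8). Returns 1 if it cannot be resolved or any restart fails, so
# certbot reports a hook failure instead of leaving the old certificate loaded.
restart_services() {
    svc=$(find_in_path service "$HOOK_PATH") || {
        printf 'service(8) not found in %s\n' "$HOOK_PATH" >&2; return 1; }
    rc=0
    for s in $1; do
        "$svc" "$s" restart || { printf 'restart of %s failed\n' "$s" >&2; rc=1; }
    done
    return $rc
}

# served_cert_matches HOST PORT DISKPEM [STARTTLS_PROTO]: compare the SHA-256
# fingerprint presented by a live service with the certificate file on disk.
# 0 = match, 1 = mismatch (renewed on disk but never loaded), 2 = could not check.
served_cert_matches() {
    want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 2
    starttls=${4:+-starttls $4}
    got=$(openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256) || return 2
    [ "$want" = "$got" ]
}

# When certbot runs this as a deploy hook it sets RENEWED_LINEAGE; restart then.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    restart_services "postfix nginx dovecot"
fi
```

From a monitoring job, `served_cert_matches mail.t43.digital 587 /etc/letsencrypt/live/mail.t43.digital/fullchain.pem smtp` (and likewise 993 for Dovecot and 443 for Nginx, ports assumed) returns 1 exactly in the situation described in the question, a fresh certificate on disk while the daemons still hold the old one.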