(edited by Jochen 2021-10-04 16:47:48)

Topic: Problem with Let's encrypt intermediate cert expired

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.2.1
- Deployed with iRedMail Easy or the downloadable installer? dl
- Linux/BSD distribution name and version: debian 10.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

On the 29th or 30th of September the Let's Encrypt intermediate certificate R3 (and also the X1 root or so) expired. I am having issues with iOS devices and Mac clients complaining about an untrusted cert. In the detail pane on the Macs I see that the R3 intermediate is expired. The OS on the clients is up to date. On the server I regenerated the cert and rebooted the machine, still no change.
The problem does not occur on the web interface using the same cert.

From dovecot.conf I don't see the server offering the intermediate at all...

ssl_cert = </etc/letsencrypt/live/<host>/cert.pem
ssl_key = </etc/letsencrypt/live/<host>/privkey.pem

While nginx effectively does...

from ssl.tmpl:

ssl_certificate /etc/ssl/certs/iRedMail.crt;
ssl_certificate_key /etc/ssl/private/iRedMail.key;

where /etc/ssl/certs/iRedMail.crt is pointing to /etc/letsencrypt/live/<host>/fullchain.pem

Any idea how to fix this? The Internet is full of IIS and other web solutions, but I did not yet find anything relating to mail servers.

Thanks in advance

Jochen

----



Re: Problem with Let's encrypt intermediate cert expired

Jochen wrote:

From dovecot.conf I don't see the server offering the intermediate at all...

ssl_cert = </etc/letsencrypt/live/<host>/cert.pem
ssl_key = </etc/letsencrypt/live/<host>/privkey.pem

I was able to fix this by changing the dovecot.conf to

ssl_cert = </etc/letsencrypt/live/<host>/fullchain.pem
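The check behind this fix, as an added example that is not part of the thread: a leaf-only cert.pem makes Dovecot send one certificate, so clients that do not already hold the issuer cannot build a trust path, while fullchain.pem includes the intermediate. The host name mail.example.com and the config file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Flags a Dovecot ssl_cert
# setting that points at the leaf-only cert.pem instead of fullchain.pem,
# and counts how many certificates a PEM bundle or a live server presents.

# Print how many PEM certificate blocks a file contains.
# Let's Encrypt cert.pem holds 1 (leaf only); fullchain.pem holds 2 or more.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 if the first ssl_cert line in a Dovecot config file references
# fullchain.pem, 1 if it references anything else (e.g. the leaf-only cert.pem).
dovecot_sends_chain() {
    cert_path=$(sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<//p' "$1" | head -n 1)
    case "$cert_path" in
        */fullchain.pem) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check (needs network): count the certificates the IMAP server actually
# presents on the implicit-TLS port 993. A count of 1 means the intermediate
# is missing and only clients that already cache the issuer will trust it.
served_cert_count() {
    openssl s_client -connect "$1:993" -showcerts </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}
```

Run `served_cert_count mail.example.com` after `service dovecot restart` to confirm the count went from 1 to at least 2.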