Topic: SSL_Accept error after certificate renewal
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 2.5
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu 20.04.2 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Initial error message:
postfix/submission/smtpd[7786]: connect from redacted.fqdn.com[0.0.0.0]
postfix/submission/smtpd[7786]: SSL_accept error from redacted.fqdn.com[0.0.0.0]: -1
postfix/submission/smtpd[7786]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
postfix/submission/smtpd[7786]: lost connection after STARTTLS from redacted.fqdn.com[0.0.0.0]
postfix/submission/smtpd[7786]: disconnect from redacted.fqdn.com[0.0.0.0] ehlo=1 starttls=0/1 commands=1/2
Backstory:
On this server we had two domains.
"domain.com"
"example.com"
domain.com does not exist anymore, however the lets encrypt certificate needed to be renewed.
So when i tried to renew the certificate for example.com it failed because it could not renew domain.com. So i removed domain.com from the lets encrypt certificate list and renewed example.com, and followed the instructions from docs[dot]iredmail[dot]org/letsencrypt to apply the symlinks and everything.
I checked that all services started and everything seemed to work.
Then a while after some colleagues reached out stating that older printers could no longer scan to email, and after checking the postfix logs while trying to scan to email i get the error mentioned above.
Some printers we fixed by using TLS 1.3 instead of 1.2, however i can see in the logs some newer machines using TLS 1.2 without an issue.
So my thought was that the old domain.com was the root issue, so i've spent some time cleaning the server from every mention of domain.com, however that did not resolve my issue.
And the main issue is that we've got some machines that we cannot use higher encryptions.
So the question is, why did this come up so sudden? Have lets encrypt started using higher ciphers or something?
I'm at my wits end, i've messed around with the server today, but cannot find a solution.
Any help would be much appreciated!
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.