Topic: SSL Certificate Renewal Error
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.13.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: Debian 10 Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello,
Yesterday (2021-05-27) approx. 3:30pm users began receiving alerts that the email server had a bad SSL certificate, preliminary inspection revealed the server was using certificates dated expiry 2021-05-27 – issue was resolved by rebooting the server, wherein the server started using certs dated expiry 2021-07-26.
Breaking down what went wrong, I’ve been going through the emailed logs to postmaster, this is what I’ve been able to find:
EMAIL 1 – Sent 2021-04-27 11:01pm:
To root@mx.redacted.tld From “Cron Daemon” root@mx.redacted.tld Subject “Cron <root@mx> certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.t43.digital.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.t43.digital/fullchain.pem expires on 2021-07-26 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
EMAIL 2 – Sent 2021-04-26 11:01pm:
To root@mx.redacted.tld From “Cron Daemon” root@mx.redacted.tld Subject “Cron <root@mx> certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.t43.digital.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
/etc/letsencrypt/live/mail.t43.digital/fullchain.pem expires on 2021-05-27 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
It appears the certificates renewed about a month ago, however, the services where never restarted to actually enable the use of the new certificates, leading us to the current situation, where the certificates have expired in production. Does anyone have suggestions as to what went wrong, and how this can be mitigated in the future? Output of crontab suggests the services should have been restarted:
` 1 3 * * * certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'`
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.