1

Topic: Expiring Let's Encrypt R3 Certificate

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):     2021090801
- Deployed with iRedMail Easy or the downloadable installer? Easy
- Linux/BSD distribution name and version: Ubuntu 18.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes 4.9 MySQL
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

We have checked our Let's Encrypt certificate and it has valid dates 24/09/21 until 23/12/21, but it seems that the R3 certificate is expiring worldwide today, which seems to be causing an issue. Mac Mail is putting up the message "Certificate Invalid", and you can click on the Continue button and it seems to be working ok.

But on iOS 14 and iOS 15, and even the 15.1 beta, it is failing, as the message does not have the option to Continue. It says: "Cannot Verify Server Identity", and it only has Details or Cancel, and neither of these options allows the client to receive mail.

Does anyone know how to resolve this issue with the expiring R3 certificate? Do we need to find another certificate provider, get a new Let's Encrypt certificate, or something else?

Would appreciate help with this as a lot of our users are on iOS.


2 (edited by cvcvelo 2021-09-30 09:21:14)

Re: Expiring Let's Encrypt R3 Certificate

I hit this same issue today with a database server running FreeBSD.

It's a server config issue. There are multiple versions of the R3 intermediate CA. It sounds as though you're pointing at the expired one issued by DST rather than the valid one issued by Let's Encrypt, which expires in 2025.

The fix is for your webserver's TLS configuration to point to the fullchain.pem cert, not the cert.pem file. Then it will find a valid R3 CA.

On my iRedMail box I didn't need to change anything. On a Debian 10 box, the file /etc/nginx/templates/ssl.tmpl has this line:

ssl_certificate /etc/ssl/certs/iRedMail.crt;

which in turn symlinks to:

/etc/letsencrypt/live/<hostname>/fullchain.pem

Pointing to fullchain.pem, either directly or better yet with a symlink, and restarting your web server should clear the issue.

Hope this helps.
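The check described above, as an added example that is not part of this thread or of iRedMail itself: follow the symlink chain behind the path nginx is configured with, count how many PEM certificate blocks the final file carries (a leaf-only cert.pem has one; fullchain.pem has the leaf plus the intermediate), and repoint the link if it is wrong. The paths /opt/iredmail/ssl/cert.pem and /etc/letsencrypt/live/<hostname>/fullchain.pem are assumed from the thread; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not iRedMail's own tooling. Assumes a Linux userland
# (readlink -f) and Let's Encrypt files laid out as in the thread.

# Follow every symlink hop and print the final, canonical target.
resolve_target() {
    readlink -f "$1"
}

# Count PEM certificate blocks: 1 = leaf only (cert.pem),
# 2 or more = leaf plus intermediate(s) (fullchain.pem).
# "|| true" keeps grep's exit status 1 (zero matches) from aborting a set -e shell.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds (exit 0) only if the configured path, after symlinks, carries
# at least two certificates, i.e. the server will send the intermediate.
chain_ok() {
    target=$(resolve_target "$1")
    [ -r "$target" ] || return 1
    n=$(count_certs "$target")
    [ "$n" -ge 2 ]
}

# Human-readable report for one configured path.
report() {
    target=$(resolve_target "$1")
    printf '%s -> %s (%s cert(s))\n' "$1" "$target" "$(count_certs "$target")"
    if chain_ok "$1"; then
        echo "OK: full chain present"
    else
        echo "PROBLEM: leaf only; clients that lack the intermediate (iOS Mail) will fail"
    fi
}

# Repoint a symlink at fullchain.pem. -n stops ln from descending into an
# existing link that points at a directory; -f replaces the old link.
fix_link() {
    ln -sfn "$2" "$1"
}

# Typical use on the box from the thread (hostname is a placeholder):
#   report /opt/iredmail/ssl/cert.pem
#   fix_link /opt/iredmail/ssl/cert.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem
#   report /opt/iredmail/ssl/cert.pem
# then reload nginx, Dovecot and Postfix so they re-read the bundle.
```

Note that after fixing the link the services must be reloaded: nginx, Dovecot and Postfix each load the PEM file at startup, so a corrected symlink alone changes nothing until they re-read it.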

3

Re: Expiring Let's Encrypt R3 Certificate

Thanks a lot for your reply and I have checked the files you suggested.

We are using Ubuntu 18.04LTS and I found the file:
/etc/nginx/templates/ssl.tmpl

In this file is a note that it is managed by the iRedMail team with Ansible, and the line reads as:
ssl_certificate /opt/iredmail/ssl/combined.pem;

I've checked this file and it is pointing to:
/etc/letsencrypt/live/<hostname>/fullchain.pem

So it does appear to be correct.

When you click on the certificate details in a browser it is showing as an R3 certificate as per the attached screenshot.

If you can assist further it would be greatly appreciated.

Thanks a lot



Post's attachments: Screen Shot 2021-09-30 at 4.04.00 PM.png (112.78 kb)

4 (edited by cvcvelo 2021-09-30 20:05:37)

Re: Expiring Let's Encrypt R3 Certificate

Sorry, I don't have a lot of other ideas. I've never run iRedMail on Ubuntu, and the only Ubuntu box I have available at the moment runs Apache.

The only other suggestions I have are

- check if the fullchain.pem cert is not itself symlinked somewhere else, for example to /etc/letsencrypt/archive/<hostname>. Somewhere there's a valid link missing.

- if you run any other vhosts in nginx, outside of iRedMail, follow their cert paths on your server. It might even be worth setting up one vhost and getting a working Let's Encrypt cert for it just to compare a known good setup with what you've got. You can use the command 'openssl x509 -noout -text -in <certname.pem> | more' to read a cert and see its issuer, expiration date, etc.

Sorry I couldn't help more. Good luck with this.
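The openssl inspection suggested above, worked out as an added example (mine, not the thread's or iRedMail's): split a bundle such as fullchain.pem into its individual certificates and print subject, issuer and expiry for each, and fetch the chain a live service actually sends. Mail clients talk to Dovecot (993) and Postfix (587), not to nginx, so those ports need checking as well as 443. The openssl CLI is assumed to be on PATH; mail.example.com is a placeholder; split_bundle, describe_bundle and served_chain are names I chose.

```shell
#!/bin/sh
# Added example, not iRedMail's own tooling. Assumes the openssl CLI and awk.

# Split a PEM bundle (or raw "openssl s_client -showcerts" output) into
# numbered single-certificate files under $2. Prints the number written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# One line per certificate: subject, issuer, notAfter. On a bundle from
# late 2021 the intermediate should read "CN = R3" issued by "ISRG Root X1";
# "CN = R3" issued by "DST Root CA X3" is the cross-signed copy that expired.
describe_bundle() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp" >/dev/null
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        openssl x509 -noout -subject -issuer -enddate -in "$c" | tr '\n' ' '
        echo
    done
    rm -rf "$tmp"
}

# Dump the chain a running service sends. $3 is empty for implicit TLS
# (443, 993, 995) or a STARTTLS protocol name (smtp, imap, pop3) for 587/143/110.
served_chain() {
    host=$1; port=$2; starttls=$3
    if [ -n "$starttls" ]; then
        openssl s_client -connect "$host:$port" -servername "$host" \
            -starttls "$starttls" -showcerts </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:$port" -servername "$host" \
            -showcerts </dev/null 2>/dev/null
    fi
}

# Typical use (placeholder host):
#   describe_bundle /etc/letsencrypt/live/mail.example.com/fullchain.pem
#   served_chain mail.example.com 993 ""   > /tmp/imap.pem && describe_bundle /tmp/imap.pem
#   served_chain mail.example.com 587 smtp > /tmp/smtp.pem && describe_bundle /tmp/smtp.pem
# If the file on disk shows two certificates but the live service sends one,
# the daemon is reading a different path or has not been reloaded.
```

Comparing the on-disk bundle with what each port serves is the quickest way to separate "wrong file" from "right file, stale process": the thread's symptom (iOS refusing the connection while macOS can click through) fits a server that sends only the leaf and leaves the client to find an intermediate it no longer trusts.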

5

Re: Expiring Let's Encrypt R3 Certificate

You were absolutely correct, and it seems that the link was
/opt/iredmail/ssl/cert.pem -> /etc/letsencrypt/live/<domain>/cert.pem
instead of -> /etc/letsencrypt/live/<domain>/fullchain.pem

I have fixed that link and it is now working - thanks a lot for pointing me in the right direction. Not sure why it surfaced just now, but glad it is working again.

Thanks



6

Re: Expiring Let's Encrypt R3 Certificate


Excellent — glad to hear it’s working again.

The reason it came up just now is that your previous cert's chain of trust included a DST-issued R3 intermediate cert that happened to expire yesterday. Now that you're pointing to the LE-issued version of the R3 cert, you should be good to go.