I have a Rocky 8.8 postfix/dovecot virtual e-mail server that has been working without a problem for over one year. I am using letsencrypt certificates that are renewed every 3 months. This last week the server is presenting certificates that are out of date and related to the original certificates that were created by letsencrypt. postfix seems to be appropriately using the correct certificates but dovecot is not.
Have any of you had a similar problem? I finally had to direct the users to accept the bad certificate in order to get their e-mail to function.
Here is a copy of my 10-ssl.conf file -
# plain imap and pop3 are still allowed for local connections
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# removed 05/24/2023 to test certificates
ssl_cert = </etc/letsencrypt/live/post..net/fullchain.pem
ssl_key = </etc/letsencrypt/live/post..net/privkey.pem

local_name post..net {
  ssl_cert = </etc/letsencrypt/live/post..net/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..net/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}

ssl_client_ca_dir = /etc/ssl/certs
ssl_cipher_list = PROFILE=SYSTEM
Please note that the first certificate above is the same as the first local certificate, and when dovecot presents a certificate it presents an outdated certificate of the first local certificate. I have tried changing the addresses of the certificates to use a non-linked address in the letsencrypt 'archive' subdirectory, which did not remedy the problem. I have deleted the certificates on the remote machines and tried to accept new certificates, but the new ones are still the same. The only thing that has worked is to accept the bad certificate that is outdated.
Any help would be appreciated.
Thanks,
Greg Ennis
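An added check, not from the original post or from Dovecot itself, that compares the certificate Dovecot actually presents for each SNI name (each local_name block above) with the leaf certificate in the fullchain.pem it is configured to serve, and prints the on-disk expiry date. It assumes openssl(1) is installed; the host, port and domain names in the usage section are placeholders to replace with your own.

```shell
#!/bin/sh
# Compare the certificate Dovecot serves for an SNI name with the file on disk.
# Added example; host, port and names below are placeholders, not real values.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
# openssl x509 reads only the first certificate in the file, which in a
# Let's Encrypt fullchain.pem is the leaf, so chain files work unchanged.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter of the first certificate in a PEM file.
file_enddate() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Fingerprint of the certificate the server sends when the client asks for
# name "$3" via SNI on host "$1" port "$2" (implicit TLS, e.g. 993 or 995;
# add "-starttls imap" for port 143 or "-starttls pop3" for port 110).
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# True only when both fingerprints were obtained and are identical.
fingerprints_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# check_name host port sni_name pem_file
check_name() {
    want=$(file_fingerprint "$4")
    got=$(served_fingerprint "$1" "$2" "$3")
    if fingerprints_match "$want" "$got"; then
        echo "OK   $3: served certificate matches $4 (expires $(file_enddate "$4"))"
    else
        echo "FAIL $3: served ${got:-<no certificate received>}"
        echo "     disk   $want (expires $(file_enddate "$4"))"
    fi
}

# Usage with placeholder names: one line per local_name block in 10-ssl.conf.
if [ "${1:-}" = "run" ]; then
    for d in example.net example.com; do
        check_name mail.example.net 993 "$d" "/etc/letsencrypt/live/$d/fullchain.pem"
    done
fi
```

Dovecot reads the certificate files only when it starts or is reloaded, so a mismatch between the served and on-disk fingerprints usually means the renewed files have not been loaded yet.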