Dovecot - 10-ssl.conf - Letsencrypt Certificates

I have a Rocky 8.8 postfix/dovecot virtual e-mail server that has been working without a problem for over one year. I am using letsencrypt certificates that are renewed every 3 months. This last week the server has been presenting certificates that are out of date and related to the original certificates that were created by letsencrypt. Postfix seems to be appropriately using the correct certificates but dovecot is not.

Have any of you had a similar problem? I finally had to direct the users to accept the bad certificate in order to get their e-mail to function.

Here is a copy of my 10-ssl.conf file -

# plain imap and pop3 are still allowed for local connections
ssl = required

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# removed 05/24/2023 to test certificates
ssl_cert = </etc/letsencrypt/live/post..net/fullchain.pem
ssl_key = </etc/letsencrypt/live/post..net/privkey.pem

local_name post..net {
  ssl_cert = </etc/letsencrypt/live/post..net/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..net/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}
local_name post..com {
  ssl_cert = </etc/letsencrypt/live/post..com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/post..com/privkey.pem
}

ssl_client_ca_dir = /etc/ssl/certs
ssl_cipher_list = PROFILE=SYSTEM

Please note that the first certificate above is the same as the first local certificate, and when dovecot presents a certificate it presents an outdated certificate of the first local certificate. I have tried changing the addresses of the certificates to use a non-linked address in the letsencrypt 'archive' subdirectory, which did not remedy the problem. I have deleted the certificates on the remote machines and tried to accept new certificates, but the new ones are still the same. The only thing that has worked is to accept the bad certificate that is outdated.

Any help would be appreciated.

Thanks,

Greg Ennis
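
A check for the symptom described in this post, added here as an example (not part of the original post): it reads the local_name blocks from 10-ssl.conf, then compares the certificate the running service presents for each name with the leaf certificate in the configured fullchain.pem. The config path /etc/dovecot/conf.d/10-ssl.conf, IMAPS on port 993 at 127.0.0.1, and all function names are assumptions.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def parse_ssl_certs(conf_text):
    """Map each local_name (None = global default) to its ssl_cert file path."""
    certs, name = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"local_name\s+(\S+)\s*\{", line)
        if m:
            name = m.group(1)
        elif line == "}":
            name = None
        else:
            m = re.match(r"ssl_cert\s*=\s*<\s*(\S+)", line)
            if m:
                certs[name] = m.group(1)
    return certs

def leaf_fingerprint(pem_text):
    """SHA-256 of the first (leaf) certificate in a fullchain.pem."""
    first = PEM_BLOCK.search(pem_text).group(0)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()

def served_fingerprint(host, sni, port=993):
    """SHA-256 of the certificate the running service presents for this SNI name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # verification is off only so that an
    ctx.verify_mode = ssl.CERT_NONE  # expired certificate can still be read
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def stale_names(conf_text, read_file, fetch):
    """local_name entries whose served certificate differs from the file on disk."""
    return sorted(n for n, path in parse_ssl_certs(conf_text).items()
                  if n and fetch(n) != leaf_fingerprint(read_file(path)))

if __name__ == "__main__":
    conf = open("/etc/dovecot/conf.d/10-ssl.conf").read()  # assumed path
    for n in stale_names(conf, lambda p: open(p).read(),
                         lambda n: served_fingerprint("127.0.0.1", n)):
        print("served certificate differs from file on disk:", n)
```

A name reported here means the running service is presenting something other than the file its configuration points to; no report while clients still see an outdated certificate means the file itself is the old one.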