[BlueOnyx:22965] letsencrypt certificates error
Maurice de Laat
mdlaat at muisnetwerken.nl
Wed Jun 26 04:27:19 -05 2019
Hi list,
This morning I got a notice that several of our websites produced
errors on expired certificates. Same issue on IMAP clients trying to
connect.
I wanted to share my findings with you, wondering how this can be
prevented in the future. I have letsencrypt certificates running for a
long time, but this is the first time this situation happened to me.
All certificates of all websites and the GUI were not expired. I checked
that with the openssl command-line tool:
#openssl x509 -enddate -in /home/sites/{domainname}/certs/certificate
notAfter=Aug 24 21:31:03 2019 GMT
However, browsing presented me with an older certificate:
Expires On Wednesday, June 26, 2019 at 3:36:57 AM
The renewal script for letsencrypt was being scheduled by cron:
cron: Jun 26 03:36:08 vps run-parts(/etc/cron.daily)[19096]: finished letsencrypt.cron
I manually ran "/usr/sausalito/sbin/letsencrypt_autorenew.pl -a" which
confirmed that all certificates were not expired.
NOT renewing SSL certificate for 'AdmServ' as it's still good.
(expiration date: 2019-08-24T21:30:28)
NOT renewing SSL certificate for '{domainname}' as it's still good.
(expiration date: 2019-08-24T21:31:03)
[...]
Renewal Checks: Done!
Nginx had been running for 2 months and 16 days:
Active: active (running) since Wed 2019-04-10 11:00:48 CEST; 2 months 16 days ago
Apparently, it had cached the old certificates because after a restart
of nginx all browsers were happy again.
Now for dovecot. The dovecot certificate is stored in
/etc/pki/dovecot/certs/dovecot.pem, and that one was indeed expired.
#openssl x509 -enddate -in sendmail.pem
notAfter=Jun 26 01:35:17 2019 GMT
I copied the certificate of the gui (/etc/admserv/certs/certificate)
over to dovecot. And after dovecot got a restart, imap clients were
happy again.
Sendmail also presented an expired certificate, although that does not
stop most email servers from sending and accepting mail. It is stored in
/usr/share/ssl/certs/sendmail.pem
#openssl x509 -enddate -in sendmail.pem
notAfter=Jun 26 01:35:17 2019 GMT
Sendmail.pem contains the RSA private key as well as the certificate, so
I copied them from the GUI certificate:
#cp /etc/admserv/certs/key sendmail.pem
#cat /etc/admserv/certs/certificate >> sendmail.pem
After a restart, sendmail presented the non-expired certificate.
I am wondering how this can be prevented in the future. I have
letsencrypt certificates running for a long time, but this is the first
time this situation happened to me.
Kind regards,
Maurice
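An added example, not from the post above, of a check that would have caught all three situations described (nginx serving a cached certificate, dovecot and sendmail using copies that the renewal script never touched): it compares the expiry of the certificate a daemon actually presents on the wire with the expiry of the file on disk. Host names and ports are placeholders, and it assumes GNU date and openssl are available.

```sh
#!/bin/sh
# Added example (not from the original post). Flags a daemon that still serves
# a certificate older than the one letsencrypt renewed on disk, which is the
# nginx, dovecot and sendmail situation described above. Assumes GNU date.

# Convert a "notAfter=Jun 26 01:35:17 2019 GMT" line to epoch seconds (UTC).
notafter_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Expiry of the certificate file on disk.
disk_enddate() {
    notafter_epoch "$(openssl x509 -enddate -noout -in "$1")"
}

# Expiry of the certificate a live endpoint presents. $3 is an optional
# STARTTLS protocol (smtp, imap); leave it empty for implicit TLS (443, 993).
served_enddate() {
    host=$1; port=$2; proto=$3
    starttls=""
    [ -n "$proto" ] && starttls="-starttls $proto"
    notafter_epoch "$(openssl s_client -connect "$host:$port" -servername "$host" \
        $starttls </dev/null 2>/dev/null | openssl x509 -enddate -noout)"
}

# Classify a served expiry against the on-disk expiry and the current time:
#   expired  the served certificate is already past its notAfter
#   stale    the served certificate is older than the file on disk (reload needed)
#   ok       the daemon serves the same (or a newer) certificate as the file
classify() {
    served=$1; disk=$2; now=$3
    if [ "$served" -le "$now" ]; then
        echo expired
    elif [ "$served" -lt "$disk" ]; then
        echo stale
    else
        echo ok
    fi
}

# One report line per service. Paths are the ones named in the post; the host
# is a placeholder.
check_service() {
    name=$1; host=$2; port=$3; proto=$4; file=$5
    printf '%s: %s\n' "$name" "$(classify "$(served_enddate "$host" "$port" "$proto")" \
        "$(disk_enddate "$file")" "$(date -u +%s)")"
}

# Usage against a real host (not executed here):
#   check_service nginx    www.example.com  443 ""   /home/sites/www.example.com/certs/certificate
#   check_service dovecot  mail.example.com 993 ""   /etc/pki/dovecot/certs/dovecot.pem
#   check_service sendmail mail.example.com 25  smtp /usr/share/ssl/certs/sendmail.pem
```

Run it from cron shortly after letsencrypt.cron finishes; any "stale" or "expired" line names the daemon that needs a restart or a fresh copy of the renewed certificate.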