No lets encrypt certificate for Haraka after dns change
-
Hi,
I moved some of my dns settings yesterday evening from the wildcard/manual configuration type to the Cloudflare one (including moving these domains to Cloudflare in general).
It initially looked good yesterday evening (after syncing dns and forcing cert renewal where i got the known
domain must be a stringmessage), but this morning I had problems accessing the Dashboard on that server (hsts error, self signed cert instead of the le one) and after restarting the whole server Nginx picked up the correct certificates again. Next issue was Dovecot for port 993, here another restart of the mail container made it pick up the correct cert as well. The one thing still remaining is Haraka for port 587.Host Status Expires Days ----------------------------------------------- ------------ ------------ ---- 9wd.eu:443 Valid May 5 2021 44 my.9wd.eu:443 Valid Jun 19 2021 89 my.9wd.eu:993 Valid Jun 19 2021 89 unable to load certificate 140469961258648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140624968820376:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140564895733400:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140654917621400:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE my.9wd.eu:587 Expired -2459296(output from https://github.com/Matty9191/ssl-cert-check)
I exec'ed into the container, but Haraka is configured to use the same certificate as Dovecot so I am not quite sure why it does not actually show the same validity.
-
Hi,
I moved some of my dns settings yesterday evening from the wildcard/manual configuration type to the Cloudflare one (including moving these domains to Cloudflare in general).
It initially looked good yesterday evening (after syncing dns and forcing cert renewal where i got the known
domain must be a stringmessage), but this morning I had problems accessing the Dashboard on that server (hsts error, self signed cert instead of the le one) and after restarting the whole server Nginx picked up the correct certificates again. Next issue was Dovecot for port 993, here another restart of the mail container made it pick up the correct cert as well. The one thing still remaining is Haraka for port 587.Host Status Expires Days ----------------------------------------------- ------------ ------------ ---- 9wd.eu:443 Valid May 5 2021 44 my.9wd.eu:443 Valid Jun 19 2021 89 my.9wd.eu:993 Valid Jun 19 2021 89 unable to load certificate 140469961258648:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140624968820376:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140564895733400:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE unable to load certificate 140654917621400:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE my.9wd.eu:587 Expired -2459296(output from https://github.com/Matty9191/ssl-cert-check)
I exec'ed into the container, but Haraka is configured to use the same certificate as Dovecot so I am not quite sure why it does not actually show the same validity.
@fbartels port 587 uses STARTTLS i.e the connection starts out as plain text and when the STARTTLS extension is detected, it will upgrade to TLS.
You can verify it like this instead (and I can confirm the cert is fine):
openssl s_client -starttls smtp -connect my.9wd.eu:587 -
@fbartels port 587 uses STARTTLS i.e the connection starts out as plain text and when the STARTTLS extension is detected, it will upgrade to TLS.
You can verify it like this instead (and I can confirm the cert is fine):
openssl s_client -starttls smtp -connect my.9wd.eu:587
