Dovecot Certificates

Problem with certificates and mail servers

Setup

A mail server using dovecot and SSL certificates from certbot (Let’s Encrypt SSL)

Problem (Short)

The certificate from certbot is flagged as invalid by email clients and other mail servers after it expired and got renewed.

Solution (Short)

Restart dovecot after renewing the certificate.

systemctl restart dovecot

Explanation

Certificates issued through certbot are valid for three months. When these three months are up, the certificate has to be renewed. This can be done manually using

certbot renew

or using an entry in the crontab. The problem here is that after this renewal, mail clients and other servers still report the certificate as outdated, even though the website (mail.dieminger.ch) itself already presents the new certificate. The reason is that the IMAP server dovecot reads the certificate once at startup and keeps it as a static string in memory. This string is then delivered to everyone who requests it. So after a renewal, dovecot does not read in the new certificate but keeps serving the (now) outdated old certificate it saved. To force dovecot to read in the new certificate, it has to be restarted using

systemctl restart dovecot

Combining both commands in a wrapper script and running it every month using cron solves the issue in the long term.

Helpful stuff about certificates

The current certificates are linked under /etc/letsencrypt/live/<domainname>/. This is where dovecot reads the certificates from when it starts.

The certificates are actually stored under /etc/letsencrypt/archive/, where the old certificates can be found as well. To print a certificate in human-readable form, use the openssl tool:

openssl x509 -text -noout -in <certificate_file>

To see its hash, add the flag -fingerprint. This hash can be compared with the hash that the email client receives; comparing both tells you which certificate dovecot is serving at the moment.
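The cron wrapper from the Explanation section and the fingerprint comparison described above, combined into one script as an added example (this is not code from the original page): "run" renews the certificate, restarts dovecot and then verifies that the certificate dovecot serves on IMAPS matches the one certbot linked under live/; "check" only does the verification. The host name mail.example.org, port 993 and the file name cert.pem are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: renew with certbot, restart
# dovecot, then confirm dovecot really serves the renewed certificate.
# Assumptions: DOMAIN is a placeholder, IMAPS on 993, certbot default paths.
set -eu

DOMAIN="${DOMAIN:-mail.example.org}"     # placeholder, set to your mail host
IMAPS_PORT="${IMAPS_PORT:-993}"
LIVE_CERT="/etc/letsencrypt/live/${DOMAIN}/cert.pem"

# Turn "sha256 Fingerprint=AB:CD:..." (or "SHA256 Fingerprint=...") into
# lowercase hex without separators so two sources compare cleanly.
normalize_fp() {
  printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only when both fingerprints are non-empty and identical.
fp_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Fingerprint of the leaf certificate certbot currently links under live/.
file_fp() {
  normalize_fp "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# Fingerprint of the certificate dovecot actually presents on IMAPS.
served_fp() {
  normalize_fp "$(openssl s_client -connect "$1:$2" -servername "$1" \
      </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Exit non-zero (and say so) when dovecot still serves a stale certificate.
check_dovecot() {
  on_disk=$(file_fp "$LIVE_CERT")
  served=$(served_fp "$DOMAIN" "$IMAPS_PORT")
  if fp_match "$on_disk" "$served"; then
    echo "ok: dovecot serves the current certificate ($on_disk)"
  else
    echo "STALE: disk=$on_disk served=$served (restart dovecot)" >&2
    return 1
  fi
}

renew_and_restart() {
  certbot renew --quiet
  systemctl restart dovecot
  check_dovecot
}

case "${1:-}" in
  run)   renew_and_restart ;;          # cron entry: renew-dovecot.sh run
  check) check_dovecot ;;
  *)     echo "usage: $0 run|check" >&2 ;;
esac
```

A monthly cron line such as "0 3 1 * * /usr/local/sbin/renew-dovecot.sh run" covers the renewal, and "check" can be run by hand whenever a client complains about the certificate.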

Certbot for Email

Dovecot SSL config