Mail client finds wrong SSL certificate

Richard G

I have created an SSL certificate which was valid from July 7th until September 29th or something like that.
Last month I created a wildcard certificate for the same domain.

Now today my Outlook 2013 starts complaining with a popup box (translated from Dutch):
On the server you are connected to, a security certificate is used which can't be validated.
A needed certificate is not within the validity period when checked against the current system clock or the timestamp in the signed file.

Then I can click on "view certificate" and then it says:
"This certificate is expired or not yet valid".

Issued to: mydomain.nl
Issued by: Lets Encrypt Authority X3
Valid from 2-7-2018 until 30-09-2018

So I log in to DA and it says there:
Let's Encrypt in use. Automatic renewal in 29 days.

I check with a script via SSH and this is the result:
Lets Encrypt domain: geertsthuis.nl
subjectAltName=DNS:mydomain.nl, DNS:mail.mydomain.nl, DNS:pop.mydomain.nl, DNS:smtp.mydomain.nl, DNS:www.mydomain.nl
-- Created: Sat Sep 1 04:32:07 CEST 2018 - 1535769127
-- Renewal: Wed Oct 31 03:32:07 CET 2018
-- Renewal in 29 days.

So this corresponds with what I see in DirectAdmin and the date I created the wildcard certificate.

This is what my /data/users/myaccount/domains folder looks like:
Code:
-rw-r----- 1 diradmin access   1.7K 2018-09-01 04:32 mydomain.nl.cacert
-rw-r----- 1 diradmin access   2.6K 2018-09-01 04:32 mydomain.nl.cert
-rw-r----- 1 diradmin access   4.2K 2018-09-01 04:32 mydomain.nl.cert.combined
-rw-r----- 1 diradmin access     11 2018-09-01 04:32 mydomain.nl.cert.creation_time
-rw-r--r-- 1 root     root     4.2K 2018-09-01 04:32 mydomain.nl.cert.new.tmp
-rw------- 1 diradmin diradmin  495 2018-09-22 14:56 mydomain.nl.conf
-rw-r----- 1 diradmin access   1.8K 2018-09-01 04:32 mydomain.nl.csr
-rw------- 1 diradmin diradmin  333 2017-03-08 15:45 mydomain.nl.ftp
-rw------- 1 diradmin diradmin   13 2018-09-22 14:56 mydomain.nl.ip_list
-rw-r----- 1 diradmin access   3.2K 2018-09-01 04:32 mydomain.nl.key
-rw-r--r-- 1 diradmin diradmin    0 2014-05-18 01:46 mydomain.nl.mime.types
-rw------- 1 diradmin diradmin  421 2017-12-13 15:39 mydomain.nl.san_config
-rw------- 1 diradmin diradmin    0 2014-05-18 00:08 mydomain.nl.subdomains
-rw------- 1 diradmin diradmin   52 2018-10-01 04:22 mydomain.nl.usage

I checked and both first lines of mydomain.nl.cert and mydomain.nl.cert.new.tmp are different from what I'm seeing in DirectAdmin. I don't know if that should be the case.
mydomain.nl.cert has this first part of the first line:
MIIHWzCCBkOgAwIBA

mydomain.nl.cert.new.tmp has this:
MIIEkjCCA3qgAwIBAg

The mydomain.nl.cert.combined file contains both these certificates.

However, in DirectAdmin it looks like this:
MIIJKAIBAAKCAgEAuw

Maybe that's normal, I'm not sure, just mentioning it.

The content of the mydomain.nl.cert.creation_time is:
1535769127

How come my Outlook client is still seeing an old certificate when logging in to the server? And how can I fix it so Outlook 2013 will see the new certificate?
 
Hello Richard,

Make sure Dovecot has been restarted since the cert reissue.

SMTP shows the valid cert, but dovecot fails to show a valid cert.
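An added example, not part of the original thread and not DirectAdmin's own tooling: a check that compares the certificate each mail service actually presents with the leaf certificate on disk, which is the mismatch described above (SMTP serving the new certificate while Dovecot still serves the old one). It assumes the services listen on the standard implicit-TLS ports and that the first PEM block in the `.cert` file is the leaf; the function names are illustrative.

```python
import hashlib
import re
import socket
import ssl

# Implicit-TLS ports; assumed defaults, adjust to the server's configuration.
MAIL_PORTS = {"imaps (Dovecot)": 993, "pop3s (Dovecot)": 995, "smtps": 465}
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate (assumed leaf) in a PEM file or chain."""
    block = PEM_BLOCK.search(pem_text)
    if block is None:
        raise ValueError("no PEM certificate found")
    der = ssl.PEM_cert_to_DER_cert(block.group(0))
    return hashlib.sha256(der).hexdigest()


def served_pem(host, port, timeout=10):
    """Fetch the certificate a service presents, without validating it,
    so that an expired certificate can still be retrieved and inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def stale_services(disk_pem, served):
    """Names of services whose served leaf differs from the one on disk.
    `served` maps a service name to the PEM text that service presented."""
    expected = leaf_fingerprint(disk_pem)
    return sorted(name for name, pem in served.items()
                  if leaf_fingerprint(pem) != expected)


def check(host, cert_path, ports=MAIL_PORTS):
    with open(cert_path) as fh:
        disk_pem = fh.read()
    served = {name: served_pem(host, port) for name, port in ports.items()}
    return stale_services(disk_pem, served)


if __name__ == "__main__":
    # Host and path follow the names used in the thread.
    for name in check("mail.mydomain.nl",
                      "/data/users/myaccount/domains/mydomain.nl.cert"):
        print(f"{name}: still serving a different certificate, restart it")
```

Running this after every certificate reissue shows which daemon has not yet reloaded its certificate, before a mail client reports it.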
 
Hello Alex.

Didn't expect the solution to be that easy. :)

Restarting Dovecot indeed fixed the issue.

Thank you!
 