A couple of users notified me that they were receiving warning messages regarding the security certificate on their email server when they were checking email with Microsoft Outlook. I checked the expiration date on the security certificate for the email server with the OpenSSL command openssl s_client -connect pop3.moonpoint.com:995 (the system is using Dovecot, which is an open-source IMAP/POP3 software program providing users with the ability to download their email). Dovecot listens on TCP port 995 for POP3S secure email connections for downloading email.

$ openssl s_client -connect pop3.moonpoint.com:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = moonpoint.com
verify error:num=10:certificate has expired
notAfter=Mar 27 17:43:56 2022 GMT
verify return:1
depth=0 CN = moonpoint.com
notAfter=Mar 27 17:43:56 2022 GMT
verify return:1
---
Certificate chain
 0 s:/CN=moonpoint.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
<text snipped>
+OK Dovecot ready.
quit
closed
$

I could see the certificate was expired (the output reports "verify error:num=10:certificate has expired" with notAfter=Mar 27 17:43:56 2022 GMT), and I issued the quit command when I saw the "OK Dovecot ready" prompt.
The email security certificate on the system is provided by Let's Encrypt, so I then tried renewing the certificate from the root account with the letsencrypt renew command, but was unsuccessful.

$ su - root
Password:
Last login: Mon Apr 4 10:13:03 EDT 2022 on pts/0
[root@moonpoint ~]# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moonpoint.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for moonpoint.com and 2 more domains
Performing the following challenges:
http-01 challenge for moonpoint.com
http-01 challenge for support.moonpoint.com
http-01 challenge for www.moonpoint.com
Cleaning up challenges
Failed to renew certificate moonpoint.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.moonpoint.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.moonpoint.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for moonpoint.com and 5 more domains
Performing the following challenges:
http-01 challenge for moonpoint.com
http-01 challenge for support.moonpoint.com
http-01 challenge for www.moonpoint.com
http-01 challenge for imap.moonpoint.com
http-01 challenge for pop3.moonpoint.com
http-01 challenge for smtp.moonpoint.com
Cleaning up challenges
Failed to renew certificate support.moonpoint.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/support.moonpoint.com-0001/fullchain.pem expires on 2022-05-27 (skipped)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/moonpoint.com/fullchain.pem (failure)
  /etc/letsencrypt/live/support.moonpoint.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
#

I found the solution was to stop the Apache web server software running on the system, thanks to a post by JuergenAuer at "Renewing certificate getting error: Problem binding to port 80: Could not bind to IPv4 or IPv6". The renewal uses the standalone authenticator, which starts its own listener on port 80 to answer the http-01 challenges, so it cannot bind that port while Apache is holding it. After I stopped the web server software, I was able to reissue the letsencrypt command to renew the certificate without the "Problem binding to port 80" error message. I then restarted the Apache web server software and Dovecot.

# apachectl stop
# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/moonpoint.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for moonpoint.com and 2 more domains
Performing the following challenges:
http-01 challenge for moonpoint.com
http-01 challenge for support.moonpoint.com
http-01 challenge for www.moonpoint.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/moonpoint.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.moonpoint.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.moonpoint.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for moonpoint.com and 5 more domains
Performing the following challenges:
http-01 challenge for imap.moonpoint.com
http-01 challenge for pop3.moonpoint.com
http-01 challenge for smtp.moonpoint.com
Waiting for verification...
Cleaning up challenges
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/support.moonpoint.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/erinfionacameron.com/fullchain.pem expires on 2022-05-26 (skipped)
  /etc/letsencrypt/live/support.moonpoint.com-0001/fullchain.pem expires on 2022-05-27 (skipped)
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/moonpoint.com/fullchain.pem (success)
  /etc/letsencrypt/live/support.moonpoint.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# apachectl start
# service dovecot restart
Redirecting to /bin/systemctl restart dovecot.service
#

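The failed and successful runs above differ only in a few output lines, so a scheduled job can catch a failed renewal before mail clients start warning users. The following is an added example, not part of the original post: the function names and the example.test entry are constructed, and the other sample lines follow the output format shown above.

```shell
#!/bin/sh
# Added example: summarize failures in `letsencrypt renew` output so a
# scheduled job can alert on them. Function names are hypothetical.

# renew_failures < renew-output
# Prints "name<TAB>authenticator<TAB>cause" for each failed certificate.
# cause is "port80-in-use" for the bind error seen on this page, else "other".
renew_failures() {
    awk '
        /^Plugins selected: Authenticator / {
            auth = $4; sub(/,$/, "", auth)      # "standalone," -> "standalone"
        }
        /^Failed to renew certificate / {
            cause = ($0 ~ /Problem binding to port 80/) ? "port80-in-use" : "other"
            printf "%s\t%s\t%s\n", $5, auth, cause
        }'
}

# Constructed sample in the format shown above; example.test is made up
# to exercise the "other" branch.
sample_output() {
    cat <<'EOF'
Processing /etc/letsencrypt/renewal/moonpoint.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate moonpoint.com with error: Problem binding to port 80: Could not bind to IPv4 or IPv6.
Processing /etc/letsencrypt/renewal/support.moonpoint.com-0001.conf
Cert not yet due for renewal
Processing /etc/letsencrypt/renewal/example.test.conf
Plugins selected: Authenticator standalone, Installer None
Failed to renew certificate example.test with error: constructed unrelated failure
EOF
}

sample_output | renew_failures
```

For the port80-in-use case with the standalone authenticator, certbot (the current name of the letsencrypt client) accepts --pre-hook and --post-hook options on renew, which can stop and start the web server around the challenge instead of doing it by hand.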
When I checked the new expiration date with an openssl x509 -enddate -noout -in command, I saw it is now July 4, 2022.

# openssl x509 -enddate -noout -in /etc/letsencrypt/live/moonpoint.com/cert.pem
notAfter=Jul 4 19:23:41 2022 GMT
#
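
The notAfter lines shown above can be checked automatically so that an approaching expiry is noticed before users report it. The following is an added example, not part of the original post: the function names, the 30-day warning threshold and the reference time are assumptions, and the date arithmetic is done in awk so it does not depend on a particular date command.

```shell
#!/bin/sh
# Added example: classify a certificate from the "notAfter=" line printed by
# `openssl x509 -enddate -noout`. Function names are hypothetical.

# not_after_epoch "notAfter=Mar 27 17:43:56 2022 GMT" -> seconds since 1970 (UTC)
not_after_epoch() {
    printf '%s\n' "${1#notAfter=}" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        d = $2; split($3, t, ":"); y = $4
        if (m <= 2) y--                       # count years from 1 March
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
        printf "%d\n", days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# cert_status NOTAFTER_LINE NOW_EPOCH [WARN_DAYS]
# Prints "EXPIRED n", "RENEW n" or "OK n", where n is whole days remaining
# (negative once expired). WARN_DAYS defaults to 30, an assumed threshold.
cert_status() {
    end=$(not_after_epoch "$1"); now=$2; warn=${3:-30}
    left=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then echo "EXPIRED $left"
    elif [ "$left" -lt "$warn" ]; then echo "RENEW $left"
    else echo "OK $left"; fi
}

# Constructed reference time: 2022-04-04 00:00:00 UTC.
NOW=1649030400
cert_status "notAfter=Mar 27 17:43:56 2022 GMT" "$NOW"   # page value before renewal
cert_status "notAfter=Jul 4 19:23:41 2022 GMT" "$NOW"    # page value after renewal

# Live use (needs network access):
#   cert_status "$(openssl s_client -connect pop3.moonpoint.com:995 </dev/null 2>/dev/null |
#       openssl x509 -noout -enddate)" "$(date +%s)"
```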