A user sent me a screenshot she took with her phone of a message she saw while checking her email with Microsoft Outlook 2016 that stated:
Internet Security Warning
The server you are connected to is using a security certificate
that cannot be verified.
A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in
the signed file.
Do you want to continue using this server?
I knew the security certificate, which I obtained from Let's Encrypt, a certificate authority that provides free X.509 certificates, was expiring today, but I expected it to be renewed automatically. I checked the status of the certificate with the openssl command by connecting to port 995, the Post Office Protocol 3 over TLS/SSL port, aka the POP3S port, and saw the following:
$ openssl s_client -connect pop3.moonpoint.com:995
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = support.moonpoint.com
verify error:num=10:certificate has expired
notAfter=Sep 11 00:31:00 2016 GMT
verify return:1
depth=0 CN = support.moonpoint.com
notAfter=Sep 11 00:31:00 2016 GMT
verify return:1
---
Certificate chain
 0 s:/CN=support.moonpoint.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
subject=/CN=support.moonpoint.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3260 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C916B2177020CED78503A97E558E4727E27DB93377A4667DF14E02F0C891FB8B
    Session-ID-ctx:
    Master-Key: F76A8B4CD72E591B97DA5231AD429A3A2E5C5311FA8EE84E3A5F96F295C0CFE41A4075EED1E1CC156BB8B0B164C28CDE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 6a f2 d8 2a 23 77 80 f5-c3 db 56 e6 d8 bb 52 66   j..*#w....V...Rf
    0010 - 44 70 9b fe 9f 99 56 3d-44 48 25 ea 06 e1 57 ed   Dp....V=DH%...W.
    0020 - fb ff 07 8a 94 d9 f9 43-75 c5 01 e1 c4 a0 14 06   .......Cu.......
    0030 - 46 e2 ad 8e 25 90 61 0b-e3 97 57 18 bd 44 25 44   F...%.a...W..D%D
    0040 - 25 bd 9f 85 43 c0 fb b3-a4 2b d8 22 f9 c0 13 bd   %...C....+."....
    0050 - 5f e7 b2 9a cd f8 45 5c-fd 57 ce 1f 15 bc fe 2e   _.....E\.W......
    0060 - 00 1e f1 c8 5d 9b 6d b5-10 5d ac dc 36 5e 2e f2   ....].m..]..6^..
    0070 - 35 75 b9 5a 96 4f ab 27-e0 98 d0 a4 fe aa 7a 64   5u.Z.O.'......zd
    0080 - 17 2c 9d f1 22 5c 70 bc-28 d3 b5 1a 79 41 76 98   .,.."\p.(...yAv.
    0090 - 2d 35 66 29 a0 7a 42 49-9b ba b2 b1 58 1d 52 69   -5f).zBI....X.Ri

    Start Time: 1473620848
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
+OK Dovecot ready.
QUIT
DONE
$
When the email server responded with "+OK Dovecot ready", I typed "QUIT" and the server responded with "DONE" and I was returned to the shell prompt.
The output contained the line "verify error:num=10:certificate has expired" and, just below it, "notAfter=Sep 11 00:31:00 2016 GMT". Both appear at depth=0, i.e. they refer to the server's own certificate rather than to the Let's Encrypt intermediate or the DST root, and the same result is repeated at the end as "Verify return code: 10 (certificate has expired)". The certificate had therefore expired shortly after midnight Greenwich Mean Time (GMT) early this morning, about 14 hours before the user reported the problem.
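As an added example, not code from the original page, the following shell script packages the checks above so they can be run from cron or by hand: it reports whether a certificate is expired, close to expiry or fine, lists the DNS names it covers, and can fetch the certificate a live service presents. Its sample input is the expired server certificate captured in the s_client output above; decoding it also shows why a certificate whose CN is support.moonpoint.com is accepted for pop3.moonpoint.com: the Subject Alternative Name extension lists pop3.moonpoint.com among six names, and clients match the hostname against that list. The 14-day warning window is an assumed value; the script needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original page: expiry and name checks for an
# X.509 certificate using only the openssl command-line tool.
# check_cert exit status: 0 = valid for at least WARN_DAYS more days,
#                         1 = valid but expiring within WARN_DAYS,
#                         2 = already expired (what Outlook was complaining about)

WARN_DAYS=${WARN_DAYS:-14}   # assumed warning window; certbot itself renews at 30 days left

# not_after FILE: the notAfter field as openssl prints it, e.g. "Sep 11 00:31:00 2016 GMT"
not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# san_names FILE: DNS names from the Subject Alternative Name extension, one per line
san_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_cert FILE: print "<ok|expiring|expired> <notAfter>" and return 0, 1 or 2.
# -checkend N succeeds only if the certificate is still valid N seconds from now,
# so -checkend 0 asks "is it valid right now?".
check_cert() {
    expiry=$(not_after "$1")
    if ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo "expired $expiry"; return 2
    elif ! openssl x509 -noout -checkend "$((WARN_DAYS * 86400))" -in "$1" >/dev/null 2>&1; then
        echo "expiring $expiry"; return 1
    fi
    echo "ok $expiry"; return 0
}

# fetch_server_cert HOST PORT FILE: save the leaf certificate a TLS service presents.
# -servername sends SNI so a host serving several names picks the right certificate;
# </dev/null closes the session so s_client returns. For STARTTLS ports (110, 143,
# 587) add "-starttls pop3", "-starttls imap" or "-starttls smtp".
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Sample input: the expired server certificate captured in the s_client output above.
SAMPLE_CERT=$(mktemp)
cat > "$SAMPLE_CERT" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
EOF

if result=$(check_cert "$SAMPLE_CERT"); then rc=0; else rc=$?; fi
echo "$result (exit status $rc)"        # expired Sep 11 00:31:00 2016 GMT (exit status 2)
echo "names covered by this certificate:"
san_names "$SAMPLE_CERT"

# Live check of a running service, only when asked for: ./check_cert.sh live pop3.moonpoint.com 995
if [ "${1:-}" = live ]; then
    LIVE_CERT=$(mktemp)
    fetch_server_cert "$2" "$3" "$LIVE_CERT" && check_cert "$LIVE_CERT"
fi
```

Run without arguments it works offline on the embedded certificate; with "live HOST PORT" it fetches the certificate the service currently presents and reports on that instead, which is the check to run after a renewal to confirm the running daemon is actually serving the new file.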
To renew the certificate manually, I logged into the root account on the email server and ran the command letsencrypt renew.
[root@moonpoint ~]# letsencrypt renew
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/support.moonpoint.com.conf
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/support.moonpoint.com/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/support.moonpoint.com/fullchain.pem (success)
[root@moonpoint ~]#
When I checked the certificate expiration date again by using openssl s_client -connect pop3.moonpoint.com:995, I saw that the September 11, 2016 date was still showing as the expiration date. The renewal output had in fact said "new certificate deployed without reload": the files under /etc/letsencrypt/live/support.moonpoint.com/ had been replaced, but Dovecot loads its certificate when it starts and keeps serving that copy from memory until it is reloaded or restarted. I restarted the email server software, Dovecot.
$ service dovecot restart
Redirecting to /bin/systemctl restart  dovecot.service
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
$
I then issued the openssl s_client -connect pop3.moonpoint.com:995 command again. This time I didn't see any "verify error:num=10:certificate has expired" line in the response from the server, nor any "notAfter" line.
From the system where the certificate resides, you can also check the expiration of the certificate using an openssl command of the form openssl x509 -enddate -noout -in file.pem. When I checked the Let's Encrypt cert.pem file, I could see it was now valid for another 90 days.
[root@moonpoint ~]# openssl x509 -enddate -noout -in /etc/letsencrypt/live/support.moonpoint.com/cert.pem
notAfter=Dec 10 19:08:00 2016 GMT
[root@moonpoint ~]#
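As an added example that is not part of the original page, here is a certbot deploy hook that closes the gap the renewal output pointed at ("new certificate deployed without reload"): after each successful renewal it reloads Dovecot, then verifies that the service on port 995 really presents the renewed certificate by comparing the SHA-256 fingerprint of the file on disk with that of the certificate fetched from the live port, and falls back to the full restart used above if the reload was not enough. The hook interface is certbot's (it runs executables placed in /etc/letsencrypt/renewal-hooks/deploy/ or given with --deploy-hook, and exports RENEWED_LINEAGE with the lineage directory); in 2016 the client was still invoked as letsencrypt, so the names used here are today's. The host, port, service name and the two-second pause are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: a certbot deploy hook that reloads
# Dovecot after a renewal and then proves the running service presents the renewed
# certificate, by comparing the SHA-256 fingerprint of the file on disk with that of
# the certificate fetched from the live POP3S port. Install as an executable in
# /etc/letsencrypt/renewal-hooks/deploy/ or pass it with --deploy-hook.

HOST=${HOST:-pop3.moonpoint.com}   # assumed: the service to verify
PORT=${PORT:-995}
SERVICE=${SERVICE:-dovecot}

# fingerprint FILE: SHA-256 fingerprint of the first certificate in a PEM file
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# same_cert FILE1 FILE2: succeed only if both files hold the same certificate
same_cert() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# live_cert HOST PORT FILE: save the leaf certificate the service presents
# (-servername sends SNI; </dev/null ends the session so s_client returns)
live_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# verify_deployed CERT_FILE: 0 if the live service serves CERT_FILE, 1 if it serves
# something else (typically the old certificate still held in memory), 2 if no
# certificate could be fetched at all.
verify_deployed() {
    tmp=$(mktemp)
    if ! live_cert "$HOST" "$PORT" "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "could not fetch a certificate from $HOST:$PORT" >&2
        return 2
    fi
    if same_cert "$1" "$tmp"; then
        rm -f "$tmp"
        echo "$HOST:$PORT presents the renewed certificate $(fingerprint "$1")"
        return 0
    fi
    echo "$HOST:$PORT still presents $(fingerprint "$tmp"), not $(fingerprint "$1")" >&2
    rm -f "$tmp"
    return 1
}

# Hook entry point. certbot exports RENEWED_LINEAGE (e.g.
# /etc/letsencrypt/live/support.moonpoint.com) when it runs a deploy hook.
# Reload first; if the service still serves the old certificate, fall back to
# the full restart the article needed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    systemctl reload "$SERVICE"
    sleep 2                                  # assumed: time for listeners to reopen
    if ! verify_deployed "$RENEWED_LINEAGE/cert.pem"; then
        systemctl restart "$SERVICE"
        sleep 2
        verify_deployed "$RENEWED_LINEAGE/cert.pem"
    fi
fi
```

A mismatch reported by verify_deployed is exactly the state found above after running letsencrypt renew by hand: correct files on disk, stale certificate in memory. Because the hook exits non-zero in that case, certbot records the failure instead of reporting a clean renewal, so the problem shows up in the renewal log rather than in a user's Outlook dialog.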
Note: if you run the command from a non-root account on a Linux system, you will see an error message similar to the one below, because the directory holding the certificate is readable only by root, as the "Permission denied" shows:
$ openssl x509 -enddate -noout -in /etc/letsencrypt/live/support.moonpoint.com/cert.pem
Error opening Certificate /etc/letsencrypt/live/support.moonpoint.com/cert.pem
140249426700192:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/letsencrypt/live/support.moonpoint.com/cert.pem','r')
140249426700192:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate