A user sent me a screen shot she took with her phone of a message she saw while checking her email with Microsoft Outlook 2016 which stated:
Internet Security Warning
The server you are connected to is using a security certificate
that cannot be verified.
A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in
the signed file.
Do you want to continue using this server?
I knew the security certificate, which I obtained from Let's Encrypt, a certificate authority which provides free x.509 certificates, was expiring today, but I expected it to be renewed automatically. I checked the status of the certificate with the openssl command by connecting to port 995, the Post Office Protocol 3 over TLS/SSL port , aka the POP3S port, and saw the following:
$ openssl s_client -connect pop3.moonpoint.com:995
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = support.moonpoint.com
verify error:num=10:certificate has expired
notAfter=Sep 11 00:31:00 2016 GMT
verify return:1
depth=0 CN = support.moonpoint.com
notAfter=Sep 11 00:31:00 2016 GMT
verify return:1
---
Certificate chain
0 s:/CN=support.moonpoint.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA0LlJ8LrKl5QWJNTuUFzBVR6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA2MTMwMDMxMDBaFw0x
NjA5MTEwMDMxMDBaMCAxHjAcBgNVBAMTFXN1cHBvcnQubW9vbnBvaW50LmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2JzmsFeHvqt/VD1KjvYUss
0k4zfN2qLW5/nXcgoGMNdpKh/8kur3660SFNtdMAvCXZk33pfeS7FsgFTife5ZjD
Uprp4iP6OAA1zAxM/WJ4J9hd4RX3XdfOjumIbPZF7ubc4GHIiJvtDZH/VvNgG3oV
3G156ltvhR6pjuyfOouSMsAyF1/RjtGggWRKavM73LZ3tnSdXAa3LZ4wsQtKsGyo
U+AIJix81q+6fv2peQYYhYQ34i8+gNREaIE0GaeFo/2b1mLE+ds9OLxFy1aTcP4R
+NvbwiZHdpVXvsXJmhSek+CWwyBDOFDtmQS4kuw9GGG+hWUw/2Uo2LK2+ECGGecC
AwEAAaOCAnQwggJwMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUhCuG3XVreHE8ex2v
KXgFYQO5EIswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYB
BQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2Vu
Y3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNl
bmNyeXB0Lm9yZy8wfgYDVR0RBHcwdYISaW1hcC5tb29ucG9pbnQuY29tgg1tb29u
cG9pbnQuY29tghJwb3AzLm1vb25wb2ludC5jb22CEnNtdHAubW9vbnBvaW50LmNv
bYIVc3VwcG9ydC5tb29ucG9pbnQuY29tghF3d3cubW9vbnBvaW50LmNvbTCB/gYD
VR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUH
AgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyB
m1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVs
eWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2Vy
dGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3Jn
L3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQAuAersicmQ//mmDZp+TonL
YdopelHfChTiX+oI1vtcLO6h0TkEn1VPPC0aKkVwct3/ZxLmSJDkpllUuAkePauj
oY+J5ruEnX1cBmwyHzTaA6uM+DWPGc0EHPaxs5hRsAFTC9RSzVRikL4aTfhoDpUo
1ZHbfOI+8X8h8Y6LXPPjH2Z0zBzlUouBBCpMcNn4Bdpm/BqdNYGz2Sce43AQDOuh
zH33kJfeZMnAITP6O5rIaT021jPn2ZfXkbcne6+QF4j/R8iCmFCyt6fMjuD6dGad
H0A3o0RxmGimr3t7zA+IrGybjwvfwaJVCBEEd2txsrlpqBHbPnM6OtdS0Ca7k+dt
-----END CERTIFICATE-----
subject=/CN=support.moonpoint.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 3260 bytes and written 407 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C916B2177020CED78503A97E558E4727E27DB93377A4667DF14E02F0C891FB8B
Session-ID-ctx:
Master-Key: F76A8B4CD72E591B97DA5231AD429A3A2E5C5311FA8EE84E3A5F96F295C0CFE4
1A4075EED1E1CC156BB8B0B164C28CDE
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 6a f2 d8 2a 23 77 80 f5-c3 db 56 e6 d8 bb 52 66 j..*#w....V...Rf
0010 - 44 70 9b fe 9f 99 56 3d-44 48 25 ea 06 e1 57 ed Dp....V=DH%...W.
0020 - fb ff 07 8a 94 d9 f9 43-75 c5 01 e1 c4 a0 14 06 .......Cu.......
0030 - 46 e2 ad 8e 25 90 61 0b-e3 97 57 18 bd 44 25 44 F...%.a...W..D%D
0040 - 25 bd 9f 85 43 c0 fb b3-a4 2b d8 22 f9 c0 13 bd %...C....+."....
0050 - 5f e7 b2 9a cd f8 45 5c-fd 57 ce 1f 15 bc fe 2e _.....E\.W......
0060 - 00 1e f1 c8 5d 9b 6d b5-10 5d ac dc 36 5e 2e f2 ....].m..]..6^..
0070 - 35 75 b9 5a 96 4f ab 27-e0 98 d0 a4 fe aa 7a 64 5u.Z.O.'......zd
0080 - 17 2c 9d f1 22 5c 70 bc-28 d3 b5 1a 79 41 76 98 .,.."\p.(...yAv.
0090 - 2d 35 66 29 a0 7a 42 49-9b ba b2 b1 58 1d 52 69 -5f).zBI....X.Ri
Start Time: 1473620848
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
+OK Dovecot ready.
QUIT
DONE
$When the email server responded with "+OK Dovecot ready", I typed "QUIT" and the server responded with "DONE" and I was returned to the shell prompt.
The output contained the line "verify error:num=10:certificate has expired" and another line "notAfter=Sep 11 00:31:00 2016 GMT", which indicated the certificate expired early this morning at shortly after midnight Greenwich Mean Time (GMT), about 14 hours before the user reported the problem.
To manually renew the certificate, I logged into the root account on the
email server and ran the command letsencrypt renew.
[root@moonpoint ~]# letsencrypt renew ------------------------------------------------------------------------------- Processing /etc/letsencrypt/renewal/support.moonpoint.com.conf ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- new certificate deployed without reload, fullchain is /etc/letsencrypt/live/support.moonpoint.com/fullchain.pem ------------------------------------------------------------------------------- Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/support.moonpoint.com/fullchain.pem (success) [root@moonpoint ~]#
When I checked the certificate expiration date again by using
openssl s_client -connect pop3.moonpoint.com:995, I saw that
the September 11, 2016 date was still showing as the expiration date.
I restarted the email server software,
Dovecot.
$ service dovecot restart Redirecting to /bin/systemctl restart dovecot.service ==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units === Authentication is required to manage system services or units. Authenticating as: root Password: ==== AUTHENTICATION COMPLETE === $
I then issued the openssl s_client -connect command
again. This time I didn't see any "verify error:num=10:certificate has
expired" line in the response from the server nor any "notAfter" line.
From the system where the certificate resides, you can also check the
expiration of the certificate using an openssl command in the form
openssl x509 -enddate -noout -in file.pem. When I checked
the Let's Encrypt cert.pem file, I could see it was now valid
for another 90 days.
[root@moonpoint ~]# openssl x509 -enddate -noout -in /etc/letsencrypt/live/support.moonpoint.com/cert.pem notAfter=Dec 10 19:08:00 2016 GMT [root@moonpoint ~]#
Note: if you run the command from a non-root account on a Linux system, you will see an error message similar to the one below:
$ openssl x509 -enddate -noout -in /etc/letsencrypt/live/support.moonpoint.com/c
ert.pem
Error opening Certificate /etc/letsencrypt/live/support.moonpoint.com/cert.pem
140249426700192:error:0200100D:system library:fopen:Permission denied:bss_file.c
:398:fopen('/etc/letsencrypt/live/support.moonpoint.com/cert.pem','r')
140249426700192:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate