A couple of days ago, a user showed me a message she saw on her system about a security certificate issue. When I looked at the message, I realized it was due to the expiration of the Let's Encrypt certificate on the email server used by her system. I logged into that system and queried the server with the openssl command to check the expiration date. I saw it had expired that day, March 10.
# echo "quit" | openssl s_client -connect pop3.moonpoint.com:995 -quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = imap.moonpoint.com
verify error:num=10:certificate has expired
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
depth=0 CN = imap.moonpoint.com
notAfter=Mar 10 19:53:00 2017 GMT
verify return:1
+OK Dovecot ready.
#
From the root account, I renewed the certificate using the command letsencrypt renew.
I then used openssl to check the certificate again. This time I didn't see the "certificate has expired" message.
# echo "quit" | openssl s_client -connect pop3.moonpoint.com:995 -quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = imap.moonpoint.com
verify return:1
+OK Dovecot ready.
# echo "quit" | openssl s_client -connect pop3.moonpoint.com:995 | grep "notAfter"
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = imap.moonpoint.com
verify return:1
DONE
#
When I checked the PEM file for the expiration date, I saw that the certificate, which is stored under the /etc/letsencrypt/live directory, will now expire on June 8, 2017.
# openssl x509 -enddate -noout -in /etc/letsencrypt/live/moonpoint.com/cert.pem
notAfter=Jun 8 20:06:00 2017 GMT
#
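To catch the next expiry before a user does, the notAfter line printed by the openssl x509 -enddate command above can be checked from a scheduled job. The following is an added example, not part of the original post; the 30-day warning window and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Classify a certificate from `openssl x509 -enddate -noout` output on stdin."""
import re
import ssl
import sys
import time

RENEW_WITHIN_DAYS = 30  # assumed warning window, adjust to taste
NOT_AFTER = re.compile(r"notAfter=(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)")


def expiry_epoch(text):
    """Return the earliest notAfter found in text as seconds since the epoch (UTC)."""
    stamps = NOT_AFTER.findall(text)
    if not stamps:
        raise ValueError("no notAfter= field found")
    # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form.
    return min(ssl.cert_time_to_seconds(s) for s in stamps)


def days_left(text, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((expiry_epoch(text) - now) // 86400)


def status(text, now=None, renew_within=RENEW_WITHIN_DAYS):
    """Return 'expired', 'renew' or 'ok' for the certificate described in text."""
    remaining = days_left(text, now)
    if remaining < 0:
        return "expired"
    return "renew" if remaining < renew_within else "ok"


if __name__ == "__main__":
    data = sys.stdin.read()
    result = status(data)
    print(f"{result}: {days_left(data)} day(s) left")
    sys.exit(0 if result == "ok" else 1)
```

Saved under a name such as check_expiry.py (a hypothetical file name), it can be fed the output of openssl x509 -enddate -noout -in /etc/letsencrypt/live/moonpoint.com/cert.pem through a pipe. A non-zero exit status means the certificate is expired or inside the warning window.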