Apache cache old SSL certificate

Discussion in 'ISPConfig 3 Priority Support' started by Petar, Sep 17, 2024.

  1. Petar

    Petar Member HowtoForge Supporter

    Strange problem: Outlook can't connect to the mail server domain because of an expired domain SSL certificate, after the certificate has been renewed. New ISPC 3.2.12 + Apache + acme.sh on Debian 12.
    Let's say the domain name (it's a vhost on the server, not the main server domain) is mail.xsrver.com.
    The domain is created in ISPC.
    The SSL and LE are created, and the expiration date is today, 17.09 at 10 o'clock.
    Outlook doesn't want to connect to the expired SSL domain on the 17.09.
    ---
    We delete the SSL from ISPC.
    We manually revoke the domain with acme.sh --revoke -d mail.xsrver.com
    We remove the domain from /root/.acme.sh/mail.xsrver.com
    We remove the SSL from /var/www/clients/client1/web1/ssl/*

    We restart dovecot, postfix, apache2 (we even restarted the server).

    We create the SSL and LE from ISPC.
    We check /root/.acme.sh/ and /var/www/clients/client1/web1/ssl/ and everything is OK and all the new certs are in place.
    If we open https://mail.xsrver.com it shows the new certificate and the connection is secured.
    If from a shell I try: curl -I https://mail.xsrver.com
    it gives the old expiration date, the same that Outlook sees when connecting to it:
    ----
    HTTP/2 200
    expires: Tue, 17 Sep 2024 05:42:49 GMT
    cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
    pragma: no-cache
    x-frame-options: sameorigin
    content-language: en
    set-cookie: roundcube_sessid=hu94pnhlk9j5qdsf2rubk06ho0; path=/; secure; HttpOnly
    last-modified: Tue, 17 Sep 2024 05:42:49 GMT
    x-robots-tag: noindex, nofollow
    content-type: text/html; charset=UTF-8
    date: Tue, 17 Sep 2024 05:42:49 GMT
    server: Apache
    ---

    WHERE IN HELL IS IT CACHING IT?
    Does Roundcube maybe have its own SSL cache or header cache or something?
    I cannot think this out...
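    A note on the curl output above: the "expires:" line is the HTTP Expires cache header that Roundcube sends with the page, not the certificate's validity date; curl -I prints no certificate details at all. What matters for Outlook is the certificate each service actually presents on its own port. The added script below (my example, not part of ISPConfig, acme.sh or the thread) takes the SHA-256 fingerprint of the certificate file on disk and compares it with the certificate served on 443, 993, 587 and 143, printing each one's notAfter date. The hostname and the path under /var/www/clients/client1/web1/ssl/ are the ones from the post; the file name is assumed.

```shell
#!/bin/sh
# Added example, not ISPConfig code: which certificate does each service really serve?
# Needs openssl. Usage: sh cert-check.sh mail.xsrver.com /var/www/clients/client1/web1/ssl/mail.xsrver.com.crt
set -eu

# Print the leaf certificate (PEM) presented on host:port.
# $3 is the STARTTLS protocol for plaintext ports (smtp, imap) or empty for implicit TLS.
served_cert() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509
}

# SHA-256 fingerprint of the first certificate in the PEM text on stdin
# (on a fullchain file that is the leaf, which is the one to compare).
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# notAfter of the certificate on stdin, e.g. "Dec 16 08:00:00 2024 GMT".
cert_notafter() { openssl x509 -noout -enddate | cut -d= -f2; }

# The "expires:" value from a curl -I dump: the HTTP cache header, unrelated to TLS.
http_expires() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[[:space:]]*[Ee]xpires: //p' | head -n 1
}

# Constructed sample of the headers quoted in the post, used to show what
# http_expires extracts (a cache date, not a certificate date).
SAMPLE_HEADERS='HTTP/2 200
expires: Tue, 17 Sep 2024 05:42:49 GMT
cache-control: private, no-cache, no-store, must-revalidate
server: Apache'

# $1 = hostname, $2 = certificate file ISPConfig wrote for that site.
check() {
    disk=$(cert_fingerprint <"$2")
    printf 'on disk   %s\n' "$disk"
    for spec in 443: 993: 587:smtp 143:imap; do
        port=${spec%%:*}; proto=${spec#*:}
        pem=$(served_cert "$1" "$port" "$proto") || { printf 'port %s: no TLS answer\n' "$port"; continue; }
        fp=$(printf '%s\n' "$pem" | cert_fingerprint)
        end=$(printf '%s\n' "$pem" | cert_notafter)
        if [ "$fp" = "$disk" ]; then state=same; else state=DIFFERENT; fi
        printf 'port %-4s %-9s notAfter=%s\n' "$port" "$state" "$end"
    done
}

if [ $# -ge 2 ]; then
    printf 'HTTP expires header (cache, not TLS): %s\n' "$(http_expires "$SAMPLE_HEADERS")"
    check "$1" "$2"
fi
```

A port that reports DIFFERENT is the daemon that still has the old certificate; a port that reports "same" but an old notAfter means the file on disk itself was not renewed. On a mail host with a separate mail.something.com certificate, running this against both the website name and the mail name shows at once whether Apache, Postfix or Dovecot is the one out of step.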
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely, nothing is cached; you just have copies of the old cert. If not, everything is symlinked properly in your manual SSL certs setup. The certificate for postfix is normally the one from ISPConfig and not a website cert. You might want to compare your setup with the instructions from here to avoid cert renewal problems:

    https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
     
  3. Petar

    Petar Member HowtoForge Supporter

    Unfortunately the problem is still present and a lot of the customers are arguing.
    If I open the website something.com or its mail.something.com, the certificate is the new one.
    But if I try to add the mailbox on a brand new laptop which never opened any of these pages and try to set up Outlook on Windows or Mail on Mac, they both show the expired SSL.
    So Apache or Postfix or somebody is caching the old cert.

    The mails are set up with a separate mail.something domain and cert through /etc/postfix/domain_ssl.map

    Can you please share some ideas where we should find these old certs?
     
  4. Petar

    Petar Member HowtoForge Supporter

    SOLVED IT (somehow) by mapping again (postmap -F hash:/etc/postfix/domain_ssl.map) and restarting the dovecot and postfix services.
    BUT I cannot do it manually by looking every hour if somebody's SSL is renewed.
    How can I create a cron which would be started if there is a renewed cert by acme?
    BR
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If it happens on email and works on web, then the issue is not apache related. Either postfix or dovecot still uses the old cert then. Restart postfix and dovecot and test again.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's one reason we recommend not using SSL certs per client domain but just one cert for the whole server, as all larger providers do.

    You can use systemd to detect changes in files and folders and to run a command or script in that case.
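    The systemd approach suggested here, worked through as an added example (my script, not ISPConfig's or acme.sh's): a .path unit watches the site's ssl directory, and when a file there is rewritten it starts a oneshot service that repeats exactly the step that fixed it above, postmap -F on /etc/postfix/domain_ssl.map followed by a reload of postfix and dovecot. The watched directory and the map path come from the thread; the unit names and the hook location /usr/local/sbin/mail-cert-reload.sh are my assumptions.

```shell
#!/bin/sh
# Added example, not ISPConfig code: re-run postmap -F and reload the mail
# daemons automatically whenever a certificate file is renewed.
# Usage: sh install-cert-watch.sh install   (as root)
set -eu

WATCH_DIR=${WATCH_DIR:-/var/www/clients/client1/web1/ssl}   # from the thread
SSL_MAP=/etc/postfix/domain_ssl.map                           # from the thread
HOOK=/usr/local/sbin/mail-cert-reload.sh                      # assumed location
UNIT=mail-cert-reload                                         # assumed unit name

# Hook body. postmap -F stores the *contents* of the cert files in the hash
# map, so the map is stale after every renewal until it is rebuilt. The sleep
# lets acme.sh finish writing key, cert and chain before we read them.
render_hook() {
cat <<EOF
#!/bin/sh
set -eu
sleep 10
postmap -F hash:$SSL_MAP
systemctl reload postfix dovecot
logger -t $UNIT "rebuilt $SSL_MAP and reloaded postfix/dovecot"
EOF
}

# Path unit: PathChanged= on a directory fires when a file inside it is
# closed after being written. Add one PathChanged= line per site directory.
render_path_unit() {   # $1 = directory to watch
cat <<EOF
[Unit]
Description=Watch $1 for renewed certificates

[Path]
PathChanged=$1
Unit=$UNIT.service

[Install]
WantedBy=multi-user.target
EOF
}

# Oneshot service started by the path unit. While it runs, further path
# triggers are merged, which absorbs the burst of writes during a renewal.
render_service_unit() {
cat <<EOF
[Unit]
Description=Rebuild postfix SNI map and reload postfix/dovecot after a cert change

[Service]
Type=oneshot
ExecStart=$HOOK
EOF
}

install_units() {   # must run as root
    render_hook >"$HOOK"
    chmod 0755 "$HOOK"
    render_path_unit "$WATCH_DIR" >"/etc/systemd/system/$UNIT.path"
    render_service_unit >"/etc/systemd/system/$UNIT.service"
    systemctl daemon-reload
    systemctl enable --now "$UNIT.path"
}

if [ "${1:-}" = "install" ]; then install_units; fi
```

After installing, `systemctl status mail-cert-reload.path` should show it active and waiting; `journalctl -t mail-cert-reload` records each rebuild. Because a path unit watches a directory, not a domain, every site whose certificate is listed in domain_ssl.map needs its own PathChanged= line; that bookkeeping is the practical argument for the single server-wide certificate recommended above.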
     
  7. Petar

    Petar Member HowtoForge Supporter

    OK, I will try to solve it in that direction.
    Thanks for your support.
     