After an update of ISPConfig, I can no longer access my mail on Thunderbird. I believe that I selected to renew the keys. My mail server is hosted on a shared Linode 4 GB node and has been in service since Aug 2023. System: 6.8.0-85-generic #85-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep 18 15:26:59 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux with current updates. I believe that I still receive mail from the Web. The Roundcube Webmail 1.6.6 site doesn't work. I did restore the Postfix back up cert and key. Please let me know if you need addition information. What is the best option to fix it? Change some files Restore the backup made with the update Restore the Linode back up Jens I am a little rusty writing help requests.
Restore certificate and key not only in postfix but dovecot and webserver too. Restart all services and it will probably work again. Though it's a bit strange an ISPC update broke certificates. Normally the update should skip renewing the system certificate if a valid one is found by default. Unless you choose to renew regardless.
Unless you manually configured SSL certificates, all certificates for these services are symlinks to the SSL certificate in /usr/local/ispconfig/interface/ssl/ folder. Unpack the ispconfig backup that was created before the update; it's in a subfolder of /var/backup/. Copy the SSL certificate and key and .pem file from the backup to /usr/local/ispconfig/interface/ssl/ and restart the mail and http services.
If I were you, I won't attempt restoring first, but I'd simply force update ISPConfig and opt to create ssl certs for the server again. Only if that doesn't work, then I'll opt for restore, as they described above.
Thank you remkoh, Till and ahrasis. My webserver is fine. I went looking for the certificates and found them (just as Till said). In /usr/local/ispconfig/interface/ssl/, I renamed the ispserver .* to ispserver*.broke and ispserver*.bak to isperver*. For dhparam4096.pem, there was no backup file. I made sure that all the links to these file were correct. I put /etc/postfix in a git repository, but /etc/dovecot, /etc/rspam and /usr/local/ispconfig/interface/ssl/ were not. Now I am getting Code: dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 1 secs): user=<>, rip=<starlink ip address>, lip=<linode ip address>, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<iKSghqxBsmGB3kOl> Can I assume that the dhparam4096.pem is the issue? If so, what is the best way to fix it? If not , where to look next. Jens P.S. Please note that I am not a “New Member.” I am so old that my earlier post are no longer on my account. I attribute to the ISPConf team that matured the server, that I did not need support and became rusty.
Why assume when the message clearly says its your ssl certs? Manually restoring your old certs does not help because you might have broken the symlink between ispconfig ssl certs and dovecot (as well as other services). Among other reason to create the certs during ISPConfig force update. The file dhparam also comes with ISPConfig package that should be restored when ISPConfig is updated. I would also resync all services thereafter but that just me sharing my way. There could be a better safer way to do that, but my knowledge is limited as I do not run a mail server.
Solved I followed Till's instructions and carefully repeat the steps. I then used ahrasis response and looked into the ssl certs and found an issue with one of them. Thanks Till and ahrasis
