Thunderbird not updating certificate, keeps using old one and saying it's expired

I have an email server where I have Let's Encrypt SSL certs, expiring every 3 months, and certbot automatically renews them. If I access the server through a website in the browser, the correct and newest SSL certificate is used, but Thunderbird complains that the SSL certificate is not valid, in that it has expired.

The complaint is displayed through a dialog window, and if I click to view the certificate through this window, it shows an old certificate that has indeed expired. However, if I click the button "Get certificate", that button itself grays out, but nothing else happens. I tried right-clicking the name of the e-mail address (account) in Thunderbird, going to Settings -> Security and deleting all the certificates for the domain, but somehow it still has the old certificate stored.

My setup is dovecot + postfix.

Any ideas?


Solution 1:

Thunderbird does not access the mail using the same server as the browser does. The browser accesses a web server using HTTP/HTTPS, while Thunderbird accesses a mail server using the IMAP/IMAPS or POP3/POP3S protocol for receiving mail and the SMTP protocol for sending. These are separate servers with separate configuration, which means that they need to be configured to use the appropriate certificates in the first place and that they must also be restarted when the certificates get renewed.

While it is impossible to say what your specific setup includes (EDIT: after an edit of the question it became clear that it is the setup I've described), a common setup is to use Dovecot for receiving mail and Postfix for sending. So you might try to look at this software and its configuration on your (unknown) system and make sure that these get updated and restarted whenever the certificates change.

Solution 2:

Dovecot may need to be reloaded. I had exactly that case with Postfix+Dovecot+certbot. Certbot was showing that the certificate had already been renewed, but the server was still using the expired certificate. I was able to see that by testing with openssl (Ubuntu):

openssl s_client -connect mydomain.com:993 -quiet
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mydomain.com
verify error:num=10:certificate has expired
notAfter=Dec  5 15:42:11 2020 GMT
verify return:1
depth=0 CN = mydomain.com
notAfter=Dec  5 15:42:11 2020 GMT
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE  AUTH=CRAM-MD5 AUTH=LOGIN AUTH=PLAIN] Dovecot (Ubuntu) ready.
^C

Reload Dovecot:

sudo service dovecot reload

That was enough to fix it in my case. Still, it may be worth checking whether a reboot is requested for the server:

ls -l /var/run/reboot-required
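One way to automate both steps from this answer (reload the daemons after renewal, then confirm what they actually serve), as an added example that is not part of the original post. It is written as a certbot deploy hook and assumes Debian/Ubuntu service names, that certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS when it runs the hook, and that the first renewed domain is the mail host name:

```shell
#!/bin/sh
# Added example (not from the question or answers): certbot deploy hook that
# reloads Dovecot and Postfix, then checks that each listener presents the
# renewed certificate instead of a stale one left in the running process.
# Assumptions: systemd service names "dovecot" and "postfix"; certbot's
# RENEWED_LINEAGE / RENEWED_DOMAINS environment variables.

# SHA-256 fingerprint of a certificate file on disk.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a TLS listener presents.
# Usage: served_fingerprint host port [starttls-protocol, e.g. smtp]
served_fingerprint() {
    _host=$1; _port=$2; _starttls=${3:+-starttls $3}
    openssl s_client -connect "$_host:$_port" -servername "$_host" $_starttls \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 if the certificate file is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Compare what the listener serves with the file the daemon should be using.
# Usage: check_listener host port certfile [starttls-protocol]
check_listener() {
    if [ "$(served_fingerprint "$1" "$2" "$4")" = "$(file_fingerprint "$3")" ]; then
        echo "OK    $1:$2 serves $3"
    else
        echo "STALE $1:$2 does not serve $3 (daemon not reloaded?)" >&2
        return 1
    fi
}

# Deploy-hook entry point; only runs when certbot invokes the script.
if [ -n "$RENEWED_LINEAGE" ]; then
    cert="$RENEWED_LINEAGE/fullchain.pem"
    host=${RENEWED_DOMAINS%% *}
    systemctl reload dovecot postfix
    check_listener "$host" 993 "$cert"          # IMAPS
    check_listener "$host" 587 "$cert" smtp     # submission with STARTTLS
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script.sh` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/); the check functions can also be run by hand against a server that is still showing the old certificate.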