SSL Certificate not updating in Mac Mail

I have a Let's Encrypt daemon running which updates the domain ssl certificates on a regular basis.

I've set up my mail address and it worked happily for a long time, but now Mac Mail is not updating the certificate although the certificate is renewed, which I can see when I open strongstaff.de in Firefox and view the certificate information.

Does someone know if this is a known bug in the Mac Mail software, or is there a way to update the certificate in Mac OS X, or do I need to propagate the update somehow?


Solution 1:

There's nothing wrong with Mac OS X. It is correctly reporting that the server's certificate has expired, because the server is indeed sending an expired certificate.

but now Mac Mail is not updating the certificate although the certificate is renewed, which I can see when I open strongstaff.de in Firefox and view the certificate information

You're looking at the certificate of a completely different service! Firefox is connecting to the HTTP server, but Mac Mail is connecting to the IMAP and SMTP servers. Even if they all run on the same IP address, they're still three separate programs which have separate TLS configurations (and provide their services on different TCP ports).

So your LE renewal daemon was configured to install the new certificate into the web server, but it didn't tell the mail services about the renewal, and so e.g. Dovecot on mail.valoric.de:993 (IMAPS) is actually still using an old certificate which expired on the 21st.

You can see this for yourself using gnutls-cli <host> -p 993 on Linux.
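The same check as a script, as an added example that is not part of the original answer: it connects to each TLS service on a host (HTTPS 443, IMAPS 993, SMTPS 465 and submission 587 via STARTTLS), pulls the leaf certificate the service actually presents, and prints its expiry and SHA-256 fingerprint side by side, so a web server that got the renewed certificate and a Dovecot or Postfix that did not show up as different fingerprints and dates. It uses only the Python standard library; since the standard library has no X.509 parser, a minimal DER walker reads just enough of the certificate to reach the validity field. The hostname "mail.example.com", the port list and the constructed test certificate are assumptions, and verification is switched off on purpose so an expired certificate is shown rather than rejected during the handshake.

```python
"""Show which certificate each TLS service on a host really presents.

Added example, not code from the original question or answer. Assumes
Python 3.8+ and the standard library only. The DER walker is minimal: it
reads an X.509 certificate only as far as the validity period.
"""
import hashlib
import smtplib
import socket
import ssl
from datetime import datetime, timezone

# (label, port, STARTTLS protocol or None). Assumed service list.
SERVICES = [
    ("https", 443, None),
    ("imaps", 993, None),
    ("smtps", 465, None),
    ("submission", 587, "smtp"),
]


def der_iter(buf):
    """Yield (tag, value) for each consecutive DER TLV in buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length


def der_encode(tag, content):
    """Encode one TLV; used here only to build the constructed test fixture."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content


def parse_x509_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                             # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                           # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, certificate = next(der_iter(der))       # Certificate ::= SEQUENCE
    _, tbs = next(der_iter(certificate))       # tbsCertificate ::= SEQUENCE
    fields = list(der_iter(tbs))
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    _, validity = fields[3]                    # serial, sigAlg, issuer, validity, ...
    (tag_nb, nb), (tag_na, na) = list(der_iter(validity))
    return parse_x509_time(tag_nb, nb), parse_x509_time(tag_na, na)


def days_remaining(der, now=None):
    """Days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_validity(der)[1] - now).days


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def fetch_cert(host, port, starttls=None, timeout=5):
    """Return the DER leaf certificate the service on host:port presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                 # we want to *see* an expired or wrong
    ctx.verify_mode = ssl.CERT_NONE            # certificate, not have the handshake fail
    if starttls == "smtp":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def report(host):
    """Print expiry and fingerprint per service so a stale one stands out."""
    for label, port, starttls in SERVICES:
        try:
            der = fetch_cert(host, port, starttls)
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{label:10} {port:5}  error: {exc}")
            continue
        print(f"{label:10} {port:5}  expires {cert_validity(der)[1]:%Y-%m-%d}  "
              f"{days_remaining(der):+d} days  sha256 {fingerprint(der)[:16]}...")


def constructed_cert(not_before, not_after):
    """Constructed fixture: a syntactically minimal certificate (empty names, no key,
    no signature) so the parser can be exercised offline. Not a real certificate."""
    utc = lambda dt: der_encode(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))              # version v3
           + der_encode(0x02, b"\x01")                               # serialNumber
           + der_encode(0x30, der_encode(0x06, b"\x2a\x03\x04"))     # signature OID 1.2.3.4
           + der_encode(0x30, b"")                                   # issuer (empty Name)
           + der_encode(0x30, utc(not_before) + utc(not_after))      # validity
           + der_encode(0x30, b""))                                  # subject
    return der_encode(0x30, der_encode(0x30, tbs))


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com")
```

Run it as `python3 check_certs.py mail.valoric.de`; if the 443 line shows a fresh date and a different fingerprint from the 993 and 465 lines, the renewal hook is only reloading the web server. The fix is then on the server side (copy or symlink the renewed files into the mail daemons' configuration and reload Dovecot and Postfix from the renewal hook), not in Mac Mail.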