Email server security certificate problems

2017-07-19

My first indication that something was amiss was the BlueMail client on my phone complaining about a bad certificate from my email server. I immediately opened Chrome and checked my website. The security button in the browser confirmed that the site's certificate was up to date, and because my email server is set to use the same certificate, I assumed that all was well. Maybe BlueMail had a bad connection when it loaded the latest certificate or something.

Then I tried using one of my nathanmorrison.net addresses to sign up for a web service, and I got a message saying that my submission had been flagged for review. This was a surprise, because it should have been the kind of basic free signup that barely required an actually valid address. After seeing that, I checked Thunderbird, which had a similar error to BlueMail. This time, though, it gave me enough detail to know that the certificate it was seeing had expired on the same date that the certificate for my web server had been renewed. It would seem that Postfix had some kind of cache of the old certificate that had somehow not been renewed when it updated.

Restarting the postfix and dovecot services immediately fixed the issue as far as Thunderbird was concerned. Not too long after that, I got an email about the website signup that said everything was fine. Just to be sure, I decided to manually check the certificate. I used this command to get a response from my server:

openssl s_client -connect mailserver.nathanmorrison.net:465

The certificate shows up as an indecipherable block in the response, so I copied it into a file called cert and viewed it like so:

cat cert | openssl x509 -text

This confirmed that my email server is exposing the current certificate.
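The manual `s_client` check above can be turned into a repeatable test. The script below is an added example, not code from the original post: it compares the SHA-256 fingerprint of the certificate a live TLS endpoint presents with the fingerprint of the certificate file on disk, and also checks that the file is not close to expiry. A mismatch is exactly the stale-certificate-in-memory condition described above, where the file was renewed but the running daemon kept serving the old copy. Host names, ports and file paths are placeholders; the self-signed certificates it generates at the end are constructed test material so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a running mail
# service presents the same certificate that sits on disk and that the
# on-disk certificate is still valid for a margin of days.

# SHA-256 fingerprint of a PEM certificate read from stdin (hex bytes only).
fingerprint_stdin() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the certificate file the daemon is configured to load.
file_fingerprint() {
    fingerprint_stdin < "$1"
}

# Fingerprint of the certificate a live TLS endpoint (host:port) presents.
# Port 465 is implicit TLS, so no STARTTLS negotiation is needed here.
live_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | fingerprint_stdin
}

# Succeeds when two PEM files carry the same certificate.
certs_match() {
    [ "$(file_fingerprint "$1")" = "$(file_fingerprint "$2")" ]
}

# Succeeds when the certificate in FILE ($1) stays valid for at least DAYS ($2).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Full check of one service: a fingerprint mismatch means the daemon is still
# serving an old certificate and needs a reload; a short remaining lifetime
# means renewal itself did not happen.
check_service_cert() {
    hostport=$1
    certfile=$2
    live=$(live_fingerprint "$hostport")
    disk=$(file_fingerprint "$certfile")
    if [ -z "$live" ]; then
        echo "$hostport: could not fetch a certificate" >&2
        return 2
    fi
    if [ "$live" != "$disk" ]; then
        echo "$hostport: presents $live but disk has $disk (reload the service)" >&2
        return 1
    fi
    if ! cert_valid_for_days "$certfile" 14; then
        echo "$hostport: certificate on disk expires within 14 days" >&2
        return 1
    fi
    echo "$hostport: served certificate matches disk and is current"
}

# Constructed test material: a throwaway self-signed certificate written to
# $1 (key to $1.key) with common name $2, valid for $3 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Stand-alone demo on two constructed certificates; no network access needed.
# Against a real server you would instead run, for example:
#   check_service_cert mailserver.example.net:465 /etc/ssl/certs/mail.pem
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/old.pem" old.example 30
make_test_cert "$demo_dir/new.pem" new.example 90
if certs_match "$demo_dir/old.pem" "$demo_dir/new.pem"; then
    echo "unexpected: two different certificates reported as matching"
else
    echo "old.pem and new.pem differ, as a stale daemon versus a renewed file would"
fi
rm -rf "$demo_dir"
```

Run `check_service_cert` for each TLS port the mail server exposes after every renewal; a non-zero exit is the signal to reload postfix and dovecot. Reloading only when the file actually changed is a tighter fix than a periodic unconditional restart: if renewal is done with certbot (an assumption, since the post does not name its renewal tool), its `--deploy-hook` option runs a command only on successful renewal and is the natural place for that reload.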

I'm not sure why this happened this time around when it hasn't happened before. The certificates auto-renew every two or three months, and previous renewals never caused issues. Maybe I should add a cron job to restart postfix on a regular basis. I'm not too concerned about the security of my connections right now, but I hope this is not a symptom of some kind of deeper unknown issue. This may warrant some further investigation in the future.