Email SSL handshake error - intermediate certificates expired

Zj410

I renewed my let's encrypt certificate today, website is working fine, but I am unable to connect to my email server:

Email:

$ openssl s_client -connect my-website.com:995 -servername my-website.com

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=10:certificate has expired
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
notAfter=Sep 15 16:00:00 2025 GMT
verify return:1
depth=0 CN = my-website.com
verify error:num=10:certificate has expired
notAfter=Aug 2 07:42:17 2024 GMT
verify return:1
depth=0 CN = my-website.com
notAfter=Aug 2 07:42:17 2024 GMT

verify return:1

Certificate chain
0 s:CN = my-website.com
i:C = US, O = Let's Encrypt, CN = R3
a😛KEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 4 07:42:18 2024 GMT; NotAfter: Aug 2 07:42:17 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a😛KEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT

...

SSL handshake has read 3159 bytes and written 403 bytes

Verification error: certificate has expired

For comparison, here is the readout for web/https:

$ openssl s_client -connect my-website.com:443 -servername my-website.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R13
verify return:1
depth=0 CN = *.my-website.com

verify return:1

Certificate chain
0 s:CN = *.my-website.com
i:C = US, O = Let's Encrypt, CN = R13
a😛KEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 11 12:36:44 2025 GMT; NotAfter: Jan 9 12:36:43 2026 GMT
1 s:C = US, O = Let's Encrypt, CN = R13
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a😛KEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT

SSL handshake has read 3159 bytes and written 403 bytes

Verification: OK

It appears that ISRG / Let's Encrypt root and intermediate certificates haven't been updated for email. I copied Private Key and PEM, etc keys into the correct boxes under the Email Server in aaPanel, but I'm guessing this isn't enough to update the intermediate certificates for the email server?

How do I update the intermediate certificates for the email server? Thanks

Zj410

I'm running Debian 12
aaPanel 7.0.26
Email server 7.37

Zj410

Problem fixed by re-pasting the certificates from Website into Email Server > SSL. There is a little note below where you paste into the email server that gave me a clue:

"If the browser prompts that the certificate chain is incomplete, please check if the PEM certificate is correctly spliced correctly"