SSL Bad Certificate warning

ETNyx

Keys seems to be newly rotated,..

            Not Before: Nov 14 07:48:20 2025 GMT
            Not After : Feb 12 07:48:19 2026 GMT

did you made restart? or down and up whole stack?

fmaddict

ETNyx I’ve tried both restarting the whole VM and just taking the stack up and down, with a few different certificates over a few days, freshly renewed each time to try and rule something out from that.

esackbauer all I get when trying to add an account in Thunderbird is “Thunderbird failed to find the settings for your email account” which isn’t at all helpful. Previously added accounts just don’t load anything and do not show any errors either.
Account details are definitely correct as the work in the webmail. Plus they used to work in thunderbird before what ever happened.
As for the DNS, it’s all still there too. This has been working for over a year without issues prior to this.
server is on mail2.website-inator.com if that helps

esackbauer

Without sharing your mailcow server host address its difficult to say whats the problem.
Also the log files of Thunderbird and exact error messages would help.
Maybe you have not all required DNS names (SAN) in your Nginx Proxy Manager certificates?
https://docs.mailcow.email/getstarted/prerequisite-dns/#the-minimal-dns-configuration

esackbauer

fmaddict “Thunderbird failed to find the settings for your email account” which isn’t at all helpful.

It is helpful as it indicates you are missing the autodiscover.website-inator.com and autoconfig.website-inator.com from your certificate. And checking your certificate on mail2.website-inator.com confirms this.

fmaddict

esackbauer I am still getting the same error on manual configuration, which shoudn’t rely on the autos. The DNS records are there for them anyway.
I’ve been swapping between trying wildcard cert and for the specific URL for testing, and had left it on the specific. It’s back to wildcard and the issues remain.

esackbauer

fmaddict the same error on manual configuration,

Could be that Thunderbird tries to overrule it. Maybe you have in Thunderbird settings the experimenal new account configuration activated? Try to deactivate it.

fmaddict The DNS records are there for them anyway.

That is another problem, if Thunderbird finds the DNS names, it expects a proper certificate.

fmaddict I’ve been swapping between trying wildcard cert

Wildcard certs are not supported by mailcows dovecot and postfix as far as i know.

fmaddict

esackbauer Could be that Thunderbird tries to overrule it. Maybe you have in Thunderbird settings the experimenal new account configuration activated? Try to deactivate it.

The experimental setting is not enabled. Also as previously mentioned other software trying to send emails through this server are having issues with their previously working set ups.

esackbauer Wildcard certs are not supported by mailcows dovecot and postfix as far as i know.

All the information I’m finding is saying otherwise.

Either way, I think the bigger issue here is why is this error coming up in postfix logs. This isn’t just about Thunderbird setup, I only mentioned that as a symptom that I have noticed. Also when running the expiry-dates.sh helper script, why does Dovecot not show a certificate at all?

esackbauer

Maybe the certificate file is incomplete. As per documentation:

save the combined certificate (containing the certificate and intermediate CA/root CA if any) to data/assets/ssl/cert.pem and the corresponding key to data/assets/ssl/key.pem.

fmaddict

esackbauer Maybe the certificate file is incomplete. As per documentation docs.mailcow.emailAdvanced SSL - mailcow: dockerized documentationNone :

The same issues exist wether using the fullchain.pem, or cert.pem from what’s downloaded from NGINX proxy manager. Historically using the cert.pem has been fine. When using chain.pem from this download the containers do not start properly.
If the certificate file was incomplete I would have expected the inbuilt nginx and postfix to have an issue reading it, which they don’t.

esackbauer

fmaddict TLS expiry dates:
Postfix: Feb 12 07:48:19 2026 GMT
Dovecot:
Nginx: Feb 7 04:36:36 2026 GMT

Could you explain why the certificates have different expiry dates?

DocFraggle

It seems at least your postfix doesn’t serve the whole cert chain

# openssl s_client -connect mail2.website-inator.com:587 -starttls smtp -showcerts
CONNECTED(00000003)
depth=0 CN = *.website-inator.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.website-inator.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.website-inator.com
verify return:1
---
Certificate chain
 0 s:CN = *.website-inator.com
   i:C = US, O = Let's Encrypt, CN = E7
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Nov  4 05:44:12 2025 GMT; NotAfter: Feb  2 05:44:11 2026 GMT

It’s only the server cert, no intermediate

esackbauer

DocFraggle NotAfter: Feb 2 05:44:11 2026 GMT

Now this is the third certificate with another expiry date. If you request them from Nginx and copy them to mailcow as per documentation, they should all have the same expiry date.