Since yesterday, all email clients, including those for Android and iOS, have been giving me problems with Let’s Encrypt certificates. I’m getting messages warning that the certificates are insecure. Even browsers are warning about insecure certificates when trying to access webmail.
When you read the details of the error messages, the problem is with Let’s Encrypt’s R13 intermediate certificates. Has anyone else had a similar problem?
I’ve no issues. Could you please share one of those domains with certificate issues?
I just checked and the problem is that the certificate for mail.nexo21.com expired yesterday and Hestia hasn’t automatically renewed it. Even though the email clients are saying the problem is R13, the issue is that the certificate hasn’t been renewed.
Now you should try to figure out the reason it wasn’t renewed.
Check the log that should be here: /var/log/hestia/LE-YourUser-mail.nexo21.com.log
Also, show the output of this command:
grep -rE "LETSENCRYPT_FAIL_COUNT='[^0][0-9]'" /usr/local/hestia/data/users | sed -E "s/(.*):(DOMAIN='[^']+').*(LETSENCRYPT_FAIL_COUNT='[^']+').*/\1 \2 \3/" | column -t
There is no file like that in that path. There are other .log files, but none related to the mail server or domains. “grep” doesn’t show anything.
What I see right now is that you have renewed the certificate a couple of hours ago:
{
  "id": "13677244024",
  "tbs_sha256": "bebbc1d1c4ea3935e4105c1a2000a2fb13a265a00775ca413a68bea49774dde6",
  "cert_sha256": "2cf9bca1f2b6d62317ed03d13a061f32e3797cb62009e466f6a4492ac0adb539",
  "dns_names": [
    "mail.nexo21.com"
  ],
  "pubkey_sha256": "ba1bce3a2d56216572313beea584c6ce6bda607426544f22ce3d160ec461f4d4",
  "issuer": {
    "friendly_name": "Let's Encrypt",
    "pubkey_sha256": "919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4",
    "name": "C=US, O=Let's Encrypt, CN=R12"
  },
  "not_before": "2026-02-04T13:09:15Z",
  "not_after": "2026-05-05T13:09:14Z",
  "revoked": false
}
It only covers mail.nexo21.com but it doesn’t cover webmail.nexo21.com, and it should.
It is being used by the web server but not by Exim or Dovecot:
❯ ssl_check mail.nexo21.com 443
2026-02-04 17:56 - Checking mail.nexo21.com on port 443
issuer=C = US, O = Let's Encrypt, CN = R12
subject=CN = mail.nexo21.com
notBefore=Feb 4 13:09:15 2026 GMT
notAfter=May 5 13:09:14 2026 GMT
SANs: mail.nexo21.com
❯ ssl_check mail.nexo21.com 465
2026-02-04 17:56 - Checking mail.nexo21.com on port 465
❯ ssl_check mail.nexo21.com 993
2026-02-04 17:57 - Checking mail.nexo21.com on port 993
Yes, just to see if it would fix the problem, two hours ago I disabled SSH on that domain and then re-enabled it. After that, I restarted Dovecot and Exim4 to see if that would solve the problem, but it didn’t.
I’m wondering how you were able to issue a certificate only for mail and not mail and webmail…
First I issued on WEB > mail.nexo21.com and then on MAIL > nexo21.com.
You can’t do that. Remove the web domain mail.nexo21.com and then issue a certificate for the mail domain nexo21.com; it will issue a certificate valid for mail.nexo21.com and webmail.nexo21.com.
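An added check, not Hestia’s own tooling, that does in code what the ssl_check runs and the certificate record above do by hand: it audits a certificate’s SAN list and expiry against the hostnames a mail domain needs (here mail.nexo21.com and webmail.nexo21.com) and can fetch the live certificate from the implicit-TLS ports 443, 465 and 993. `SAMPLE_RECORD` is constructed from the record quoted in the thread; `audit` and `fetch_record` are hypothetical names.

```python
import socket
import ssl
from datetime import datetime, timezone
ISO = "%Y-%m-%dT%H:%M:%SZ"
SAMPLE_RECORD = {  # constructed, shaped like the record quoted in the thread
    "dns_names": ["mail.nexo21.com"],
    "issuer": {"name": "C=US, O=Let's Encrypt, CN=R12"},
    "not_after": "2026-05-05T13:09:14Z",
}

def utc(stamp):
    """Parse an ISO-8601 UTC timestamp such as '2026-05-05T13:09:14Z'."""
    return datetime.strptime(stamp, ISO).replace(tzinfo=timezone.utc)

def audit(record, expected_names, now):
    """List what a client would reject: hostnames missing from the SAN list,
    an expired certificate, or one already inside the 30-day renewal window."""
    sans = set(record["dns_names"])
    problems = [f"missing SAN: {n}" for n in expected_names if n not in sans]
    not_after = utc(record["not_after"])
    if now >= not_after:
        problems.append(f"expired at {record['not_after']}")
    elif (not_after - now).days < 30:
        problems.append(f"renewal due, expires {record['not_after']}")
    return problems

def fetch_record(host, port, timeout=5):
    """Return the certificate served on an implicit-TLS port (443, 465, 993) in
    SAMPLE_RECORD's shape. Chain validation stays on, so an expired certificate
    comes back as an error; hostname checking is off so we can inspect the SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return {"error": f"{host}:{port}: {exc}"}
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "issuer": {"name": ", ".join("=".join(rdn[0]) for rdn in cert["issuer"])},
        "not_after": expiry.strftime(ISO),
    }

if __name__ == "__main__":  # live check of the three ports the thread tested
    names = ["mail.nexo21.com", "webmail.nexo21.com"]
    for port in (443, 465, 993):
        rec = fetch_record("mail.nexo21.com", port)
        print(port, rec.get("error") or audit(rec, names, datetime.now(timezone.utc)) or "OK")
```

Run against the thread’s record, the audit reports the missing webmail SAN; a port that answers with an error string instead of a record is the code equivalent of the empty 465/993 output above.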
I’m having the same problem. Certificates weren’t renewed, and when trying I get this error:
v-add-letsencrypt-domain myuser mydomain
Error: Let’s Encrypt nonce request status (mydomain)
grep -rE "LETSENCRYPT_FAIL_COUNT='[^0][0-9]'" /usr/local/hestia/data/users | sed -E "s/(.*):(DOMAIN='[^']+').*(LETSENCRYPT_FAIL_COUNT='[^']+').*/\1 \2 \3/" | column -t
/usr/local/hestia/data/users/myuser/web.conf DOMAIN='mydomain' LETSENCRYPT_FAIL_COUNT='31'
root@server:/var/log/hestia# cat LE-myuser-mydomain.log
=============================
Date Time: 2026-02-01 07:44:02
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-02 07:44:03
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-03 07:44:02
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-04 07:44:03
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-05 09:47:11
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-05 09:58:48
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases: www.mydomain
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
=============================
Date Time: 2026-02-05 10:01:27
WEB_SYSTEM: apache2
PROXY_SYSTEM: nginx
user: myuser
domain: mydomain
aliases:
proto: http-01
wildcard:
==[Step 1]==
status:
nonce:
answer:
This is a different issue; have a look at SSL Certificates | Hestia Control Panel for troubleshooting.
Sorry, I will create a new post
I did it that way because that’s what someone from IONOS technical support told me to do. He was the one who recommended installing the Hestia control panel. It’s been working fine for months, but anyway, I’ll do what you say.