I had LE certs apparently expire, as mail quit syncing due to certificate error. Cluster-admin also had cert error opening the browser page. Loading the TLS cert page might have triggered a renewal, as all certs indicated a Jan 6, 2026 expiration, but while SOGo and NextCloud are type=automatic and status=Active (app enabled certs), the node cert is type=requested and status=active. Web UI now serves the updated cert, but mail continues to fail. I notice the following error message in system logs when the cert was “renewed”:
2025-10-09T10:35:46-05:00 [1:traefik1:traefik] 2025-10-09T15:35:46Z ERR Error while creating certificate store error="unable to find certificate for domains \"ns8.qzoneinc.com\": falling back to the internal generated certificate" tlsStoreName=default
What is the problem? This cert has been auto-renewing for several cycles already, and has seemingly died on its own for no reason.
No change at all. Mail clients still pull expired cert. Active node cert still has “requested” type, but expiration is now Jan 7, 2026… verified in browser security. Going to restart the server.
This error message appears after Traefik restarts. In this case it is harmless and can be ignored.
If Traefik continues to serve the web site with a self-signed certificate where a Let's Encrypt one is expected, look up the acmeCA= string in the Logs page: it is a key to select relevant Traefik log lines.
Very well… But no, the cluster-admin web pages are secured by the expected LetsEncrypt certificate. The phone and computer mail apps are not getting the certificate and report an expired cert.
Now I notice, my laptop mail app says the cert was issued by R11, and expired Oct 7. The web cert is issued by R13. I've never noticed this before and can't comment on significance?
If you go to Mail > Settings, under the General card, you'd find the server name used by Postfix and Dovecot. Ensure it is listed in the Requested certificate.
No other names. Still valid DNS, all point to server IP. As I mentioned, two other LE certs have successfully renewed and work (SOGo and NextCloud), just the node cert in question (that happens to be associated with mail).
If the TLS certificates page lists only valid certs (including the one for Mail) and Mail still presents a different one, expired, that means it didn't receive the cert update event.
Did you already reboot the node as said? Try to restart only Mail, from the software center page (it's a 3.12 core feature).
Just tried to recreate the cert by adding an alternate name and requesting cert… Added “test.qzoneinc.com”
Fired up a fresh browser session and pointed to ns8-ui, Chrome happily accepted the new cert (which includes the alternate name). However, mail clients (Mac and iPhone) still report the original expired cert. Maybe this is just a Mac thing after the Mail app update? I'm so confused.
[edit] - Not a Mac thing, Android and Windows clients fail to sync, as well. I think we are down to NS Mail instance not receiving the cert, and don't know why the node cert shows as type=requested instead of automatic.
The label may sound strange, but Mail just adds its name to the certificate with type Requested. This allows specifying alternative names like imap.example.org.
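
One way to confirm the situation described in this thread (web UI serving the renewed certificate while mail still presents the old one), added here as an example and not part of any post or of NethServer's own tooling. It assumes the same certificate is expected on the implicit-TLS ports 443, 993 and 465; the function names and the sample data are made up for illustration.

```python
import hashlib
import socket
import ssl

def fetch_leaf(host, port, timeout=5.0):
    """Return (sha256 hex of the leaf cert, verify error text or None) for an implicit-TLS port."""
    def handshake(ctx):
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    # Pass 1: no verification, so an expired or self-signed cert can still be read.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    fingerprint = hashlib.sha256(handshake(lax)).hexdigest()
    # Pass 2: normal verification, to learn why a client would reject it.
    try:
        handshake(ssl.create_default_context())
        return fingerprint, None
    except ssl.SSLCertVerificationError as exc:
        return fingerprint, exc.verify_message

def stale_services(observed, reference="https"):
    """Return names of services whose cert differs from the reference service's
    cert or fails verification; `observed` maps name -> (fingerprint, error)."""
    ref_fp, _ = observed[reference]
    return sorted(
        name for name, (fp, err) in observed.items()
        if name != reference and (fp != ref_fp or err is not None)
    )

# Constructed sample mirroring the thread: web renewed, mail still on the old cert.
SAMPLE = {
    "https": ("aa11" * 16, None),
    "imaps": ("bb22" * 16, "certificate has expired"),
    "smtps": ("bb22" * 16, "certificate has expired"),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # live check against a host you administer
        ports = {"https": 443, "imaps": 993, "smtps": 465}  # assumed ports
        observed = {n: fetch_leaf(sys.argv[1], p) for n, p in ports.items()}
    else:
        observed = SAMPLE
    for name, (fp, err) in observed.items():
        print(f"{name:6} {fp[:16]} {err or 'ok'}")
    print("stale:", stale_services(observed) or "none")
```

Run without arguments it evaluates the constructed sample; STARTTLS ports (143, 587) are not covered by this sketch.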