CyberPanel Community

Mail server SMTP SSL certificate verify failed

Dreamer #1

I can't connect to SMTP; I get the message below.

certificate Error messages: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

I have tried issuing a new SSL certificate for the mail server and mail domains, and restarting Postfix.
I can send and receive through SnappyMail. A test with mail-tester.com doesn't show any problems either.

Below is the log from mail.

Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: connect from mail.website.com[66.22.88.99]
Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: SSL_accept error from mail.website.com[66.22.88.99]: -1
Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: lost connection after STARTTLS from mail.website.com[66.22.88.99]
Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: disconnect from mail.website.com[66.22.88.99] ehlo=1 starttls=0/1 commands=1/2

Anyone know how to fix this issue?

5 replies
shoaibkk #2

Can you show the checktls results?

Dreamer #3

seconds lookup result
[000.000] DNS LOOKUPS
[000.001] SEARCHLIST 104.131.108.216,134.209.169.224,1.1.1.1,8.8.8.8,67.207.67.3
[000.022] MX (10) mail.website.com
[000.032] MX:A->mail.website.com 66.66.66.66
seconds test stage and result

[000.000] Trying TLS on mail.website.com[66.66.66.66:25] (10)
[000.226] Server answered
[001.142] < 220 mail.website.com ESMTP Postfix
[001.143] We are allowed to connect
[001.143] > EHLO www12-azure.checktls.com
[001.368] < 250-mail.website.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[001.369] We can use this server
[001.369] TLS is an option on this server
[001.369] > STARTTLS
[001.595] < 220 2.0.0 Ready to start TLS
[001.595] STARTTLS command works on this server
[002.100] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 4 (sent by MX): EXPIRED
Cert VALIDATION ERROR(S): certificate has expired
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.website.com = mail.website.com | DNS:mail.website.com | DNS:www.mail.website.com)
Not Valid Before: Jun 22 02:26:29 2022 GMT
Not Valid After: Sep 20 02:26:28 2022 GMT
subject: /CN=mail.website.com
issuer: /C=US/O=Let’s Encrypt/CN=R3
Certificate #2 of 4 (sent by MX):
Cert VALIDATED: ok
Not Valid Before: Sep 4 00:00:00 2020 GMT
Not Valid After: Sep 15 16:00:00 2025 GMT
subject: /C=US/O=Let’s Encrypt/CN=R3
issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #3 of 4 (added from CA Root Store):
Cert VALIDATED: ok
Not Valid Before: Jun 4 11:04:38 2015 GMT
Not Valid After: Jun 4 11:04:38 2035 GMT
subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #4 of 4 (sent by MX):
Cert VALIDATED:
Not Valid Before: Jan 20 19:14:03 2021 GMT
Not Valid After: Sep 30 18:14:03 2024 GMT
subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer: /O=Digital Signature Trust Co./CN=DST Root CA X3
[002.217] > EHLO www12-azure.checktls.com
[002.551] <
250-mail.website.com
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
[002.551] TLS successfully started on this server
[002.551] > MAIL FROM:test@checktls.com
[002.778] <
250 2.1.0 Ok
[002.778] Sender is OK
[002.779] > QUIT
[003.005] <
221 2.0.0 Bye
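
The checktls dump above and the Postfix log in the first post tell the same story: the leaf certificate smtpd presents expired on Sep 20, and the connecting client answered STARTTLS with TLS alert 45 (certificate_expired). As an added check that is not part of the thread or of CyberPanel, the following parses both formats and flags the expired chain member; the sample text is constructed from the values posted here and the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample, trimmed from the checktls chain dump posted in the thread.
CHECKTLS_SAMPLE = """\
Certificate #1 of 4 (sent by MX): EXPIRED
Not Valid After: Sep 20 02:26:28 2022 GMT
subject: /CN=mail.website.com
Certificate #2 of 4 (sent by MX):
Not Valid After: Sep 15 16:00:00 2025 GMT
subject: /C=US/O=Let's Encrypt/CN=R3
"""
# Constructed sample modelled on the Postfix submission log in the first post.
POSTFIX_SAMPLE = [
    "Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: connect from mail.website.com[66.22.88.99]",
    "Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: warning: TLS library problem: "
    "error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:"
    "…/ssl/record/rec_layer_s3.c:1543:SSL alert number 45:",
    "Sep 22 09:47:38 sgserver1 postfix/submission/smtpd[772857]: lost connection after STARTTLS from mail.website.com[66.22.88.99]",
]

def parse_gmt(text):
    """Parse an OpenSSL-style 'Sep  4 00:00:00 2020 GMT' timestamp (any spacing) as aware UTC."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Split a checktls dump into one dict per 'Certificate #n of m (...)' block."""
    certs = []
    for line in text.splitlines():
        m = re.match(r"Certificate #(\d+) of \d+ \((.*?)\)", line)
        if m:
            certs.append({"index": int(m.group(1)), "source": m.group(2)})
        elif certs and line.startswith("Not Valid After: "):
            certs[-1]["not_after"] = parse_gmt(line.split(": ", 1)[1])
        elif certs and line.startswith("subject: "):
            certs[-1]["subject"] = line.split(": ", 1)[1].strip()
    return certs

def expired_certs(certs, now):
    """Subjects of chain members whose notAfter is already in the past at `now`."""
    return [c["subject"] for c in certs if c["not_after"] < now]

# Alert 45 is certificate_expired; Postfix logs the peer's alert, so the line means
# the connecting client rejected the certificate that smtpd presented.
ALERT_RE = re.compile(r"smtpd\[(\d+)\]: warning: TLS library problem: .*alert certificate expired.*SSL alert number (\d+)")

def expired_alerts(log_lines):
    """(pid, alert number) for each smtpd line where a client sent certificate_expired."""
    return [(m.group(1), int(m.group(2))) for m in map(ALERT_RE.search, log_lines) if m]
```

If the leaf shows up as expired while a freshly issued certificate exists on disk, compare the file that Postfix's smtpd_tls_cert_file actually points to against the renewed one, then reload Postfix and re-run the chain check.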

clickadmingr #5

I also suddenly got this, on a production server that was working without problems for about the last year. Did you solve the problem? I can't manage to figure this out.

All cert and key files inside Postfix and Dovecot are newly generated by Let's Encrypt; no clue what the problem is with this.

Dreamer #6

I had to buy an email debugger to solve the issue.

I opened a bug report on GitHub and the dev asked to access my server to look at the issue. I had already bought the debugger and solved the problem, so they never got onto it.
