On Tue, Oct 11, 2022 at 09:57:02PM +0200, Luciano Mannucci wrote:

> I've seen this error in my maillog:
> 
> Oct 11 21:49:02 baobab postfix/smtpd[21916]: connect from 
> r164.europe-news.chanel.com[172.82.238.164]
> Oct 11 21:49:02 baobab postfix/smtpd[21916]: SSL_accept error from 
> r164.europe-news.chanel.com[172.82.238.164]: -1
> Oct 11 21:49:02 baobab postfix/smtpd[21916]: warning: TLS library problem: 
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
> expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:

The remote client believes that some certificate in your chain is
expired and sends a corresponding alert.

> Does it refer to my own certificate?

Yes, or perhaps transitively one of its issuers.

> I have successful TLS connections, especially when originated from my
> own server (baobab.bilink.it).

    $ posttls-finger -cC -lverify -Lsummary "[baobab.bilink.it]" |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text -noout |
        grep -E '^ *(Subject:|Issuer:|Not [AB])'

        Issuer: C=US, O=Let's Encrypt, CN=R3
            Not Before: Sep 10 03:52:25 2022 GMT
            Not After : Dec  9 03:52:24 2022 GMT
        Subject: CN=baobab.bilink.it
        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C=US, O=Let's Encrypt, CN=R3
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

Note that your chain includes a "cross certificate" for ISRG Root X1,
issued by the expired "DST Root CA X3".  This is for compatibility with
Android clients that no longer get updates of the root CA list, and as
it happens ignore the expiration time of root CAs.

Other clients may build a chain to "DST Root CA X3" (rather than
short-circuit to a local copy of "ISRG Root X1" instead of using the
cross certificate), and then fail because the DST root in their trust
store is in fact expired.

> Do I have to worry?

If Android clients aren't a concern for your MTA, you should perhaps
configure your ACME client (e.g. certbot) to build a chain file without
the cross certificate.  Details on the letsencrypt.org website:

    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
    https://community.letsencrypt.org/t/production-chain-changes/150739
    https://community.letsencrypt.org/t/certbot-1-6-0-release/127841

So at least once:

    # certbot renew --preferred-chain "ISRG Root X1" --force-renew

and then ideally it will keep using it going forward.  Haven't delved
into the details...

-- 
    Viktor.

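As an added example (not part of Viktor's reply or of Postfix), the following script parses the Subject/Issuer/Not After lines of the openssl output quoted above and reports both expired chain elements and a chain that terminates at an external root whose trust-store copy has expired, which is the cross-certificate situation described in the reply. The trust-store expiry dates and the reference date are assumed values embedded for the example.

```python
from datetime import datetime, timezone

# Constructed sample: the grep output shown in the post (Not Before lines omitted).
SAMPLE = """\
Issuer: C=US, O=Let's Encrypt, CN=R3
    Not After : Dec  9 03:52:24 2022 GMT
Subject: CN=baobab.bilink.it
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
    Not After : Sep 15 16:00:00 2025 GMT
Subject: C=US, O=Let's Encrypt, CN=R3
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
    Not After : Sep 30 18:14:03 2024 GMT
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""

def parse_time(s):
    # openssl pads single-digit days with a space ("Sep  4 ..."); collapse first
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def cn(name):
    # Pull the CN= attribute out of an openssl one-line DN
    return next(p.split("=", 1)[1] for p in name.split(", ") if p.startswith("CN="))

def parse_chain(text):
    certs, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Issuer:"):          # -text prints Issuer before Subject
            cur = {"issuer": line[7:].strip()}
        elif line.startswith("Not After"):
            cur["not_after"] = parse_time(line.split(":", 1)[1])
        elif line.startswith("Subject:"):
            cur["subject"] = line[8:].strip()
            certs.append(cur)
    return certs

def audit_chain(certs, trust_store, now):
    """Return findings: expired chain elements, and chain elements whose
    issuer is not served in the chain (an external root), flagging that
    root when the trust-store copy of it has already expired."""
    findings = [f"expired: {cn(c['subject'])}" for c in certs if c["not_after"] < now]
    subjects = {c["subject"] for c in certs}
    for c in certs:
        if c["issuer"] in subjects:             # issuer is part of the served chain
            continue
        root = cn(c["issuer"])
        findings.append(f"cross-signed: {cn(c['subject'])} chains to external root {root}")
        if root in trust_store and trust_store[root] < now:
            findings.append(f"trust anchor expired: {root}")
    return findings

# Constructed trust store (root CN -> Not After); these dates are assumed here.
TRUST_STORE = {
    "DST Root CA X3": parse_time("Sep 30 14:01:15 2021 GMT"),
    "ISRG Root X1": parse_time("Jun  4 11:04:38 2035 GMT"),
}

if __name__ == "__main__":
    now = parse_time("Oct 11 21:49:02 2022 GMT")   # timestamp of the log lines
    for finding in audit_chain(parse_chain(SAMPLE), TRUST_STORE, now):
        print(finding)
```

Run against a live chain by piping the posttls-finger/openssl pipeline from the reply into the script instead of using SAMPLE.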