[pfx] Re: tls and cert problem for submission

2023-10-05 Thread Alex via Postfix-users
Hi,

> > I think I'm having a problem with my certificate for submission not
> > being configured properly. I'm trying to install roundcube but having
> > a problem with properly configuring the cert for submission, but when
> > using openssl to check, it reports a cert problem. This is a cert from
> > Digicert.
>
> Which, you've decided to obfuscate, for little gain. :-( Certificates
> are *public* data, anyone connecting to your server gets a copy as part
> of the TLS handshake...
>

It's more a matter of being a little embarrassed that I couldn't figure it
out on my own.

Especially when, after putting this all together, I realized my mistake
shortly thereafter.

> > I'm also using tls_server_sni_maps to support multiple domains.
>
> That's perhaps more advanced than you need.  Do you really need multiple
> MX hostnames for your various domains?  A common MX hostname is MUCH
> easier to manage, and does not then require SNI.
>

The problem is that I'm forced to use the mail.example.com cert and some
users would be confused seeing Example, Inc. in the cert when it is not
that company providing those services.

Thank you so much for your help.
Alex
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: tls and cert problem for submission

2023-10-05 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 05, 2023 at 04:18:35PM -0400, Alex via Postfix-users wrote:

> I think I'm having a problem with my certificate for submission not
> being configured properly. I'm trying to install roundcube but having
> a problem with properly configuring the cert for submission, but when
> using openssl to check, it reports a cert problem. This is a cert from
> Digicert.

Which, you've decided to obfuscate, for little gain. :-( Certificates
are *public* data, anyone connecting to your server gets a copy as part
of the TLS handshake...

> openssl s_client -starttls smtp -connect mail.example.com:587
> CONNECTED(0003)
> depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify return:1
>
> Certificate chain
>  0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN = mail.example.com
>    i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT

Your configured certificate chain has only the end-entity (EE)
certificate, and is missing the intermediate issuer (CA) certificates
needed to construct a full certificate chain.  For this, you need
at least also the "DigiCert TLS RSA SHA256 2020 CA1" certificate.

https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

> Oct  5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI
> cipher.example.com from cipher.example.com[209.216.111.60] not matched,
> using default chain

The certificate appears to be for "mail.example.com" (needlessly
obfuscated), but here you're reporting "cipher.example.com" (needlessly
obfuscated).

> Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error
> from cipher.example.com[209.216.111.60]: -1
> Oct  5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning:
>   TLS library problem: error:0A000418:
>   SSL routines::tlsv1 alert unknown ca:
>   ssl/record/rec_layer_s3.c:1586:
>   SSL alert number 48:

The SMTP client did not recognise the issuing CA (likely for the above
stated reason).

> I'm also using tls_server_sni_maps to support multiple domains.

That's perhaps more advanced than you need.  Do you really need multiple
MX hostnames for your various domains?  A common MX hostname is MUCH
easier to manage, and does not then require SNI.

> smtpd_tls_chain_files =
>     /var/www/mail.example.com-443/ssl/mail.example.com-2023.key,
>     /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

That certificate is still just the EE cert, sans issuer.

> tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
>
> /etc/postfix/vmail_ssl.map:
> clients.example1.com /etc/letsencrypt/privkey.pem /etc/letsencrypt/fullchain.cer
> mail.example.com /var/www/mail.example.com-443/ssl/mail.example.com-2023.key /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

Still missing the issuer CA cert for the second entry.
The first one has a complete chain.

-- 
Viktor.
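Viktor's diagnosis (an EE cert with no issuer behind it in the chain file) can be checked offline before any client sees the "unknown ca" alert. The Go code below is an added example, not from the thread or from Postfix: it mints a constructed three-tier test PKI (no real DigiCert material) and verifies a bundle in smtpd_tls_chain_files order the way a connecting client must, using only the certificates the file itself supplies plus a given root store, and checking the name the client asked for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyChainFile reads a PEM bundle in smtpd_tls_chain_files order (key, EE cert, issuer certs) and verifies
// the EE cert for host against roots using only the other certs in the file, which is all a client receives.
func VerifyChainFile(bundle []byte, roots *x509.CertPool, host string) error {
	var leaf *x509.Certificate
	inter := x509.NewCertPool()
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { continue } // the private key block plays no part in chain building
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil { return err }
		if leaf == nil { leaf = c } else { inter.AddCert(c) } // first cert is the server's own (EE) cert
	}
	if leaf == nil { return errors.New("bundle contains no CERTIFICATE block") }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// issue mints a constructed test certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), c, key
}

// Fixtures builds a constructed root -> intermediate -> mail.example.com PKI: EE-only bundle, EE+intermediate bundle, root store.
func Fixtures() (eeOnly, full []byte, roots *x509.CertPool) {
	_, root, rootKey := issue("Constructed Root CA", true, nil, nil)
	interPEM, inter, interKey := issue("Constructed TLS CA1", true, root, rootKey)
	eePEM, _, _ := issue("mail.example.com", false, inter, interKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return eePEM, append(append([]byte{}, eePEM...), interPEM...), roots
}
```

With these fixtures, the EE-only bundle fails with an x509.UnknownAuthorityError (the offline counterpart of the client's alert 48), while the bundle that also carries the intermediate verifies; verifying the same bundle for a name it does not cover fails on hostname instead.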