Hi folks,

opensmtpd problem on openbsd 6.1: smtpd.conf says

xname = "mail.example.de"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mail.example.de.pem"
ca $xname certificate "/etc/ssl/public/DigiCertCA.crt"

limit mta inet4

listen on lo0 tls pki $xname ca $xname
listen on internal tls pki $xname ca $xname
listen on external tls pki $xname ca $xname
:
:

If I try to verify starttls via openssl s_client from another host,
then it complains

Verification error: unable to verify the first certificate

# ----------------------------------------------------------------
% openssl s_client -connect mail.example.de:25 -starttls smtp
CONNECTED(00000003)
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = *.example.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = *.example.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFHDCCBASgAwIBAgIQCvjGPkV+KuTwCbtsU6MMVzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
:
ROBuAtmbmyGV7JgZibJHwMza1lhyerRndUCluQdrnwxwyxf9mkxq/e3MQ+g2A7YJ
Er5U9dCsV8c/59ehxPis0A==
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2000 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 025B8C04418CA6...DC7441262A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510221777
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
250 HELP
read:errno=0
# ----------------------------------------------------------------

Apparently the ca chain is not sent by opensmtpd. The "ca" on the
listen lines is ignored.

Is this a known problem? Is there a workaround?

Hopefully you don't mind the question. This is a production host,
i.e. I cannot upgrade to openbsd 6.2 and a new opensmtpd immediately.

Every helpful comment is highly appreciated.

Regards
Harri
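Added example, not part of Harri's post and not OpenSMTPD code: a small Python checker that parses the "Certificate chain" section and verify code of an openssl s_client transcript like the one above and reports which issuer the server did not present, so a "leaf only" server is spotted without reading the output by hand. The two samples are constructed from the subject and issuer names in the post; the second one is an assumed transcript of the same server once it presents the DigiCert intermediate.

```python
import re
# Constructed sample: the "Certificate chain" section and verify code from the
# s_client run in the post, where OpenSMTPD presents only the leaf certificate.
ONLY_LEAF = """\
Certificate chain
 0 s:/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of the same server once the intermediate is presented too.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Verify return code: 0 (ok)
"""

CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")

def parse_chain(text):
    """(subject, issuer) pairs in the order the server presented them."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CHAIN_RE.finditer(text)]

def missing_issuers(chain):
    """Issuer names the server should have presented but did not.
    The issuer of the last presented certificate is exempt: that one is meant
    to come from the client's trust store. A lone leaf that is not self-signed
    is reported as missing its issuer, on the assumption (mine, not the post's)
    that public CAs normally sign leaves through an intermediate, not a root."""
    subjects = {s for s, _ in chain}
    check = chain if len(chain) == 1 else chain[:-1]
    return [i for s, i in check if i != s and i not in subjects]

def diagnose(text):
    """Summarise one s_client run: certs presented, verify code, missing issuers."""
    chain = parse_chain(text)
    m = VERIFY_RE.search(text)
    code = int(m.group(1)) if m else None
    return {"presented": len(chain), "verify_code": code,
            "missing": missing_issuers(chain)}

if __name__ == "__main__":
    for label, text in (("leaf only", ONLY_LEAF), ("with intermediate", WITH_INTERMEDIATE)):
        print(label, diagnose(text))
```

Pipe the saved output of `openssl s_client -connect mail.example.de:25 -starttls smtp` into `diagnose()` to get the same verdict for a live host; an empty `missing` list with verify code 0 is what a correctly chained listener should produce.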