Looks fine from my side, both on pop3s
------------------------------------------------------------------------
ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:995 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
0 s:/CN=emu.sbt.net.au
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
Start Time: 1614694135
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:09:01 ~ $
------------------------------------------------------------------------
and on pop3 with starttls
------------------------------------------------------------------------
ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client -starttls pop3 -connect 103.106.168.105:pop3 -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = emu.sbt.net.au
verify return:1
---
Certificate chain
0 s:/CN=emu.sbt.net.au
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=emu.sbt.net.au
issuer=/C=US/O=Let's Encrypt/CN=R3
---
[...]
Start Time: 1614694499
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
+OK Dovecot ready.
^C
ychaouche#ychaouche-PC 15:15:04 ~ $
------------------------------------------------------------------------
On 3/2/21 at 1:41 PM, Erwan David wrote:
> On 02/03/2021 at 13:29, Voytek Eymont wrote:
>> since a couple of days one of users reported getting expired certificate
>> error in TB, looking at the log, I can see like:
>>
>> Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0
>> secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read
>> failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert
>> certificate expired: SSL alert number 45, session=<...>
>
> Here it is the certificate presented on the pop3 port (either port 110
> with a STLS command or port 995)
>
>> but, looking at server with
>> https://ssl-tools.net/mailservers/emu.sbt.net.au it says 'valid' as does
>> certbot tool
>
> Here it seems the site tests the smtp server (on port 25), which is not
> handled by dovecot. You probably have different certificates on both.
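
Added example, not part of the original thread: one way to check the point made above, that POP3 (995 and 110 with STLS) and SMTP (25 with STARTTLS) may present different certificates. The function names and the service labels are assumptions of this sketch; the host is passed as the first command-line argument.

```python
import hashlib, poplib, smtplib, ssl, sys
SERVICES = ("pop3s", "pop3-stls", "smtp-starttls")   # ports 995, 110, 25

def handshake(host, service, ctx, timeout=10):
    """Complete TLS on one service and return the leaf certificate (DER)."""
    if service == "pop3s":
        conn = poplib.POP3_SSL(host, 995, timeout=timeout, context=ctx)
    elif service == "pop3-stls":
        conn = poplib.POP3(host, 110, timeout=timeout)
    elif service == "smtp-starttls":
        conn = smtplib.SMTP(host, 25, timeout=timeout)
    else:
        raise ValueError(service)
    try:
        if service == "pop3-stls":
            conn.stls(context=ctx)          # POP3 STLS upgrade
        elif service == "smtp-starttls":
            conn.starttls(context=ctx)      # SMTP STARTTLS upgrade (sends EHLO first)
        return conn.sock.getpeercert(binary_form=True)
    finally:
        conn.close()

def probe(host, service):
    """Return (SHA-256 of the leaf certificate, verification result)."""
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE   # accept anything so an expired cert is still captured
    fp = hashlib.sha256(handshake(host, service, lax)).hexdigest()
    try:
        handshake(host, service, ssl.create_default_context())  # strict second pass
        return fp, "ok"
    except ssl.SSLCertVerificationError as exc:
        return fp, exc.verify_message   # e.g. "certificate has expired"

def group_by_cert(results):
    """Map fingerprint -> services; more than one key means different certificates."""
    groups = {}
    for service, (fp, _status) in results.items():
        groups.setdefault(fp, []).append(service)
    return {fp: sorted(names) for fp, names in groups.items()}

def failing(results):
    """Services whose certificate did not verify against the system trust store."""
    return sorted(s for s, (_fp, status) in results.items() if status != "ok")

if __name__ == "__main__":
    results = {s: probe(sys.argv[1], s) for s in SERVICES}
    for fp, services in group_by_cert(results).items():
        print(fp[:16], services)
    print("failing verification:", failing(results))
```

Run it with the mail host name rather than the IP address so that the strict pass also checks the name in the certificate.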