On Thu, Oct 05, 2023 at 04:18:35PM -0400, Alex via Postfix-users wrote:

> I think I'm having a problem with my certificate for submission not
> being configured properly. I'm trying to install roundcube but having
> a problem with properly configuring the cert for submission, but when
> using openssl to check, it reports a cert problem. This is a cert from
> Digicert.
Which, you've decided to obfuscate, for little gain. :-( Certificates
are *public* data, anyone connecting to your server gets a copy as part
of the TLS handshake...

> openssl s_client -starttls smtp -connect mail.example.com:587
> CONNECTED(00000003)
> depth=0 C = US, ST = Arizona, L = Example, O = Example Inc, CN =
> mail.example.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify return:1
>
> Certificate chain
>  0 s:C = US, ST = Arizona, L = Example, O = Example Inc, CN =
> mail.example.com
>    i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Feb 14 00:00:00 2023 GMT; NotAfter: Jan 31 23:59:59 2024 GMT

Your configured certificate chain has only the end-entity (EE)
certificate, and is missing the intermediate issuer (CA) certificates
needed to construct a full certificate chain. For this, you need at
least also the "DigiCert TLS RSA SHA256 2020 CA1" certificate.

    https://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt.pem

> Oct 5 15:49:21 cipher postfix/submission/smtpd[1509791]: TLS SNI
> cipher.example.com from cipher.example.com[209.216.111.60] not matched,
> using default chain

The certificate appears to be for "mail.example.com" (needlessly
obfuscated), but here you're reporting "cipher.example.com" (needlessly
obfuscated).

> Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: SSL_accept error
> from cipher.example.com[209.216.111.60]: -1
> Oct 5 16:04:56 cipher postfix/submission/smtpd[1524779]: warning:
> TLS library problem: error:0A000418:
> SSL routines::tlsv1 alert unknown ca:
> ssl/record/rec_layer_s3.c:1586:
> SSL alert number 48:

The SMTP client did not recognise the issuing CA (likely for the above
stated reason).

> I'm also using tls_server_sni_maps to support multiple domains.

That's perhaps more advanced than you need. Do you really need multiple
MX hostnames for your various domains? A common MX hostname is MUCH
easier to manage, and does not then require SNI.
> smtpd_tls_chain_files =
>   /var/www/mail.example.com-443/ssl/mail.example.com-2023.key,
>   /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

That certificate is still just the EE cert, sans issuer.

> tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
>
> /etc/postfix/vmail_ssl.map:
> clients.example1.com /etc/letsencrypt/privkey.pem
> /etc/letsencrypt/fullchain.cer
> mail.example.com /var/www/mail.example.com-443/ssl/mail.example.com-2023.key
> /var/www/mail.example.com-443/ssl/mail.example.com-2023.crt

Still missing the issuer CA cert for the second entry. The first one has
a complete chain.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
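The chain-file problem in the thread above (an EE certificate with no issuer behind it) can be checked offline before reloading Postfix. The following is an added example, not code from the thread, Postfix or OpenSSL: `chain_report` and `fake_cert` are hypothetical helpers, and the sample certificates are constructed, unsigned stand-ins whose names mirror the thread.

```python
import base64
import re

# Added checker (not Postfix or OpenSSL code): reads a PEM file as named in
# smtpd_tls_chain_files or tls_server_sni_maps and reports whether each certificate is
# followed by its issuer. Raw DER Names only; signatures and validity are not verified.
def _tlv(buf, pos):  # decode one DER tag/length -> (tag, value_start, value_end)
    tag, n = buf[pos], buf[pos + 1]
    if n < 0x80:                                       # short-form length
        return tag, pos + 2, pos + 2 + n
    k = n & 0x7F                                       # long form: k length bytes follow
    return tag, pos + 2 + k, pos + 2 + k + int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def _names(der):  # (issuer, subject) as raw DER Name TLVs of an X.509 certificate
    pos = _tlv(der, _tlv(der, 0)[1])[1]                # Certificate -> tbsCertificate
    if der[pos] == 0xA0:                               # skip the optional [0] version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, _tlv(der, pos)[2])[2]              # skip serialNumber and signature
    issuer_end = _tlv(der, pos)[2]
    subj = _tlv(der, issuer_end)[2]                    # skip validity
    return der[pos:issuer_end], der[subj:_tlv(der, subj)[2]]

def _cn(name):  # commonName (OID 2.5.4.3) from a DER Name, '?' if absent
    _, pos, end = _tlv(name, 0)
    while pos < end:
        _, seq, nxt = _tlv(name, pos)                  # RDN SET -> AttributeTypeAndValue
        _, s, e = _tlv(name, _tlv(name, seq)[1])       # the attribute type OID
        if name[s:e] == b"\x55\x04\x03":
            _, s, e = _tlv(name, e)                    # the value following the OID
            return name[s:e].decode()
        pos = nxt
    return "?"

def chain_report(pem_text):  # -> (CNs in file order, broken link indices, CN client must trust)
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [_names(base64.b64decode("".join(b.split()))) for b in blocks]
    broken = [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    issuer, subject = names[-1]
    return [_cn(s) for _, s in names], broken, None if issuer == subject else _cn(issuer)

# Constructed sample data: structurally valid but unsigned certificates mirroring the thread.
def _der(tag, body):
    return bytes([tag, len(body)]) + body if len(body) < 0x80 else bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body
def _name(cn):
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()

EE_ONLY = fake_cert("mail.example.com", "DigiCert TLS RSA SHA256 2020 CA1")
WITH_INTERMEDIATE = EE_ONLY + fake_cert("DigiCert TLS RSA SHA256 2020 CA1", "DigiCert Global Root CA")
```

For `EE_ONLY` the third field names the intermediate CA, which no client has in its trust store, reproducing the "unknown ca" alert; for `WITH_INTERMEDIATE` it names the root, which is what clients expect.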