Hi,

I've been running Postfix on a FreeBSD 13.x server with Letsencrypt running as a cron job to keep SSL certs up to date automagically :


in main.cf :


smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/cert.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem

As best I can tell, this has worked for a number of years without issue.

I've noticed this error of late :

May 9 08:15:44 rollcage13 postfix/smtpd[88039]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert number 42:

And some mail isn't making it through - I guess it's possible that the above config never worked and I didn't notice, but I suspect this is a new thing.


When I check the SSL config using the ssl-tools.net checks, I'm seeing "Unknown Authority" as the error, but also seeing a cert that looks ok :

From : https://ssl-tools.net/mailservers/rollcage13.aboc.net.au

Certificates
First seen at: a day ago
CN=rollcage13.aboc.net.au
Certificate chain

    rollcage13.aboc.net.au
        40 days remaining
        2048 bit
        sha256WithRSAEncryption
        Unknown Authority
        R10

Subject
Common Name (CN)

        rollcage13.aboc.net.au

Alternative Names

        rollcage13.aboc.net.au


Apart from the "Unknown Authority" it looks fine.

Permissions in the cert directory are all ok, or at least, all the same, so if it can read one bit it can read them all :

rollcage13:/usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au # ls -la
total 16
drwxr-xr-x  2 root  wheel        7 Mar 18 05:08 .
drwxr-s---  3 root  readcirts    4 Sep 19  2021 ..
-rw-r--r--  1 root  wheel      692 Sep 19  2021 README
lrwxr-xr-x  1 root  wheel       47 Mar 18 05:08 cert.pem -> ../../archive/rollcage13.aboc.net.au/cert23.pem
lrwxr-xr-x  1 root  wheel       48 Mar 18 05:08 chain.pem -> ../../archive/rollcage13.aboc.net.au/chain23.pem
lrwxr-xr-x  1 root  wheel       52 Mar 18 05:08 fullchain.pem -> ../../archive/rollcage13.aboc.net.au/fullchain23.pem
lrwxr-xr-x  1 root  wheel       50 Mar 18 05:08 privkey.pem -> ../../archive/rollcage13.aboc.net.au/privkey23.pem



Any suggestions? I'm no whiz when it comes to SSL setups, and am pretty rusty here.




_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
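Added example, not part of the post above and not Postfix's own tooling: the one thing worth checking first in a setup like this is whether the file named in smtpd_tls_cert_file carries the intermediate CA (the "R10" entry the checker shows) or only the leaf certificate. The post points smtpd_tls_cert_file at cert.pem while a fullchain.pem sits beside it; a leaf-only file means the client has no way to build a path to a trusted root, which is what "Unknown Authority" at the checker and a client-sent "bad certificate" alert (number 42) in the smtpd log look like. The script below counts the certificates in a PEM file and classifies it, then includes two live checks (postconf and openssl s_client) that are defined but not run here. The sample PEM files are constructed stand-ins with dummy bodies; the only real paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): does the certificate file Postfix
# serves contain the intermediate CA, or only the leaf?
# A leaf-only file is what leaves verifying clients unable to reach a root:
# "Unknown Authority" at the client side, and in the smtpd log the client's
# alert "sslv3 alert bad certificate ... SSL alert number 42".
# Assumptions: the sample PEM files are constructed with dummy bodies; the real
# files are the cert.pem / fullchain.pem symlinks quoted in the post.

set -u

# Number of certificates in a PEM file (0 if the file is missing/unreadable).
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Classify the file configured in smtpd_tls_cert_file.
#   exit 0: leaf plus at least one intermediate (the full chain is served)
#   exit 1: leaf only, the intermediate is never sent to clients
#   exit 2: no certificate found at all
chain_status() {
    n=$(pem_cert_count "$1")
    if [ "$n" -ge 2 ]; then
        echo "$1: $n certificates, chain is served"
        return 0
    elif [ "$n" -eq 1 ]; then
        echo "$1: leaf only; point smtpd_tls_cert_file at fullchain.pem instead"
        return 1
    else
        echo "$1: no certificate found"
        return 2
    fi
}

# Live checks against a real host (defined only; they need the network,
# postconf and openssl). How many certificates does smtpd actually send
# after STARTTLS on port 25?
served_cert_count() {
    openssl s_client -starttls smtp -connect "$1:25" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}
# Resolve the path Postfix is configured with and classify it.
check_postfix_cert_file() {
    chain_status "$(postconf -h smtpd_tls_cert_file)"
}

# --- constructed sample input standing in for the Let's Encrypt files ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LEAF="$SAMPLE_DIR/cert.pem"         # leaf only, like cert23.pem
SAMPLE_FULL="$SAMPLE_DIR/fullchain.pem"    # leaf + intermediate, like fullchain23.pem
fake_cert() {
    printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"
}
fake_cert "MIIFAKELEAF" > "$SAMPLE_LEAF"
{ fake_cert "MIIFAKELEAF"; fake_cert "MIIFAKER10"; } > "$SAMPLE_FULL"

chain_status "$SAMPLE_LEAF" || true   # leaf only -> exit 1
chain_status "$SAMPLE_FULL"           # full chain -> exit 0
```

On the real box, `check_postfix_cert_file` reads the path straight from postconf, and `served_cert_count rollcage13.aboc.net.au` shows what the daemon sends on the wire (2 or more means the intermediate is there). If the served count is 1, switching smtpd_tls_cert_file to fullchain.pem (same directory, same private key) is the usual fix; Postfix accepts the leaf followed by its chain in that one file.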
