There’s only one certificate in your chain, you need to send the intermediate cert as well.

The cert you’re signing with isn’t trusted by browsers.

Certificate chain
 0 s:CN = rollcage13.aboc.net.au
   i:C = US, O = Let's Encrypt, CN = R10

Arguably, this is even worse than being self-signed.

Compared with my sendmail (stop laughing) server:

Certificate chain
 0 s:CN = prime.gushi.org
   i:C = US, O = Let's Encrypt, CN = E5
 1 s:C = US, O = Let's Encrypt, CN = E5
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

I believe if you just point postfix at your cert chain, it will do the right thing as long as the certs are in the correct order.

-Dan

> On May 8, 2025, at 15:34, Carl Brewer via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> Hi,
>
> I've been running postscript on a FreeBSD 13.x server with Letsencrypt
> running as a cron job to keep SSL certs up to date automagically :
>
> in main.cf :
>
> smtpd_tls_security_level = may
> smtpd_tls_cert_file =
> /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/cert.pem
> smtpd_tls_key_file =
> /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem
>
> As best I can tell, this has worked for a number of years without issue.
>
> I've noticed this error of late :
>
> May 9 08:15:44 rollcage13 postfix/smtpd[88039]: warning: TLS library
> problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
> certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert
> number 42:
>
> And some mail isn't making it through - I guess it's possible that the above
> config never worked and I didn't notice, but I suspect this is a new thing.
>
> When I check the SSL config using the ssl-tools.net checks, I'm seeing
> "Unknown Authority" as the error, but also seeing a cert that looks ok :
>
> From : https://ssl-tools.net/mailservers/rollcage13.aboc.net.au
>
> Certificates
> First seen at: a day ago
> CN=rollcage13.aboc.net.au
> Certificate chain
>
> rollcage13.aboc.net.au
> 40 days remaining
> 2048 bit
> sha256WithRSAEncryption
> Unknown Authority
> R10
>
> Subject
> Common Name (CN)
>
> rollcage13.aboc.net.au
>
> Alternative Names
>
> rollcage13.aboc.net.au
>
> Apart from the "Unknown Authority" it looks fine.
>
> Permissions in the cert directory are all ok, or at least, all the same, so
> if it can read one bit it can read them all :
>
> rollcage13:/usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au # ls -la
> total 16
> drwxr-xr-x  2 root  wheel       7 Mar 18 05:08 .
> drwxr-s---  3 root  readcirts   4 Sep 19  2021 ..
> -rw-r--r--  1 root  wheel     692 Sep 19  2021 README
> lrwxr-xr-x  1 root  wheel      47 Mar 18 05:08 cert.pem -> ../../archive/rollcage13.aboc.net.au/cert23.pem
> lrwxr-xr-x  1 root  wheel      48 Mar 18 05:08 chain.pem -> ../../archive/rollcage13.aboc.net.au/chain23.pem
> lrwxr-xr-x  1 root  wheel      52 Mar 18 05:08 fullchain.pem -> ../../archive/rollcage13.aboc.net.au/fullchain23.pem
> lrwxr-xr-x  1 root  wheel      50 Mar 18 05:08 privkey.pem -> ../../archive/rollcage13.aboc.net.au/privkey23.pem
>
> any suggestions, I'm no wizz when it comes to SSL setups, and am pretty rusty
> here.
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
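The point of the reply above is that a TLS server has to send the intermediate certificate along with its own, in leaf-first order, or remote clients see exactly the "Unknown Authority" that ssl-tools.net reported. The script below is an added example, not code from the thread, from Postfix or from certbot. It uses the openssl CLI to build a throwaway root, intermediate and leaf (all names are constructed: "Example Test Root", "mail.example.test"), writes a leaf-only bundle (the shape of certbot's cert.pem) and a full bundle (the shape of fullchain.pem), and then checks each bundle two ways: `chain_ok` confirms that every certificate is followed by its issuer, which is the order a TLS server sends the file in, and `verify_leaf` performs the trust check a client would do with only the certificates the server provided.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, Postfix or certbot.
# Builds a constructed root -> intermediate -> leaf chain and checks PEM
# bundles the way a verifying SMTP client would see them.

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# chain_ok FILE: succeeds when FILE holds at least two certificates and each
# certificate's issuer is the subject of the one that follows it, i.e. the
# server cert first, then its intermediate, and so on towards the root.
chain_ok() {
    bundle=$1
    n=$(count_certs "$bundle")
    [ "$n" -ge 2 ] || return 1
    # Wrapping the bundle in a PKCS#7 blob makes openssl print every cert's
    # subject and issuer, in file order, as "subject=..." / "issuer=..." lines.
    names=$(openssl crl2pkcs7 -nocrl -certfile "$bundle" 2>/dev/null \
            | openssl pkcs7 -print_certs -noout 2>/dev/null) || return 1
    subjects=$(printf '%s\n' "$names" | sed -n 's/^subject=//p')
    issuers=$(printf '%s\n' "$names" | sed -n 's/^issuer=//p')
    i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(printf '%s\n' "$issuers" | sed -n "${i}p")
        nxt=$(printf '%s\n' "$subjects" | sed -n "$((i + 1))p")
        [ -n "$iss" ] && [ "$iss" = "$nxt" ] || return 1
        i=$((i + 1))
    done
    return 0
}

# verify_leaf ROOT BUNDLE LEAF: succeeds when LEAF chains up to ROOT using
# only the extra certificates found in BUNDLE, which is all a remote client
# has to work with when it receives the server's certificate message.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# make_chain DIR: generate the constructed test chain and the three bundles.
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    # Root: self-signed, CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    # Intermediate: signed by the root, also CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Leaf: the server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
    cp "$dir/leaf.pem" "$dir/cert.pem"                            # leaf only
    cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/fullchain.pem"   # leaf, then issuer
    cat "$dir/inter.pem" "$dir/leaf.pem" > "$dir/wrongorder.pem"  # same certs, reversed
}

main() {
    d=$(mktemp -d) || exit 1
    make_chain "$d"
    for f in cert.pem fullchain.pem wrongorder.pem; do
        if chain_ok "$d/$f"; then order="order OK"; else order="incomplete or misordered"; fi
        if verify_leaf "$d/root.pem" "$d/$f" "$d/leaf.pem"; then v="verifies"; else v="unknown authority"; fi
        printf '%-14s %s cert(s): %s; client trust check: %s\n' \
            "$f" "$(count_certs "$d/$f")" "$order" "$v"
    done
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    main
fi
```

With certbot's directory layout, the file that contains both the server certificate and the intermediate is fullchain.pem, so the fix for the configuration quoted above is to point smtpd_tls_cert_file at fullchain.pem rather than cert.pem (Postfix reads the extra certificates from the same file). Note the difference between the two checks: `openssl verify -untrusted` accepts the intermediate in any position, so wrongorder.pem still verifies, while `chain_ok` insists on leaf-first because the server transmits the file contents as-is and not every client will reorder them. After a change, `openssl s_client -starttls smtp -connect yourhost:25 -showcerts` should show a "Certificate chain" with two entries, as in the sendmail output in the reply.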