On 2025-05-13 at 11:36:09 UTC-0400 (Wed, 14 May 2025 01:36:09 +1000)
Matthew J Black via Postfix-users <matt...@peregrineit.net>
is rumored to have said:
Cool - that's what I get
But what do you get with 'openssl s_client -starttls smtp -connect mail.peregrineit.net:587' - cause I get :
depth=0 CN=peregrineit.net
verify error:num=10:certificate has expired
notAfter=Apr 10 07:36:42 2025 GMT
I see a bad certificate chain:
$ openssl s_client -starttls smtp -connect mail.peregrineit.net:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E6
verify return:1
depth=0 CN = peregrineit.net
verify error:num=10:certificate has expired
notAfter=Apr 10 07:36:42 2025 GMT
verify return:1
depth=0 CN = peregrineit.net
notAfter=Apr 10 07:36:42 2025 GMT
verify return:1
Review your smtpd_tls_*file settings. The simplest setup is to have the
full chain in a single file referred to by smtpd_tls_cert_file and NO
smtpd_tls_chain_file. Cert order is your server cert first, then the
intermediate cert that issued it. Do not include any self-signed 'root'
certificate.
If you also have an ECC cert, set it up the same way in
smtpd_tls_eccert_file.
On 14/5/25 01:20, Viktor Dukhovni via Postfix-users wrote:
On Tue, May 13, 2025 at 05:07:04PM +0200, Matus UHLAR - fantomas via
Postfix-users wrote:
any reverse proxy between you and server?
no multiple postfix instances used?
Let's not encourage further pointless waste of time.
The OP needs to post:
$ postconf -nf
$ postconf -Mf
and some evidence that outdated certificates are vended that differ from
what's believed to be configured. I see:
$ posttls-finger -cC "[mail.peregrineit.net]:587" | openssl x509 -noout -subject -dates
subject=CN=peregrineit.net
notBefore=Apr 4 05:28:03 2025 GMT
notAfter=Jul 3 05:28:02 2025 GMT
$ posttls-finger -cC "[mail.peregrineit.net]:25" | openssl x509 -noout -subject -dates
subject=CN=peregrineit.net
notBefore=Apr 4 05:28:03 2025 GMT
notAfter=Jul 3 05:28:02 2025 GMT
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
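
The file layout recommended in the reply above (server certificate first, then the intermediate that issued it, no self-signed root), as an added example that is not part of the original thread: a bash function that checks a PEM bundle for that order and for expired certificates. The function names and the throwaway demo chain are assumptions made for illustration; issuer and subject are matched by name hash only, without verifying signatures.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that a PEM bundle intended for
# smtpd_tls_cert_file is ordered server cert first, then its issuer(s), with no
# self-signed root. Names are compared by hash only; signatures are not verified.
# Usage after sourcing: check_chain <bundle.pem>   (function names are hypothetical)

check_chain() {
    local bundle=$1 tmp n=0 i=1 rc=0 f s is nxt
    tmp=$(mktemp -d) || return 2
    # Split the bundle into $tmp/1.pem, $tmp/2.pem, ... (keys and other blocks are skipped)
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
                     p { print > (d "/" n ".pem") }
                     /-----END CERTIFICATE-----/ { p = 0 }' "$bundle"
    while [ -f "$tmp/$((n + 1)).pem" ]; do n=$((n + 1)); done
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle"; rm -rf "$tmp"; return 2; }
    while [ "$i" -le "$n" ]; do
        f="$tmp/$i.pem"
        s=$(openssl x509 -in "$f" -noout -subject_hash)
        is=$(openssl x509 -in "$f" -noout -issuer_hash)
        echo "[$i] $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || { echo "    expired"; rc=1; }
        if [ "$i" -gt 1 ] && [ "$s" = "$is" ]; then
            echo "    self-signed root included; remove it"; rc=1
        fi
        if [ "$i" -lt "$n" ]; then
            nxt=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash)
            [ "$is" = "$nxt" ] || { echo "    next cert is not this cert's issuer"; rc=1; }
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed throwaway chain (root -> intermediate -> leaf) written to directory $1.
make_demo_chain() {
    local d=$1 c
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for c in int leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$c" \
            -keyout "$d/$c.key" -out "$d/$c.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/int.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}
```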