Dear Postfix users,
First, I am sorry for probably bringing up a topic which has probably
been discussed to death on this list, like [1], and which in the end was
probably a user error. I’ll try to provide the information requested in
[1]. Thank you for your patience and help in advance.
The goal is to set up secure server certificate verification [2] for
messages sent to the domain gwdg.de [3]. But when doing that, the test
message was deferred because the certificate couldn’t be verified.
Debian 9 (Stretch/stable) has the package `postfix` in version 3.1.4-7.
```
$ sudo postconf mail_version
mail_version = 3.1.4
$ sudo postconf smtp_tls_CAfile
smtp_tls_CAfile =
$ sudo postconf smtp_tls_CAfilesmtp_tls_CApath
postconf: warning: smtp_tls_CAfilesmtp_tls_CApath: unknown parameter
$ sudo postconf smtp_tls_CApath
smtp_tls_CApath = /etc/ssl/certs/
```
Verify with `posttls-finger`.
```
$ sudo posttls-finger -t30 -T180 -c -L verbose,summary gwdg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=2 verify=0 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=1 verify=1 subject=/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=DFN-Verein/OU=Geschaeftsstelle/CN=mfilter-123-3-1.mx.srv.dfn.de
posttls-finger: certificate verification failed for mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: subject_CN=mfilter-123-3-1.mx.srv.dfn.de, issuer_CN=DFN-Verein-GS-CA - G02, fingerprint=F8:EC:1C:72:36:5B:40:E4:F0:B4:23:8C:9E:C5:E4:7B:C3:54:85:70, pkey_fingerprint=19:CA:96:64:83:C8:90:34:B6:15:31:EF:C0:8F:26:41:99:80:17:65
posttls-finger: Untrusted TLS connection established to mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
```
So judging from “untrusted issuer”, I assume the root certificate is
missing. Use `openssl`.
```
$ echo "" | openssl s_client -connect mfilter-123-3-1.mx.srv.dfn.de:25 -starttls smtp -showcerts
[…]
CONNECTED(00000003)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
verify return:1
depth=2 C = DE, O = DFN-Verein, OU = DFN-PKI, CN = DFN-Verein PCA Global - G01
verify return:1
depth=1 C = DE, O = DFN-Verein, OU = Geschaeftsstelle, CN = DFN-Verein-GS-CA - G02
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = DFN-Verein, OU = Geschaeftsstelle, CN = mfilter-123-3-1.mx.srv.dfn.de
verify return:1
[…]
Verify return code: 0 (ok)
[…]
```
Save the certificate *C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01* in `issuer.pem` (attached), and verify it.
```
$ openssl verify -CApath /etc/ssl/certs -purpose crlsign issuer.pem
issuer.pem: OK
```
The server certificate also contains the correct name, right?
```
CN=mfilter-123-3-1.mx.srv.dfn.de
```
So it’s not a problem with matching the server certificate peername [4],
is it?
Kind regards,
Paul
[1] http://postfix.1071664.n5.nabble.com/TLS-Encryption-and-Verification-issue-td72677.html "TLS Encryption and Verification issue"
[2] http://www.postfix.org/TLS_README.html#client_tls_secure
[3] https://ssl-tools.net/mailservers/gwdg.de
[4] http://www.postfix.org/postconf.5.html#smtp_tls_verify_cert_match
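As an added example (not part of Paul's mail, and not Postfix's own code), a small Python parser for the verbose `posttls-finger` output above: it groups the `depth=N verify=V` lines per peer, picks out the "untrusted issuer" DN, and reports which trust anchor the client-side store lacks, which is the diagnosis one otherwise does by hand. The sample lines are constructed from the post's output with the mail wrapping removed; `mx.example.invalid` is a made-up verified peer added for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the post's posttls-finger lines with mail wrapping removed,
# plus one made-up verified peer (mx.example.invalid) for contrast.
SAMPLE_LOG = """\
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=2 verify=0 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=1 verify=1 subject=/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=DFN-Verein/OU=Geschaeftsstelle/CN=mfilter-123-3-1.mx.srv.dfn.de
posttls-finger: certificate verification failed for mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: Untrusted TLS connection established to mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: Verified TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

PEER = r"(?P<peer>\S+\[[^\]]+\]:\d+)"
CHAIN_RE = re.compile(PEER + r": depth=(?P<depth>\d+) verify=(?P<ok>[01]) subject=(?P<subject>.+)$")
FAIL_RE = re.compile(r"certificate verification failed for " + PEER + r": (?P<reason>.+)$")
DONE_RE = re.compile(r"(?P<status>Verified|Trusted|Untrusted|Anonymous) TLS connection established to " + PEER)

@dataclass
class PeerTls:
    chain: dict = field(default_factory=dict)  # depth -> (preverify ok?, subject DN)
    failure: str = None  # reason text from "certificate verification failed"
    status: str = None   # Verified / Trusted / Untrusted / Anonymous

def parse_tls_log(text):
    """Group posttls-finger / smtp(8) verbose TLS lines by peer (host[ip]:port)."""
    peers = {}
    for line in text.splitlines():
        for rx in (CHAIN_RE, FAIL_RE, DONE_RE):
            m = rx.search(line)
            if not m:
                continue
            p = peers.setdefault(m["peer"], PeerTls())
            if rx is CHAIN_RE:
                p.chain[int(m["depth"])] = (m["ok"] == "1", m["subject"])
            elif rx is FAIL_RE:
                p.failure = m["reason"]
            else:
                p.status = m["status"]
            break
    return peers

def diagnose(p):
    """Verdict per peer: 'ok', or the issuer DN that smtp_tls_CApath/CAfile must supply.
    The server only sends certs down to max(p.chain); anything above must be local."""
    if p.status in ("Verified", "Trusted"):
        return "ok"
    if p.failure and p.failure.startswith("untrusted issuer "):
        return "missing trust anchor: %s (deepest cert sent: depth %d)" % (p.failure[17:], max(p.chain, default=-1))
    return "not verified: %s" % (p.failure or p.status)
```

The same regexes apply to `smtp(8)` log lines from a production queue when `smtp_tls_loglevel = 2`, so the parser can be pointed at the mail log to find every destination whose chain stops at an issuer the local store does not hold.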