On Thu, Jan 24, 2019 at 11:34:39PM -0700, phoenixsagar wrote:

> Issue : postfix is marking unexpired certificates as expired randomly for
> these certificate chains.

Postfix does not contain any code for verifying certificate expiration; that's done by OpenSSL. OpenSSL has no history of the problem you're reporting, and it would surely have been seen by now in many other deployments if OpenSSL contained flawed certificate expiration checks. Therefore, if OpenSSL (via Postfix) is reporting that a certificate is expired, then either you have hardware glitches that cause the system to report incorrect clock values, or the certificate is expired.

> Depth : As the log suggests CA certificate verification failed, then we can
> clearly say the certificate in concern is the second certificate.

No, we'd need to see the peer's chain to make that conclusion. If you want to pursue this further, you'll need to instrument your Postfix code to log detailed certificate metadata, and/or capture and provide a PCAP file that demonstrably corresponds to a connection for which OpenSSL (via Postfix) reported an expired certificate.

-- 
	Viktor.