Thanks for the tips :)

I'm running the following command, which shows the content of the
expired certificate, but I'm going crazy trying to find the certificate even
when I have the content of it. For sure it's not in /etc, I've checked
with:

egrep -Ri MIIIpTCCB42gAwIBAgISBNq8AcDQ9eonDq3bUFDfFOmYMA0GCSqGSIb3DQEBCwUA /etc/

openssl s_client -starttls smtp -showcerts -connect we.webeloping.es:587 -servername we.webeloping.es
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = webeloping.es
verify error:num=10:certificate has expired
notAfter=Jan  2 21:47:07 2021 GMT
verify return:1
depth=0 CN = webeloping.es
notAfter=Jan  2 21:47:07 2021 GMT
verify return:1
---
Certificate chain
 0 s:CN = webeloping.es
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = webeloping.es

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4165 bytes and written 428 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D3BC53BE05BBC3F13FB4D103E67376852150BB14208E91A07A6FC4ACA3713AA9
    Session-ID-ctx:
    Resumption PSK:
F44983AC9CE6BC47A8FC49E1239CC9F84AEDC85E4B9A5583954EC3AEC207716366B615F5D060F1A3FF5501B7F290BE51
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 1d a3 6c 8f c4 0b 29 2a-04 de 32 c1 6d e5 ac d0   ..l...)*..2.m...
    0010 - 95 cb 32 34 02 12 2e 7a-f9 4f 2f 96 df ec 11 b3   ..24...z.O/.....
    0020 - bd d7 13 54 98 b5 2e bd-34 37 e6 cc aa 1f 4e e7   ...T....47....N.
    0030 - 3d 49 47 79 81 f4 f3 b1-08 64 bb 4e 21 aa a4 e3   =IGy.....d.N!...
    0040 - e4 83 f6 39 c9 47 50 61-9f ed ca b5 87 0d fa af   ...9.GPa........
    0050 - 91 75 a5 30 99 f1 9c 38-ad 07 b5 ee a6 06 e8 fa   .u.0...8........
    0060 - 40 50 8c e6 64 9f c7 5c-01 82 dc 58 ae 4f 09 68   @P..d..\...X.O.h
    0070 - ac 3a f3 a4 c1 94 35 d7-6b 5f 62 51 8a 82 c1 c3   .:....5.k_bQ....
    0080 - 7b d4 ec 1c e8 07 cb 32-2a 48 4a 63 99 ed 46 94   {......2*HJc..F.
    0090 - 14 8f 69 19 73 bd a8 21-1a 84 8f 5f 08 57 9d 14   ..i.s..!..._.W..
    00a0 - 6b 8e 63 78 e7 20 41 82-fd 56 f9 06 bf ca 42 e7   k.cx. A..V....B.
    00b0 - e5 ac 9a ea 35 42 a9 f5-32 d4 28 df 17 5a df 19   ....5B..2.(..Z..
    00c0 - 08 b2 a6 72 1f 84 4d 4d-d8 88 75 68 0b cc 46 b3   ...r..MM..uh..F.
    00d0 - e7 fe 89 64 e5 c7 9f 1e-cb 93 cb 6d 31 b6 6d b1   ...d.......m1.m.

    Start Time: 1611269792
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

On Thu, Jan 21, 2021 at 11:44 PM Viktor Dukhovni
<postfix-us...@dukhovni.org> wrote:
>
> On Thu, Jan 21, 2021 at 11:19:13PM +0100, Pau Peris wrote:
>
> > Does someone know how I can make postfix show the absolute path for the
> > TLS certificate used?
>
> There is no such feature.  But if you're not using SNI, the certificate
> chain is the same for all clients, and you can just connect to your
> server and see the dates on the returned chain with:
>
>     $ posttls-finger -lsecure -cC "[smtp.server.example]" |
>           openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>           openssl pkcs7 -print_certs -text -noout |
>           egrep -A4 'Issuer:'
>
> If you are using SNI, you can repeat the above for each supported
> SNI name:
>
>     $ posttls-finger -s "smtp.server2.example" ...
>
> Or, if you know which SNI name this particular client was likely
> using, just use the same one.
>
> > Postfix config file seems fine but obviously there's some kind of
> > mistake on my side, so I would like to make the following error more
> > verbose or be able to find the certificate in use.
> >
> > postfix/smtpd[3733]: warning: TLS library problem: error:14094415:SSL
> > routines:ssl3_read_bytes:sslv3 alert certificate
> > expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
>
> It is also possible that the expired certificate is on the client
> side in its own trust store.
>
> --
>     Viktor.

-- 
Pau
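An added example for the problem discussed in this thread (it is not code from either poster, nor from Postfix): locating the served certificate on disk and reading its notAfter. Grepping /etc for one base64 line, as above, misses a copy that is stored in a bundle or wrapped at a different width; matching by SHA-256 fingerprint does not. It assumes the openssl CLI and a POSIX shell; every host name and path below is constructed.

```shell
#!/bin/sh
# Added example for this thread, not from the original posts or from Postfix.
# Assumes the openssl CLI and a POSIX shell; every path below is constructed.
# Idea: instead of grepping /etc for one base64 line of the served certificate
# (which misses copies stored in a bundle or wrapped at another width), match
# certificates on disk by SHA-256 fingerprint, and print notAfter while at it.

# SHA-256 fingerprint of one PEM certificate read from stdin, e.g. "AB:CD:...".
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter of one PEM certificate read from stdin, e.g. "Jan  2 21:47:07 2021 GMT".
pem_not_after() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Split every certificate in FILE ($1) into OUTDIR/cert-N.pem ($2), so
# bundles and chain files can be inspected one certificate at a time.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; p = 1 }
        p { print > out }
        /-----END CERTIFICATE-----/   { p = 0; close(out) }
    ' "$1"
}

# One line per certificate in FILE: subject, notAfter, fingerprint (tab separated).
report_bundle() {
    tmp=$(mktemp -d) || return 1
    split_pem_bundle "$1" "$tmp"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        printf '%s\t%s\t%s\n' \
            "$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')" \
            "$(pem_not_after < "$c")" "$(pem_fingerprint < "$c")"
    done
    rm -rf "$tmp"
}

# Print every file under DIR ($1) holding a certificate whose fingerprint is FP ($2).
find_cert_by_fingerprint() {
    dir="$1"; want="$2"
    tmp=$(mktemp -d) || return 1
    # Cheap pre-filter: only files that contain a PEM certificate marker.
    find "$dir" -type f -exec grep -l -- '-----BEGIN CERTIFICATE-----' {} + 2>/dev/null |
    while IFS= read -r f; do
        rm -f "$tmp"/cert-*.pem
        split_pem_bundle "$f" "$tmp"
        for c in "$tmp"/cert-*.pem; do
            [ -f "$c" ] || continue
            if [ "$(pem_fingerprint < "$c" 2>/dev/null)" = "$want" ]; then
                printf '%s\n' "$f"
                break
            fi
        done
    done
    rm -rf "$tmp"
}

# Save the chain a live SMTP server presents on STARTTLS (port 587) to OUTFILE,
# optionally for a given SNI name, so the helpers above can inspect it offline.
# Needs network access; not exercised by the offline checks.
fetch_smtp_chain() {
    host="$1"; out="$2"; sni="${3:-$1}"
    openssl s_client -starttls smtp -showcerts -connect "$host:587" -servername "$sni" \
        </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
}

# Usage (constructed host and paths):
#   fetch_smtp_chain mail.example.test /tmp/served.pem
#   report_bundle /tmp/served.pem          # subject, notAfter, fingerprint per cert
#   find_cert_by_fingerprint /etc "$(pem_fingerprint < /tmp/served.pem)"
```

Postfix loads its chain from the files named by smtpd_tls_cert_file (or smtpd_tls_chain_files, and per-SNI-name files through tls_server_sni_maps), so comparing the served fingerprint against those paths from `postconf -n` settles which file is actually in use; if no file on the host matches, the expired certificate is being presented by something in front of Postfix or, as Viktor notes, is sitting in the client's own trust store.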