Hi, thanks a lot for the answers. The system has been running fine for years; some months ago I implemented SNI and created a new certificate for webeloping.es and let the old one expire. Obviously I updated the Postfix config files accordingly, but it looks like I made some mistake.

The problem is I'm not able to find the expired certificate Postfix is using. My guess is the expired certificate does not exist in the file system; I don't know if Postfix may have it stored in some kind of cache. BTW, certificates are renewed by a crontab script which has been running fine for quite some years. The problem is an expired certificate remains in some Postfix config file or in some cache. I wanted to find the expired certificate by its contents, so once I knew the path I would have tried to find which config file has the path text in it.

That's the config I used before SNI:

#smtpd_tls_cert_file = /etc/letsencrypt/live/webeloping.es/fullchain.pem
#smtpd_tls_key_file = /etc/letsencrypt/live/webeloping.es/privkey.pem
#smtp_tls_cert_file = $smtpd_tls_cert_file
#smtp_tls_key_file = $smtpd_tls_key_file

That's the one I use now:

smtpd_tls_chain_files = /etc/letsencrypt/live/webeloping.es/privkey.pem, /etc/letsencrypt/live/webeloping.es/fullchain.pem
smtp_tls_chain_files = $smtpd_tls_chain_files
tls_server_sni_maps = hash:/etc/postfix/tls_server_sni_maps.map
smtpd_tls_CAfile = /etc/letsencrypt/live/webeloping.es/chain.pem
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = $smtpd_tls_CApath
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

cat /etc/postfix/tls_server_sni_maps.map
webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem /etc/letsencrypt/live/webeloping.es/fullchain.pem
we.webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem /etc/letsencrypt/live/webeloping.es/fullchain.pem
mail.webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem /etc/letsencrypt/live/webeloping.es/fullchain.pem
smtp.webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem /etc/letsencrypt/live/webeloping.es/fullchain.pem

On Fri, Jan 22, 2021 at 12:15 AM Theodore Knab <t...@annapolislinux.org> wrote:
>
> Hey,
>
> I think Let's Encrypt SSL certificates expire every three to four months by
> default.
>
> I recently started using Let's Encrypt's certbot for Postfix TLS.
>
> Yours appears to have expired on Jan 2, 2021.
>
> verify error:num=10:certificate has expired
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1
> depth=0 CN = webeloping.es
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1
>
> You probably just need to run a renewal.
> This should be set up as a cronjob.
>
> Like this:
> https://techmonger.github.io/49/certbot-auto-renew/
>
> Here is the official documentation on certbot if you need it.
> https://certbot.eff.org/docs/
>
> Hope this points you in the right direction.
>
> Cheers.
>
> Theodore Knab
> Annapolis Linux Users Group
>
> On 22/01/21 00:00 +0100, Pau Peris wrote:
> > Thanks for the tips :)
> >
> > I'm running the following command which shows the content of the
> > expired certificate but I'm getting crazy finding the certificate even
> > when I have the content of it.
> > For sure it's not in /etc, I've checked with
> > egrep -Ri MIIIpTCCB42gAwIBAgISBNq8AcDQ9eonDq3bUFDfFOmYMA0GCSqGSIb3DQEBCwUA /etc/
> >
> > openssl s_client -starttls smtp -showcerts -connect we.webeloping.es:587 -servername we.webeloping.es
> > CONNECTED(00000003)
> > depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> > verify return:1
> > depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> > verify return:1
> > depth=0 CN = webeloping.es
> > verify error:num=10:certificate has expired
> > notAfter=Jan 2 21:47:07 2021 GMT
> > verify return:1
> > depth=0 CN = webeloping.es
> > notAfter=Jan 2 21:47:07 2021 GMT
> > verify return:1
> > ---
> > Certificate chain
> >  0 s:CN = webeloping.es
> >    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> >  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> >    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> > ---
> > Server certificate
> > subject=CN = webeloping.es
> >
> > issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> >
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA256
> > Peer signature type: RSA-PSS
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 4165 bytes and written 428 bytes
> > Verification error: certificate has expired
> > ---
> > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> > Server public key is 2048 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 10 (certificate has expired)
> > ---
> > 250 CHUNKING
> > ---
> > Post-Handshake New Session Ticket arrived:
> > SSL-Session:
> >     Protocol  : TLSv1.3
> >     Cipher    : TLS_AES_256_GCM_SHA384
> >     Session-ID: D3BC53BE05BBC3F13FB4D103E67376852150BB14208E91A07A6FC4ACA3713AA9
> >     Session-ID-ctx:
> >     Resumption PSK: F44983AC9CE6BC47A8FC49E1239CC9F84AEDC85E4B9A5583954EC3AEC207716366B615F5D060F1A3FF5501B7F290BE51
> >     PSK identity: None
> >     PSK identity hint: None
> >     SRP username: None
> >     TLS session ticket lifetime hint: 7200 (seconds)
> >     TLS session ticket:
> >
> >     Start Time: 1611269792
> >     Timeout   : 7200 (sec)
> >     Verify return code: 10 (certificate has expired)
> >     Extended master secret: no
> >     Max Early Data: 0
> > ---
> > read R BLOCK
> >
> > On Thu, Jan 21, 2021 at 11:44 PM Viktor Dukhovni
> > <postfix-us...@dukhovni.org> wrote:
> > >
> > > On Thu, Jan 21, 2021 at 11:19:13PM +0100, Pau Peris wrote:
> > >
> > > > Does someone know how I can make postfix show the absolute path for the
> > > > TLS certificate used?
> > >
> > > There is no such feature. But if you're not using SNI, the certificate
> > > chain is the same for all clients, and you can just connect to your
> > > server and see the dates on the returned chain with:
> > >
> > >     $ posttls-finger -lsecure -cC "[smtp.server.example]" |
> > >         openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> > >         openssl pkcs7 -print_certs -text -noout |
> > >         egrep -A4 'Issuer:'
> > >
> > > If you are using SNI, you can repeat the above for each supported
> > > SNI name:
> > >
> > >     $ posttls-finger -s "smtp.server2.example" ...
> > >
> > > Or, if you know which SNI name this particular client was likely
> > > using, just use the same one.
> > >
> > > > Postfix config file seems fine but obviously there's some kind of
> > > > mistake on my side, so I would like to make the following error more
> > > > verbose or be able to find the certificate in use.
> > > >
> > > > postfix/smtpd[3733]: warning: TLS library problem: error:14094415:SSL
> > > > routines:ssl3_read_bytes:sslv3 alert certificate
> > > > expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
> > >
> > > It is also possible that the expired certificate is on the client
> > > side in its own trust store.
> > >
> > > --
> > >     Viktor.
> >
> > --
> > Pau

--
Pau
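An added example (not code from the thread, and not Postfix's own tooling) that automates the comparison Viktor's posttls-finger recipe leaves to the eye: it parses a tls_server_sni_maps source file laid out like the one posted above, fingerprints the leaf certificate in each entry's chain file, and compares it with the leaf captured from `openssl s_client -showcerts -servername <name>` for that SNI name. The map text, the on-disk file contents and the captured output are constructed stand-ins, and the hypothetical read_file argument takes the place of opening files on the host.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_sni_map(text):
    """tls_server_sni_maps source: 'name keyfile[,] chainfile'; '#' lines skipped."""
    entries = {}
    for line in text.splitlines():
        name, rest = (line.split(None, 1) + ["", ""])[:2]
        if not name or name.startswith("#"):
            continue
        entries[name] = [p for p in re.split(r"[,\s]+", rest) if p]
    return entries

def leaf_fingerprint(pem_text):
    """SHA-256 of the first cert's DER (the leaf in fullchain.pem and in s_client output); None if absent."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def compare_served(sni_map, served_pem_by_name, read_file):
    """Per SNI name, compare the served leaf with the leaf in the entry's last file (the chain)."""
    report = {}
    for name, paths in sni_map.items():
        disk_fp = leaf_fingerprint(read_file(paths[-1]))
        served_fp = leaf_fingerprint(served_pem_by_name.get(name, ""))
        if served_fp is None:
            report[name] = "not captured"
        elif served_fp == disk_fp:
            report[name] = "serving the file named in the map"
        else:
            report[name] = "serving a different certificate"
    return report

def fake_pem(tag):
    """Constructed stand-in for a certificate: base64 of a tag, not real DER."""
    body = base64.b64encode(tag).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_MAP = ("webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem, /etc/letsencrypt/live/webeloping.es/fullchain.pem\n"
              "we.webeloping.es /etc/letsencrypt/live/webeloping.es/privkey.pem /etc/letsencrypt/live/webeloping.es/fullchain.pem\n")
DISK = {"/etc/letsencrypt/live/webeloping.es/fullchain.pem": fake_pem(b"renewed")}  # constructed disk contents
SERVED = {"webeloping.es": fake_pem(b"renewed"),                       # constructed capture, matches disk
          "we.webeloping.es": fake_pem(b"expired") + fake_pem(b"ca")}  # constructed capture, stale leaf
```

On a real host, pass the text of each s_client capture keyed by SNI name and `lambda p: open(p).read()` as read_file. A "serving a different certificate" result means the running smtpd presents something other than the file the map names for that SNI name, which narrows the search to the map's postmap'd copy and the processes that have not yet picked up a `postfix reload`.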