Hey, I think Let's Encrypt SSL certificates expire every three to four months by default.
I recently started using Let's Encrypt's certbot for Postfix TLS. Yours appears to have expired on Jan 2, 2021.

> verify error:num=10:certificate has expired
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1
> depth=0 CN = webeloping.es
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1

You probably just need to run a renewal. This should be set up as a cron job. Like this:
https://techmonger.github.io/49/certbot-auto-renew/

Here is the official documentation on certbot if you need it.
https://certbot.eff.org/docs/

Hope this points you in the right direction.

Cheers.
Theodore Knab
Annapolis Linux Users Group

On 22/01/21 00:00 +0100, Pau Peris wrote:
> Thanks for the tips :)
>
> I'm running the following command which shows the content of the
> expired certificate but I'm getting crazy finding the certificate even
> when I have the content of it. For sure it's not in /etc, I've checked
> with egrep -Ri
> MIIIpTCCB42gAwIBAgISBNq8AcDQ9eonDq3bUFDfFOmYMA0GCSqGSIb3DQEBCwUA
> /etc/
>
> openssl s_client -starttls smtp -showcerts -connect
> we.webeloping.es:587 -servername we.webeloping.es
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = webeloping.es
> verify error:num=10:certificate has expired
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1
> depth=0 CN = webeloping.es
> notAfter=Jan 2 21:47:07 2021 GMT
> verify return:1
> ---
> Certificate chain
> 0 s:CN = webeloping.es
> i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> [PEM body omitted]
> -----END CERTIFICATE-----
> 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> i:O = Digital Signature Trust Co., CN = DST Root CA X3
> -----BEGIN CERTIFICATE-----
> [PEM body omitted]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=CN = webeloping.es
>
> issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 4165 bytes and written 428 bytes
> Verification error: certificate has expired
> ---
> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 10 (certificate has expired)
> ---
> 250 CHUNKING
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
> Protocol : TLSv1.3
> Cipher : TLS_AES_256_GCM_SHA384
> Session-ID: D3BC53BE05BBC3F13FB4D103E67376852150BB14208E91A07A6FC4ACA3713AA9
> Session-ID-ctx:
> Resumption PSK: F44983AC9CE6BC47A8FC49E1239CC9F84AEDC85E4B9A5583954EC3AEC207716366B615F5D060F1A3FF5501B7F290BE51
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 7200 (seconds)
> TLS session ticket: [hex dump omitted]
>
> Start Time: 1611269792
> Timeout : 7200 (sec)
> Verify return code: 10 (certificate has expired)
> Extended master secret: no
> Max Early Data: 0
> ---
> read R BLOCK
>
> On Thu, Jan 21, 2021 at 11:44 PM Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> >
> > On Thu, Jan 21, 2021 at 11:19:13PM +0100, Pau Peris wrote:
> >
> > > Does someone know how I can make postfix show the absolute path for the
> > > TLS certificate used?
> >
> > There is no such feature. But if you're not using SNI, the certificate
> > chain is the same for all clients, and you can just connect to your
> > server and see the dates on the returned chain with:
> >
> > $ posttls-finger -lsecure -cC "[smtp.server.example]" |
> > openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> > openssl pkcs7 -print_certs -text -noout |
> > egrep -A4 'Issuer:'
> >
> > If you are using SNI, you can repeat the above for each supported
> > SNI name:
> >
> > $ posttls-finger -s "smtp.server2.example" ...
> >
> > Or, if you know which SNI name this particular client was likely
> > using, just use the same one.
> >
> > > Postfix config file seems fine but obviously there's some kind of
> > > mistake on my side, so I would like to make the following error more
> > > verbose or be able to find the certificate in use.
> > >
> > > postfix/smtpd[3733]: warning: TLS library problem: error:14094415:SSL
> > > routines:ssl3_read_bytes:sslv3 alert certificate
> > > expired:../ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
> >
> > It is also possible that the expired certificate is on the client
> > side in its own trust store.
> >
> > --
> > Viktor.
>
> --
> Pau
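As an added example (not from the thread or from Postfix), here is a small Python parser for the `openssl s_client` verify output quoted above: it pairs each `depth=` line with its verify errors and `notAfter` date, reports which chain depth expired, and tells apart the two cases Viktor raises, an expired server certificate versus an expired issuer in the chain or the client's trust store. The two sample outputs and the reference time are constructed.

```python
import re
from datetime import datetime, timezone
# Constructed sample modelled on the `openssl s_client` verify output quoted in the thread.
SAMPLE_LEAF_EXPIRED = """\
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = webeloping.es
verify error:num=10:certificate has expired
notAfter=Jan  2 21:47:07 2021 GMT
verify return:1
depth=0 CN = webeloping.es
notAfter=Jan  2 21:47:07 2021 GMT
verify return:1
"""
# Constructed sample of the other case Viktor raises: the leaf verifies, an issuer does not.
SAMPLE_ISSUER_EXPIRED = """\
depth=1 C = US, O = Example Intermediate CA
verify error:num=10:certificate has expired
notAfter=Jan  1 00:00:00 2021 GMT
depth=0 CN = mail.example.com
verify return:1
"""
REFERENCE_TIME = datetime(2021, 1, 21, 21, 0, tzinfo=timezone.utc)  # constructed "now"
DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.*)$")
def parse_verify(output):
    """Map each chain depth to its subject, verify errors and notAfter (when printed)."""
    entries, cur = {}, None
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):  # openssl may visit depth 0 twice: merge, don't overwrite
            cur = entries.setdefault(int(m[1]), {"subject": m[2], "errors": [], "not_after": None})
        elif cur is None:
            continue
        elif m := ERROR_RE.match(line):
            cur["errors"].append((int(m[1]), m[2]))
        elif m := NOTAFTER_RE.match(line):
            cur["not_after"] = datetime.strptime(m[1], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return entries

def diagnose(output, now=REFERENCE_TIME):
    """Report which depths hit verify error 10 and whole days left on the leaf (negative = past)."""
    entries = parse_verify(output)
    expired = sorted(d for d, e in entries.items() if any(c == 10 for c, _ in e["errors"]))
    leaf = entries.get(0)
    days = (leaf["not_after"] - now).days if leaf and leaf["not_after"] else None
    verdict = ("no expiry error in the chain" if not expired else
               "server certificate expired: renew it on the server" if 0 in expired else
               "an issuer certificate expired: check the chain file and the client trust store")
    return {"expired_depths": expired, "leaf_days_left": days, "verdict": verdict}
```

Feed it the real output of `openssl s_client -starttls smtp -showcerts -connect host:587` (with any `> ` quote prefixes stripped) and pass `datetime.now(timezone.utc)` as `now`.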