Following along & just curious, I checked a Postfix 3.6.3 here that's using
LetsEncrypt certs, where the conf includes
smtpd_tls_cert_file = /usr/local/etc/postfix/sec/fullchain.rsa.crt.pem
smtpd_tls_eccert_file = /usr/local/etc/postfix/sec/fullchain.ec.crt.pem
smtpd_tls_eckey_file = /usr/local/etc/postfix/sec/priv.ec.key
smtpd_tls_key_file = /usr/local/etc/postfix/sec/priv.rsa.key
cert verification FAILs
posttls-finger -cC -lsecure '[mx.example.com]'
posttls-finger: certificate verification failed for
mx.example.com[XX.XX.XX.3]:25: untrusted issuer /O=Digital Signature Trust
Co./CN=DST Root CA X3
...
checking
openssl crl2pkcs7 -nocrl -certfile fullchain.ec.crt.pem | openssl pkcs7 -print_certs -text -noout | grep CN=
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=mx.example.com
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject: C=US, O=Let's Encrypt, CN=R3
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
openssl crl2pkcs7 -nocrl -certfile fullchain.rsa.crt.pem | openssl pkcs7 -print_certs -text -noout | grep CN=
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=mx.example.com
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject: C=US, O=Let's Encrypt, CN=R3
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Reading @ https://letsencrypt.org/certificates/, the LE cert's cross-signed by
the DST root,
Root Certificates
Active
ISRG Root X1 (RSA 4096, O = Internet Security Research Group,
CN = ISRG Root X1)
Self-signed: der, pem, txt
!!! Cross-signed by DST Root CA X3: der, pem, txt
and that appears in standard CA system certs,
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-bundle.crt | openssl pkcs7 -print_certs -text -noout | grep CN=DST
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-bundle.trust.crt | openssl pkcs7 -print_certs -text -noout | grep CN=DST
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
You need to append the intermediate CA certificates.
also @ https://letsencrypt.org/certificates/
Intermediate Certificates
We do not use the X1, X2, X3, and X4 intermediates anymore.
Cross Signing
Intermediates
Our RSA intermediates are signed by ISRG Root X1. ISRG Root X1
is widely trusted at this point, but our RSA intermediates are still
cross-signed by IdenTrust’s “DST Root CA X3” (now called “TrustID X3 Root”) for
additional client compatibility
...
Almost all server operators will choose to serve a chain
including the intermediate certificate with Subject “R3” and Issuer “ISRG Root
X1”. The recommended Let’s Encrypt client software, Certbot, will make this
configuration seamlessly.
IIUC, the certbot-retrieved LE 'fullchain' cert chains correctly include those
two, and should be sufficient for cert validity checks.
But posttls-finger appears to also need the cross-signing root in the chain,
and does not check/retrieve OS cert paths?
I suspect I'm misunderstanding requirements &/or config here, as well.
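As an added example (not part of this post, and not Postfix code), here is a small Python model of the name-only path walk a verifier makes over the chain shown above, using the Subject/Issuer lines from the post as constructed input. It shows why the error names the terminal issuer "DST Root CA X3" when no trust anchors are configured, and that the same served chain verifies once either DST Root CA X3 or a self-signed ISRG Root X1 is in the store; it does no signature or validity-date checking.

```python
import re
from typing import List, Set, Tuple

# Constructed input: the Subject/Issuer lines the post shows for fullchain.ec.crt.pem
# (openssl pkcs7 -print_certs prints Issuer before Subject for each cert).
PRINT_CERTS_OUTPUT = """\
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=mx.example.com
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Subject: C=US, O=Let's Encrypt, CN=R3
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""

DST_ROOT = "O=Digital Signature Trust Co., CN=DST Root CA X3"
ISRG_ROOT = "C=US, O=Internet Security Research Group, CN=ISRG Root X1"


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in served order, leaf first."""
    issuers = re.findall(r"^Issuer: (.+)$", text, re.M)
    subjects = re.findall(r"^Subject: (.+)$", text, re.M)
    if len(issuers) != len(subjects):
        raise ValueError("unbalanced Issuer/Subject lines")
    return list(zip(subjects, issuers))


def build_path(chain: List[Tuple[str, str]], trusted: Set[str]) -> Tuple[bool, str, List[str]]:
    """Name-only path building. Walk from the leaf; the path ends as soon as a
    cert's issuer is a trust-store subject, so a trusted self-signed ISRG Root X1
    replaces the cross-signed copy in the served chain (as OpenSSL 1.1.0+ does).
    With no trust anchors the walk runs off the end of the chain at DST Root CA X3."""
    by_subject = dict(chain)  # subject -> issuer for certs in the served chain
    path: List[str] = []
    subject, issuer = chain[0]
    while True:
        path.append(subject)
        if issuer in trusted:
            path.append(issuer + " (trust store)")
            return True, "", path
        if issuer == subject:  # self-signed cert that is not a trust anchor
            return False, "self-signed certificate not trusted: " + subject, path
        if issuer not in by_subject:
            return False, "untrusted issuer " + issuer, path
        subject, issuer = issuer, by_subject[issuer]


if __name__ == "__main__":
    chain = parse_chain(PRINT_CERTS_OUTPUT)
    for label, store in (("no CAfile", set()), ("DST root", {DST_ROOT}), ("ISRG X1", {ISRG_ROOT})):
        ok, err, path = build_path(chain, store)
        print(f"{label:9s}: {'ok' if ok else err}  via {' -> '.join(path)}")
```

The "no CAfile" case reproduces the failure in the post: posttls-finger(1) trusts no public CAs unless a CAfile or CApath is supplied with -F or -P, so pointing it at the system bundle is the check to run before concluding that the served chain is wrong.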