Haraka Let's Encrypt fullchain.pem
Haraka doesn't use fullchain.pem from Let's Encrypt, so the certificate could not be verified:
Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
The fullchain.pem certificate (/data/ssl/letsencrypt/mail.domain/fullchain.pem) issued by poste.io mailserver only contains one certificate.
Comments (4)
reporter:
I had to allow unsecure TLS connections in my GMail app on Android to be able to connect to my poste.io instance. Before, it worked without allowing unsecure connections. The certificate details reported by the app look correct, but contain no concrete error message or other advanced information. Don't know if this is caused by an update in the app or poste.io, but I guess this is also caused by not having the full chain included in the certificate.
Hi, I’m running into this problem as well.
This is affecting not just Haraka but everything except visiting the website. However, sending mail (via msmtp), and even fetching it, is broken in a lot of software because the intermediate certificate is not being attached as it should:
-> % openssl s_client -connect mail.website.com:443
CONNECTED(00000005)
depth=0 CN = mail.website.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.website.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.website.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[NOTE: ___certificate removed__]
-----END CERTIFICATE-----
subject=/CN=mail.website.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2551 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: XXX
    Session-ID-ctx:
    Master-Key: XXX
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - bf 72 59 09 8d 55 c7 3b-04 f3 ac 42 ce 50 e4 d6   .rY..U.;...B.P..
    0010 - 8f d8 1d d0 43 d9 88 19-8b 04 ed 1e 34 75 59 9f   ....C.......4uY.
    0020 - 57 c5 11 a9 80 25 c6 2b-fe de a7 7a 75 a2 72 84   W....%.+...zu.r.
    0030 - 99 64 d4 18 58 f4 77 5e-c7 35 6d 1c 34 89 09 58   .d..X.w^.5m.4..X
    0040 - 18 be 41 b4 e3 95 1a 78-b6 15 29 30 26 f4 ec 30   ..A....x..)0&..0
    0050 - ba cc 7b 4a ff 29 ec 87-cf 3a b8 ad 6e ba 69 71   ..{J.)...:..n.iq
    0060 - 7b 3f be fa 0e 9a 77 4d-fc 18 9f 6c 6b d2 ac 81   {?....wM...lk...
    0070 - 23 d9 b9 92 32 16 8b a6-d9 9b 32 dd b7 79 ba c4   #...2.....2..y..
    0080 - 02 c7 dd 8c a1 d9 10 e5-ed af 08 b4 8d 0e 61 72   ..............ar
    0090 - 3c 3c f9 46 2c 50 3e 44-5f 9c 10 ea 27 aa 60 04   <<.F,P>D_...'.`.
    00a0 - 5c 92 fd a7 ec f5 1b fa-9d 4f b1 af 1b 3f 0e 23   \........O...?.#
    Start Time: 1569733035
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed
Everything was working fine. I don’t know how to force the certificate to renew. When I run
poste -vvv le:renew
it tells me there's no need to renew the certificate because it's still valid. This is negatively affecting our customers since our helpdesk software is unable to fetch via IMAP.
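A check for the condition described in the issue text and in the openssl output above: a bundle or a server that presents only the leaf certificate. This is an added example, not poste.io or Haraka code; the fullchain.pem path is the one quoted in the issue, and the port 465 in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not poste.io/Haraka code): detect a PEM bundle or a live
# server that presents only the leaf certificate without the intermediate.
set -u

# Count the certificates in a PEM file (0 if the file is missing or empty).
count_certs() {
  [ -f "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 when the bundle holds a leaf plus at least one intermediate,
# 1 when it holds only one certificate (the failure described in this issue).
check_fullchain() {
  n=$(count_certs "$1")
  if [ "$n" -lt 2 ]; then
    echo "WARN: $1 holds $n certificate(s); the intermediate is missing" >&2
    return 1
  fi
  echo "OK: $1 holds $n certificates"
  return 0
}

# Count the certificates a live server sends in its TLS handshake
# (needs network access; the openssl output above shows a chain of length 1).
server_chain_len() {
  openssl s_client -showcerts -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed sample files with placeholder bodies, not real certificates.
TMP=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFONLY' \
  '-----END CERTIFICATE-----' > "$TMP/leaf_only.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
  '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' \
  > "$TMP/full.pem"

check_fullchain "$TMP/leaf_only.pem" || true   # prints the warning
check_fullchain "$TMP/full.pem"                # prints OK
# Real use, path from the issue, port assumed:
#   check_fullchain /data/ssl/letsencrypt/mail.domain/fullchain.pem
#   server_chain_len mail.domain 465
```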
In case it’s helpful, I’ve described how I’ve worked around this issue here.