Cert VALIDATION ERROR(S): unable to get local issuer certificate

My domain is: mail.commedia.org.uk

I ran this command:

openssl s_client -connect mail.commedia.org.uk:25 -showcerts

It produced this output:

CONNECTED(00000003)
140137382925632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 312 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

The operating system my web server runs on is (include version): Centos 5

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is:

~/.acme.sh/acme.sh --version
https://github.com/acmesh-official/acme.sh
v2.8.8

Using https://www.checktls.com/ to check TLS on this mail server, I get the following error message:

Certificate #1 of 1 (sent by MX):
Cert is unsigned
Cert VALIDATION ERROR(S): unable to get local issuer certificate
This may help: [What Is An Intermediate Certificate](http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate/)
So email is encrypted but the recipient domain is not verified
Cert Hostname VERIFIED (mail.commedia.org.uk = mail.commedia.org.uk DNS:mail.commedia.org.uk)
Not Valid Before: Mar 13 23:17:33 2021 GMT
Not Valid After: Jun 11 23:17:33 2021 GMT
subject= /CN=mail.commedia.org.uk
issuer= /C=US/O=Let's Encrypt/CN=R3

I think I've created the following files correctly:

./acme.sh --install-cert -d mail.commedia.org.uk --cert-file /etc/pki/tls/cert.pem --key-file /etc/pki/tls/privkey.pem --fullchain-file /etc/pki/tls/fullchain.pem

And following the instructions here:

https://upcloud.com/community/tutorials/secure-postfix-using-lets-encrypt/

I point to the files here:

smtp_tls_key_file = /etc/pki/tls/privkey.pem
smtp_tls_cert_file = /etc/pki/tls/fullchain.pem

Reloaded Postfix but errors remain.

Please help and advise with:

Cert VALIDATION ERROR(S): unable to get local issuer certificate


Hi @ITCrowd

That's not so good. Use

openssl s_client -connect mail.commedia.org.uk:25 -starttls smtp

Then you see:

depth=0 CN = mail.commedia.org.uk
verify error:num=21:unable to verify the first certificate
verify return:1

That's critical, not the 20 error.

And you see

---
Certificate chain
0 s:CN = mail.commedia.org.uk
  i:C = US, O = Let's Encrypt, CN = R3
---

Only one certificate.

Instead, you should see something like

---
Certificate chain
 0 s:CN = *.server-daten.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

But you already use fullchain.pem, so normally it should work. Open fullchain.pem with an editor and check if there are two certificates.

Are you sure there isn't another program running?


Port 25 is unencrypted, unless you use STARTTLS. You should add the -starttls smtp option to the openssl command line.

Furthermore, the certificate chain is missing its intermediate certificate:

Certificate chain
 0 s:CN = mail.commedia.org.uk
   i:C = US, O = Let's Encrypt, CN = R3

That chain should also include the R3 certificate itself.

Those directives are for the SMTP client of Postfix, not for the SMTP server. You should use smtpd_tls_cert_file and smtpd_tls_key_file.

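Added example, not from the thread: a POSIX shell script that performs the checks the two replies above describe. It counts the certificates in fullchain.pem, verifies that each certificate is issued by the one after it (leaf first, then the R3 intermediate), and can fetch the chain a server presents after STARTTLS using the -starttls smtp option; the host name mail.example.test in the comments is a placeholder.

```shell
# Chain sanity checks for a Postfix STARTTLS deployment (added example, not from the thread).
# Needs the openssl CLI; pem_* functions inspect a local bundle such as fullchain.pem.
# Number of certificates in a PEM bundle (the "are there two certificates" check).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Emit the Nth (1-based) certificate of a bundle on stdout.
pem_nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

# Print the chain the way s_client does: "N s:<subject>" then "   i:<issuer>".
pem_chain_report() {
    n=$(pem_cert_count "$1"); i=1
    while [ "$i" -le "$n" ]; do
        pem_nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer \
            | sed "s/^subject=/$((i-1)) s:/; s/^issuer=/   i:/"
        i=$((i+1))
    done
}

# Succeed only if the bundle holds the leaf plus at least one intermediate and
# every certificate is issued by the one after it (leaf first, as Postfix expects).
pem_chain_linked() {
    n=$(pem_cert_count "$1")
    if [ "$n" -lt 2 ]; then
        echo "$1: $n certificate(s), intermediate is missing"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_nth_cert "$1" $((i+1)) | openssl x509 -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$1: certificate $i is not issued by certificate $((i+1))"; return 1
        fi
        i=$((i+1))
    done
    echo "$1: $n certificates, chain is linked"
}

# Fetch the chain a live server presents after STARTTLS (port 25 by default) and
# run the same checks. Usage: smtp_chain_check mail.example.test (hostname assumed).
smtp_chain_check() {
    tmp=$(mktemp)
    openssl s_client -starttls smtp -connect "$1:${2:-25}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >"$tmp"
    pem_chain_report "$tmp"; pem_chain_linked "$tmp"; rc=$?
    rm -f "$tmp"; return "$rc"
}
```

A leaf-only bundle, or a server that still serves the certificate from the wrong Postfix directive, shows up as "intermediate is missing", the condition behind the "unable to get local issuer certificate" report above.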

Thank you @JuergenAuer, thank you @Osiris - I had switched off the config temporarily but it is now in place (at 21:40pm GMT)

@JuergenAuer I now try this:

~$ openssl s_client -connect mail.commedia.org.uk:25 -starttls smtp
CONNECTED(00000003)
139953553028416:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 272 bytes and written 345 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

And @Osiris, thank you - I have got those files in place now:

smtpd_tls_key_file = /etc/pki/tls/privkey.pem
smtpd_tls_cert_file = /etc/pki/tls/fullchain.pem

I'm still getting this now:

:~$ openssl s_client -connect mail.commedia.org.uk:25 -starttls smtp
CONNECTED(00000003)
139877859280192:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 300 bytes and written 352 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Is this part of the problem:

routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:

@JuergenAuer if I open fullchain.pem then there are two certificates in there - is that correct?

Redacted file below.

# cat /etc/pki/tls/fullchain.pem 
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXJNV8cOYMA0GCSqGSIb3DQEBCwUAZ91/RCF7TWac3HgtSx+yWzmae3CwNgxZ+i3MIF7Drk5eCgtFf4v+MhRSZhC80eY0
+p4OgYEU5NVTNYZC2NQiEQ5x1p2m7VGS5k8rzV5DBGBn
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/qjBstzLhWGFDRAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----

It looks like you're checking a different machine, not your port that's online.

I see (first part):

G:\OpenSSL-Win64\bin>openssl s_client -connect mail.commedia.org.uk:25 -starttls smtp
CONNECTED(000001C0)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = mail.commedia.org.uk
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.commedia.org.uk

issuer=C = US, O = Let's Encrypt, CN = R3

Completely different.

Your fullchain is ok, that's the required content.

PS: Certificates are public, so everyone can load your complete certificate. Hiding is a little bit curious.


Thank you @JuergenAuer and @Osiris - I think that issue is now fixed. Though I might have some other Postfix issues.

Regarding the following:

PS: Certificates are public, so everyone can load your complete certificate. Hiding is a little bit curious.

That's a learning issue and my knowledge is now expanded. Thank you 🙏
