Get ISRG Root X2

My Win10 system has no problem with your site:
image

1 Like

IIS on Windows doesn't really let you control the chain being served to clients. I haven't really done any testing with X2, but since the root is part of the Microsoft Root program, I'd guess your system already has the non-cross-signed X2 and is building to that rather than the longer cross-signed path to X1.

I'm curious why you'd sign up for X2 if you didn't actually want the X2 chain though.

3 Likes

Interestingly, my Win10 system pulls down the cross-signed X2 and builds to X1 instead of pulling the non-cross-signed X2.

3 Likes

No, I want to use the short X2 chain. The K-9 mail client app will pop up the certificate prompt.

Yes. Chrome is normal.

Well good. Your server is currently serving the short X2 chain. I'm not familiar with the K-9 mail client app. But if it's having a problem with the cert on your server, I'd guess the app has its own embedded certificate store rather than using the underlying OS's certificate store. And the embedded cert store doesn't yet trust X2.

3 Likes

Gmail can't send mail to my server. It seems Google does not support X2 yet.

Wed 2022-04-27 00:56:36.175: [00008403] <-- EHLO mail-vs1-xe30.google.com
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-mx.xiaoyu.net Hello mail-vs1-xe30.google.com [2607:f8b0:4864:20::e30], pleased to meet you
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-ETRN
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-8BITMIME
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-ENHANCEDSTATUSCODES
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-PIPELINING
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-CHUNKING
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-STARTTLS
Wed 2022-04-27 00:56:36.175: [00008403] --> 250-RKEY
Wed 2022-04-27 00:56:36.175: [00008403] --> 250 SIZE
Wed 2022-04-27 00:56:36.496: [00008403] <-- STARTTLS
Wed 2022-04-27 00:56:36.497: [00008403] --> 220 2.7.0 Ready to start TLS
Wed 2022-04-27 00:56:37.140: [00008403] SSL negotiation successful (TLS 1.2, 255 bit key exchange, 128 bit AES encryption)
Wed 2022-04-27 00:56:37.464: [00008403] connect closed
Wed 2022-04-27 00:56:37.464: [00008403] SMTP session terminated (Bytes in/out: 651/3296)

What is shown doesn't explain why gmail can't send.
And shows:

What is shown on the sender's Gmail account for that attempt?
Why does it fail?

1 Like

My server logs show a failure to disconnect. Currently my mail server is back to using the old certificate, which is working fine. When I get back to the office, I will set up the server to use the X2 certificate, and you can email me to test it out.

Android v12 has no X2 root cert. It only has the X1 root cert.

Perhaps it can be added manually?

2 Likes

It can be added manually, but it can only be added to the personal certificate column.
Chrome incognito mode only works.

Send mail to yon at xiaoyu.net for a test.

1 Like

Hi. I got your mail from your mail server,
but it seems the Google mail server does not work with the X2 cert.

image

1 Like

I have changed to testing mode; you can test it.

% curl https://mta-sts.xiaoyu.net/.well-known/mta-sts.txt
curl: (28) Failed to connect to mta-sts.xiaoyu.net port 443 after 258440 ms: Connection timed out
% dig +short txt _mta-sts.xiaoyu.net
"v=STSv1; id=20220313191900"

@GodSir you need to allow downloads from that hostname. (Or disable your mta-sts policy, but that's not immediate.)

1 Like
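As an added example (not code from this thread or from Let's Encrypt), here is a small offline checker for the MTA-STS setup being debugged above: the `_mta-sts` TXT record, the policy file served at `/.well-known/mta-sts.txt`, and what the policy `mode` (enforce vs testing) means for a sender whose trust store does not accept the receiving server's certificate. The TXT record value is the one from the thread; the policy's mx host and max_age are constructed and hypothetical.

```python
# Added example (not from the thread): offline MTA-STS (RFC 8461) policy checker.
# Constructed inputs modelled on the thread; the mx host and max_age are hypothetical.
TXT_RECORD = "v=STSv1; id=20220313191900"
POLICY_TEXT = "version: STSv1\nmode: enforce\nmx: mx.xiaoyu.net\nmax_age: 604800\n"
VALID_MODES = {"enforce", "testing", "none"}

def parse_txt_record(txt):
    """Parse the _mta-sts TXT record; None unless it is a usable STSv1 record."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return fields if fields.get("v") == "STSv1" and fields.get("id") else None

def parse_policy(text):
    """Parse mta-sts.txt into a dict; every 'mx' line is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        elif key:
            policy[key] = value
    return policy

def validate(txt, text):
    """Return the list of problems; an empty list means a well-formed policy."""
    problems, p = [], parse_policy(text)
    if parse_txt_record(txt) is None:
        problems.append("TXT record is not a valid STSv1 record")
    if p.get("version") != "STSv1":
        problems.append("policy version must be STSv1")
    if p.get("mode") not in VALID_MODES:
        problems.append("mode must be enforce, testing or none")
    if not p.get("max_age", "").isdigit():
        problems.append("max_age must be a non-negative integer")
    if p.get("mode") != "none" and not p["mx"]:
        problems.append("at least one mx line is required unless mode is none")
    return problems

def mx_matches(pattern, host):
    """RFC 8461 MX matching: exact name, or '*.' covering one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def delivery_effect(mode, mx_tls_ok):
    """What a policy-aware sender does when the MX certificate check fails."""
    if mx_tls_ok or mode == "none":
        return "deliver"
    return "refuse" if mode == "enforce" else "deliver-and-report"
```

With `mode: enforce`, a sender that cannot validate the MX certificate refuses delivery, which is why switching the policy to `testing` keeps mail flowing (with TLSRPT reports, if configured) while the chain problem is investigated. The policy file itself must also be reachable over HTTPS, or senders fall back to whatever policy they have cached.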

https://www.ssllabs.com/ssltest/analyze.html?d=mta-sts.xiaoyu.net

The website opens. What IP are you using?

I can only see your policy from Germany. From Italy and Iceland I only get timeouts.

1 Like

Maybe your IP is in a block list? IPv4?