I would like to use my certificates for mail. The FAQ states that
Let’s Encrypt certificates are standard Domain Validation certificates, so you can use them for any server that uses a domain name, like web servers, mail servers, FTP servers, and many more.
But then, in contrast, the certificate itself states:
X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
This says clearly that it is only for Web Servers, not for mail servers. (I did look for the correct category for mail servers in the IANA RFCs, but there isn't even one mentioned. Not sure where to look further for that.)
Then, I thought, what the heck, just give it a try, and installed it on the mailserver nevertheless. And indeed, it does not work for mailservers. (The same cert runs on the Web server just fine.)
Apr 28 23:26:19 <mail.info> gate sm-mta: STARTTLS=client, relay=intra.daemon.contact., version=TLSv1.3, verify=FAIL
After a lot of hassle, trying out my own CA, shooting myself in the foot a couple of times, etc.etc., I found somebody to ask about how to debug sendmail. And so I got further information:
2022-04-28T23:18:46.704257+02:00 <mail.info> intra.daemon.contact sm-mta STARTTLS: TLS cert verify: depth=3 /O=Digital Signature Trust Co./CN=DST Root CA X3, state=0, reason=certificate has expired
2022-04-28T23:18:46.705103+02:00 <mail.info> intra.daemon.contact sm-mta STARTTLS=server, get_verify: 10 get_peer: 0x801c3af00
2022-04-28T23:18:46.705122+02:00 <mail.info> intra.daemon.contact sm-mta STARTTLS=server, relay=gate.intra.daemon.contact [xx.xx.xx.xx], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
2022-04-28T23:18:46.705131+02:00 <mail.info> intra.daemon.contact sm-mta STARTTLS=server, cert-subject=/CN=moon.daemon.contact, cert-issuer=/C=US/O=Let's+20Encrypt/CN=R3, verifymsg=certificate has expired
So the certificate is expired for mail!
Let's look closer at this. That is what's in the fullchain I obtained:
Issuer: C = US, O = Let's Encrypt, CN = R3 Validity Not Before: Mar 22 05:04:24 2022 GMT Not After : Jun 20 05:04:23 2022 GMT Subject: CN = moon.daemon.contact Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1 Validity Not Before: Sep 4 00:00:00 2020 GMT Not After : Sep 15 16:00:00 2025 GMT Subject: C = US, O = Let's Encrypt, CN = R3 Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Validity Not Before: Jan 20 19:14:03 2021 GMT Not After : Sep 30 18:14:03 2024 GMT Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
None of these appears to be expired. Let's check the storage in /etc/ssh/certs:
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1 Validity Not Before: Jun 4 11:04:38 2015 GMT Not After : Jun 4 11:04:38 2035 GMT Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1 Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3 Validity Not Before: Sep 30 21:12:19 2000 GMT Not After : Sep 30 14:01:15 2021 GMT Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
Both of them are there, and one is indeed outdated.
(BTW, how can I figure out which release of a cert was used to sign another?)
I was wondering what is going on - checked the web and found this article:
Now this is really a bad joke: "older devices and browsers".
This device is:
$ uname -a
FreeBSD 13.1-RC2 FreeBSD 13.1-RC2 n250132-697a6a902ab[697a6a902ab=c2e15a08fd9+28]
This is so new, it is not even released yet.
So, now, would somebody please be so kind and explain to me what is going on, and, most importantly, how this would be supposed to work?