Issuer unknown when testing TLS on SMTP

I just set up a mail server using a Let's Encrypt TLS certificate.

When testing the implementation, I tried multiple online TLS testing services. Most were pathetic and only checked whether the STARTTLS command was present.

Of those that did do a full test (2), they returned unknown issuer errors like the one below:

mail.**************
    90 days remaining 4096 bit sha256WithRSAEncryption 
    Unknown Authority =>    Let's Encrypt Authority X3 

This has me worried that the CA is not acceptable to many MTAs and that I may be doing myself a disservice by using Let's Encrypt.

Another, more complete test is this one from checktls.com:

[001.837]		STARTTLS command works on this server 
[002.615]		SSLVersion in use: TLSv1.2 
[002.615]		Cipher in use: ECDHE-RSA-AES128-SHA256 
[002.615]		Connection converted to SSL 
[002.643]		Certificate 1 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.667]		Certificate 2 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.688]		Certificate 3 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.688]		Cert NOT VALIDATED: unable to get local issuer certificate

Are there any statistics or details on support across Mail Transport Agents?

How did you set up the cert in the configuration file? Using cert.pem and chain.pem, or did you use fullchain.pem?

In Exim I used the following…

tls_certificate = /path/to/domainname.crt
tls_privatekey = /path/to/domainname.key
tls_verify_certificates = /path/to/chain.crt

The certs were created using the getssl bash script and the production Let's Encrypt server.

I don’t think tls_verify_certificates is what you need here. Rather, you should set tls_certificate to a file containing both your server certificate and the intermediate (chain) certificate. With getssl, I believe you can get such a file by providing the DOMAIN_PEM_LOCATION variable. Alternatively, something like cat /path/to/domainname.crt /path/to/chain.crt > /path/to/fullchain.crt should work too (tls_certificate should be set to /path/to/fullchain.crt in that example).

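To make the fix in the reply above concrete, here is an added shell example (my own, not code from this thread, from getssl or from Exim). It builds a throwaway three-tier PKI with the openssl CLI, then plays the role of a remote MTA that trusts only the root: first against a server that presents only domainname.crt (what the original Exim config served), which reproduces the checktls "unable to get local issuer certificate" verdict, and then against the concatenated fullchain.crt, which validates. The CA names, mail.example.test, the files under $WORK and the checktls-style verdict strings are all constructed for the demo; tls_verify_certificates is never involved, because it does not change what the server sends.

```shell
#!/bin/sh
# Added example, not code from the thread, getssl or Exim: reproduce the
# "unable to get local issuer certificate" result with a constructed,
# throwaway PKI and show why tls_certificate has to point at the full chain.
# Needs only the openssl CLI. Every name below (the CA names, mail.example.test,
# the files under $WORK) is an assumption made for this demo.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# Three tiers: root (the only thing a peer MTA trusts), intermediate (the
# analogue of "Let's Encrypt Authority X3", written to chain.crt to match the
# thread's file names), and the server's own certificate (domainname.crt).
make_pki() {
    openssl req -x509 -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
        -subj "/CN=Constructed Test Root" >/dev/null 2>&1 || return 1
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Constructed Test Intermediate" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/demo.cnf" -extensions ca_ext \
        -out "$WORK/chain.crt" >/dev/null 2>&1 || return 1
    openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/domainname.key" -out "$WORK/domainname.csr" \
        -subj "/CN=mail.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/domainname.csr" -CA "$WORK/chain.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
        -out "$WORK/domainname.crt" >/dev/null 2>&1 || return 1
}

# The fix from the thread: server certificate first, then the intermediate,
# in one file (what getssl's DOMAIN_PEM_LOCATION / certbot's fullchain.pem hold).
build_fullchain() {
    cat "$1" "$2" > "$3"
}

# Model a remote MTA or checktls.com: it trusts only its own store ($1) and has
# to chain the server certificate ($3) through whatever the server presented
# ($2). Prints a checktls-style verdict; exit status 0 means validated.
mta_verify() {
    trust_store=$1; presented=$2; server_cert=$3
    if out=$(openssl verify -CAfile "$trust_store" -untrusted "$presented" "$server_cert" 2>&1); then
        echo "Cert VALIDATED"
        return 0
    fi
    case $out in
        *"unable to get local issuer certificate"*) reason="unable to get local issuer certificate" ;;
        *) reason=$out ;;
    esac
    echo "Cert NOT VALIDATED: $reason"
    return 1
}

demo() {
    make_pki || { echo "could not build the demo PKI (is openssl installed?)" >&2; return 1; }
    echo "tls_certificate = domainname.crt (leaf only, as in the original Exim config):"
    mta_verify "$WORK/root.pem" "$WORK/domainname.crt" "$WORK/domainname.crt" || true
    build_fullchain "$WORK/domainname.crt" "$WORK/chain.crt" "$WORK/fullchain.crt"
    echo "tls_certificate = fullchain.crt (leaf + intermediate):"
    mta_verify "$WORK/root.pem" "$WORK/fullchain.crt" "$WORK/domainname.crt" || true
}

demo
```

The same check against a live server is `openssl s_client -starttls smtp -connect mail.example.test:25 -showcerts`, which prints every certificate the MTA actually sends; if only one appears, the intermediate is missing from the file tls_certificate points at, whatever tls_verify_certificates says.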

You're a champ, that fixed it.

I must have misread the documentation for tls_verify_certificates. I thought the name seemed a bit on the odd side.

Nope, not me. The docs here are dead wrong…
https://help.directadmin.com/item.php?id=598

It's actually for a directory of client certs!

I notified the admins at DirectAdmin and they have amended their document. Crisis averted.

Thanks again pfg and Osiris
