Issuer unknown when testing tls on smtp


#1

I just set up a mail server using letsencrypt tls certificate

When testing the implementation, I tried multiple online TLS testing services. Most were pathetic and only checked if the StartTLS command was present.

Of those that did do a full test (2), they returned unknown issuer errors like the one below:

mail.**************
    90 days remaining 4096 bit sha256WithRSAEncryption 
    Unknown Authority =>    Let's Encrypt Authority X3 

This has me worried that the CA is not acceptable to many MTAs and I may be doing myself a disservice using letsencrypt.

Another, more complete test is this one from checktls.com:

[001.837]		STARTTLS command works on this server 
[002.615]		SSLVersion in use: TLSv1.2 
[002.615]		Cipher in use: ECDHE-RSA-AES128-SHA256 
[002.615]		Connection converted to SSL 
[002.643]		Certificate 1 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.667]		Certificate 2 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.688]		Certificate 3 of 3 in chain:
subject= /CN=mail.
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[002.688]		Cert NOT VALIDATED: unable to get local issuer certificate

Are there any statistics or details on support across Mail Transport Agents?


#2

How did you set up the cert in the configuration file? Using either cert.pem and chain.pem, or did you use fullchain.pem?


#3

In Exim I used the following…

tls_certificate = /path/to/domainname.crt
tls_privatekey = /path/to/domainname.key
tls_verify_certificates = /path/to/chain.crt

The certs were created using the getssl bash script and the production letsencrypt server.


#4

I don’t think tls_verify_certificates is what you need here. Rather, you should set tls_certificate to a file containing both your server certificate and the intermediate (chain) certificate. With getssl, I believe you can get such a file by providing the DOMAIN_PEM_LOCATION variable. Alternatively, something like cat /path/to/domainname.crt /path/to/chain.crt > /path/to/fullchain.crt should work too (tls_certificate should be set to /path/to/fullchain.crt in that example).


#5

You're a champ, that fixed it.

I must have misread the documentation for tls_verify_certificates. I thought the name seemed a bit on the odd side.

Nope, not me. The docs here are dead wrong…
https://help.directadmin.com/item.php?id=598

It's actually for a directory of client certs!


#6

I notified the admins at directadmin and they have amended their document. Crisis averted.

Thanks again pfg and Osiris.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.