Need X3 authority to restore

My mail domain is: mail.dp-flowers.com

Its cert was updated and now my SMTP STARTTLS and POP3 STLS are failing. The first OpenSSL error logged a TLS version that was too low, so I turned off TLS 1.1. Only TLS 1.2 is enabled. Now the error is "wrong ssl version", so I see I made a major mistake by auto-updating the cert; it's using a new R3 and now I can't connect to the sites, now the website bbs.dp-flowers.com. I need to restore with X3 today so I can then work on the new requirements.

Sorry, I did not back up the previous *.pem files. Help


Hi @hsantos

You can't. X3 is dead; there is no way back.

You have to update your system, so your mail server uses the new R3.

That's another problem, independent from X3 -> R3.

PS: Checked your configuration https://check-your-website.server-daten.de/?q=bbs.dp-flowers.com#connections and manually. Your website and your port 25 send too many certificates.

1 CN=bbs.dp-flowers.com

2 CN=R3, O=Let's Encrypt, C=US

3 CN=DST Root CA X3, O=Digital Signature Trust Co.

Sending the root certificate is wrong. Same via OpenSSL with your port 25.

But that's not your error message "wrong ssl version".

Looks like you use an expired client.


Lesson learned -- stop automating things!! Arggg. I just don't want people screaming now. It appears R3 requires the latest OpenSSL DLLs. The logs are showing:

(SMTP) err queue: 0:error:1420910A:SSL routines:tls_early_post_process_client_hello:wrong ssl version:..\ss
(SMTP) ssl_accept: SSL_accept (ires=-1) error:00000001:lib(0):func(0):reason(1) | SSL_ERROR_SSL

Maybe I can keep it down to 1 hr of downtime to update the DLLs. Argg, going to redirect the mail host to another machine.

No. A certificate doesn't know anything about DLLs.

You use a too-old client; maybe that client doesn't support TLS 1.2.

I don't see a critical problem (sending a root certificate is not good, but that doesn't block the connection). And I can connect to your SMTP server.


My fault. I didn't back up the X3 *.pem in my acme update scripts. The PEMs were still good until 2/20, giving me time to do all the crypto updating and study/test the changes. Anyway, I panicked. :frowning: Sorry,

I just needed to update the CA intermediate certs bundle. Phew! I don't have this in my script.

RESOLVED, CLOSED. Thanks for your help.


BTW, in my server which uses OpenSSL, I have ssl\cacert\cacert.txt with all the CA certs. I update it as needed with new CAs and their changes, or you can copy the cert to the directory and it's read in.

Which one do I copy to cacert?

*-chain.pem or *-chain-only.pem?

I copied both; is that why you saw a root cert?

I have to see why OpenSSL v1.1.1.7 reported "wrong ssl version".

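Added example, not from this thread or from Let's Encrypt: a small POSIX shell check for the two points raised above, namely the "too many certificates / sending the root is wrong" finding and the later question of whether copying both *-chain.pem and *-chain-only.pem into the server's cert directory is what put the root into the served chain. It splits a PEM bundle into its individual certificates, prints each subject and issuer, and counts the self-signed ones (issuer equal to subject), which are root certificates that belong in a client's trust store rather than in the chain a mail or web server sends. It assumes only that the openssl command-line tool is on PATH; the function names and the bundle path are this example's own.

```shell
#!/bin/sh
# Audit a PEM bundle before serving it as the STARTTLS/HTTPS chain.
# Prints every certificate's subject and issuer on stderr, flags self-signed
# ones (issuer == subject), and prints the number of such roots on stdout.
# Assumes the openssl CLI is available; everything else is plain POSIX sh/awk.

# split_bundle BUNDLE DIR: write each "-----BEGIN CERTIFICATE-----" block
# found in BUNDLE to DIR/cert-N.pem, in the order the server would send them.
split_bundle() {
  bundle="$1"
  dir="$2"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                      { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$bundle"
}

# count_roots BUNDLE: list each certificate and return (via stdout) how many
# are self-signed. A correctly built server chain should report 0: the leaf,
# then intermediates (here "R3"), and no root such as "DST Root CA X3".
count_roots() {
  bundle="$1"
  tmp=$(mktemp -d) || return 1
  split_bundle "$bundle" "$tmp"
  roots=0
  for f in "$tmp"/cert-*.pem; do
    [ -f "$f" ] || continue
    # Strip the "subject=" / "issuer=" prefix (with or without a space, to
    # cover OpenSSL 1.0 and 1.1/3.x output) so the two names compare directly.
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then
      roots=$((roots + 1))
      echo "ROOT (do not serve): $subj" >&2
    else
      echo "chain: $subj  <- issued by: $iss" >&2
    fi
  done
  rm -rf "$tmp"
  echo "$roots"
}

# Usage: sh check-chain.sh /path/to/fullchain.pem
# Exit status is non-zero when the bundle contains a root certificate.
if [ -n "$1" ]; then
  n=$(count_roots "$1")
  echo "self-signed certificates in bundle: $n"
  [ "$n" -eq 0 ]
fi
```

Run it against the bundle the server actually loads (for an acme client that is typically the fullchain file, i.e. leaf plus intermediate). A result other than 0 means a root was concatenated in, which matches what the check-your-website scan above reported for port 25 and the website.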
