Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: goodbyebots.com
I ran this command: using Mailkit to send email, the Authentication command fails
It produced this output:
MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.

The server's SSL certificate could not be validated for the following reasons:
• The server certificate has the following errors:
  • A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

 ---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
My web server is (include version): OpenLiteSpeed
The operating system my web server runs on is (include version): CentOS 7.9
My hosting provider, if applicable, is: Hostinger (VPS)
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
CyberPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.5
Osiris
August 4, 2022, 4:41pm
#2
Which mail server are we talking about exactly? mail.goodbyebots.com perhaps?
3 Likes
Yes. That's the one. The main domain is goodbyebots, the email domain is mail.goodbyebots.com
Osiris
August 4, 2022, 4:50pm
#4
And which hostname exactly are you using to connect to the SMTP server?
Reason why I'm asking is because your Postfix uses SNI to determine which certificates it sends. If I try openssl s_client -connect mail.goodbyebots.com:smtps I'm getting a self-signed certificate as a result, but when I try openssl s_client -connect goodbyebots.com:smtps, I'm getting the correct LE certificate with correct chain. Also without SNI I'm getting the LE cert.
3 Likes
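The check Osiris describes above (connect with different SNI names and see whether the server presents a different certificate) can be automated. The following is an added example by the editor, not code from the thread or from MailKit/Postfix; it assumes Python 3.8+ with only the standard library, an implicit-TLS port such as smtps/465, and that the system trust store is the one your mail client would use. It probes without SNI, with SNI set to the mail host, and with SNI set to the parent domain, then compares SHA-256 fingerprints of the leaf certificates so you can see whether the served certificate depends on SNI and which variant fails verification.

```python
"""Probe an SMTPS endpoint with and without SNI and compare the certificates
it presents. Editor-added diagnostic; not part of the original thread."""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional, Tuple

ProbeResult = Tuple[Optional[str], Optional[str]]  # (fingerprint, verification error)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate in OpenSSL's colon format."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def candidate_names(host: str) -> List[Tuple[str, Optional[str]]]:
    """The SNI variants worth comparing: none, the host itself, and its parent domain."""
    names: List[Tuple[str, Optional[str]]] = [("no SNI", None), (host, host)]
    if host.count(".") >= 2:  # mail.example.com -> example.com
        parent = host.split(".", 1)[1]
        names.append((parent, parent))
    return names


def probe(host: str, port: int, servername: Optional[str], timeout: float = 10.0) -> ProbeResult:
    """Handshake once with verification (chain plus hostname when SNI is given);
    if that fails, handshake again without verification purely to fingerprint
    whatever leaf certificate the server sent for this SNI value."""
    verified = ssl.create_default_context()
    verified.check_hostname = servername is not None  # no SNI -> chain check only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with verified.wrap_socket(sock, server_hostname=servername) as tls:
                return fingerprint(tls.getpeercert(binary_form=True)), None
    except ssl.SSLCertVerificationError as exc:
        error = exc.verify_message or str(exc)

    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE  # diagnostic only: we just want the bytes
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with unverified.wrap_socket(sock, server_hostname=servername) as tls:
            return fingerprint(tls.getpeercert(binary_form=True)), error


def diagnose(results: Dict[str, ProbeResult]) -> Dict[str, object]:
    """Summarise probes keyed by SNI label: does the cert depend on SNI, and which fail?"""
    fingerprints = {fp for fp, _ in results.values() if fp}
    failed = sorted(label for label, (_, err) in results.items() if err)
    return {
        "sni_dependent": len(fingerprints) > 1,
        "distinct_certificates": len(fingerprints),
        "failed": failed,
    }


def run(host: str, port: int = 465) -> Dict[str, ProbeResult]:
    return {label: probe(host, port, name) for label, name in candidate_names(host)}


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 2:
        sys.exit("usage: sni_probe.py <mail-host> [port]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 465
    outcome = run(target, target_port)
    for label, (fp, err) in outcome.items():
        status = "OK" if err is None else "FAIL: " + err
        print(f"{label:>24}: {fp or 'no certificate'}  {status}")
    print(diagnose(outcome))
```

In the situation described in this thread you would expect three different outcomes: the no-SNI and bare-domain probes return the same fingerprint (the Let's Encrypt certificate), the bare-domain probe fails only on hostname mismatch, and the mail-host probe returns a different fingerprint that fails chain validation. The script only speaks implicit TLS; for STARTTLS on port 587 you would need to drive the SMTP conversation up to STARTTLS first, which smtplib can do but which is out of scope here.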
Cyberpanel says:
MAIL.GOODBYEBOTS.COM HAS SSL FROM LET'S ENCRYPT.
Your SSL will expire in 82 days.
I tried using just goodbyebots.com , and the error changed to: "The host name did not match the name given in the server's SSL certificate."
Osiris
August 4, 2022, 5:22pm
#8
I'm not familiar with Cyberpanel. Does it also configure Postfix? Or just your webserver?
That's because the certificate sent by Postfix when using goodbyebots.com is indeed just for mail.goodbyebots.com.
3 Likes
Cyberpanel is part of the equation. The other is the OpenLiteSpeed frontend. I still have to do a little bit of configuration the old-fashioned way.
Osiris
August 4, 2022, 5:29pm
#10
I don't think OpenLiteSpeed is in the equation regarding SMTP i.e. Postfix?
3 Likes
True. OpenLiteSpeed is the webserver, replacing Apache.
You may have gotten me going down the right path. Dovecot may be the problem. Researching...
Osiris
August 4, 2022, 5:33pm
#13
Dovecot is an IMAP service. And your IMAP is fine. Postfix is your SMTP daemon.
3 Likes
Osiris
August 4, 2022, 5:42pm
#15
I'm not that familiar with the SNI settings of Postfix, but it might be enough to do a grep tls main.cf so you'd only get the commands with tls in it.
3 Likes
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtp_tls_security_level = may
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Osiris
August 4, 2022, 5:44pm
#17
Interesting.
Could you confirm with openssl x509 -noout -text </etc/pki/dovecot/certs/dovecot.pem that dovecot.pem is the self signed certificate?
Also, what's the content of the /etc/postfix/vmail_ssl.map file?
And what is configuring your Postfix? A human being (i.e.: you) or Cyberpanel?
3 Likes
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:2e:e1:cd:9b:07:c1:94:7e:29:aa:1b:f8:cd:5a:49:6d:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: Jul 28 16:57:33 2022 GMT
Not After : Oct 26 16:57:32 2022 GMT
Subject: CN=mail.goodbyebots.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:42:25:bf:62:26:51:e3:06:53:5c:e4:a0:c4:5a:
c5:29:fd:52:36:39:c7:62:80:3b:63:e9:c9:dd:80:
04:15:f6:2c:42:f6:38:fd:c3:b6:d9:78:71:8c:69:
3a:24:6f:b5:99:ac:c8:df:77:de:13:de:08:71:2b:
b1:76:f7:1a:cc
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
0E:2E:DA:E9:1C:9B:7E:15:D3:A5:F3:32:EE:9F:D9:C8:63:4D:E6:BD
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:mail.goodbyebots.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
Timestamp : Jul 28 17:57:33.641 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:FC:5A:9D:C2:C7:78:3C:6B:0E:84:81:
5D:38:70:C1:73:93:6E:AB:77:10:D4:4E:08:36:C5:CE:
A7:58:FF:36:19:02:20:64:9D:19:E5:88:33:4B:DB:13:
92:89:5F:FF:FD:0C:45:AC:15:4F:49:E2:43:2D:D4:76:
35:49:D2:B6:BB:0D:A8
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
Timestamp : Jul 28 17:57:33.582 2022 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:58:4E:B3:F5:C7:1B:0E:D2:2C:0E:D7:AB:
24:66:24:87:D6:F3:AC:A2:2D:1E:1D:89:BD:99:96:1A:
F9:AC:F0:8A:02:21:00:A5:2D:CA:91:13:1C:68:36:01:
3E:62:09:C5:28:49:70:1A:CE:B1:EF:43:34:80:21:1F:
AF:32:53:DD:28:5E:29
Signature Algorithm: sha256WithRSAEncryption
48:f7:f8:1f:4f:4f:e8:a3:9c:86:21:e6:08:f0:c9:ae:96:6e:
b9:48:94:8a:5b:c1:b9:63:92:29:89:6b:df:1f:96:bf:74:60:
3d:ff:8b:17:0d:d9:59:b0:a4:01:d7:f4:72:4a:0b:de:f9:04:
ec:8d:ca:5d:4c:c9:dd:86:00:72:25:64:62:f2:da:d5:52:5b:
7c:25:2e:6b:6b:55:fc:93:40:80:13:69:f8:7c:e2:f9:8e:aa:
66:e3:e6:5f:cb:31:27:74:e1:ca:4f:38:55:a0:04:49:59:c1:
d6:71:7b:9a:df:fb:38:60:5b:15:24:0d:5e:4f:0f:94:d0:26:
bb:c7:49:34:ab:25:f5:2a:bd:56:70:6b:4d:09:26:26:f2:e0:
c7:35:e3:69:27:f7:cf:ea:d7:6c:ce:a5:37:f1:b6:e2:65:16:
bc:6b:8b:75:29:61:96:80:17:49:50:dd:b0:be:ac:09:35:0c:
ca:e0:94:eb:6d:1a:6f:d0:68:d4:7e:5e:36:96:ef:a7:41:24:
cd:e6:b3:4c:fe:19:f2:ab:45:f3:77:02:d2:99:8d:3d:8e:0c:
69:d1:14:cd:9f:35:88:75:4c:80:cc:51:ac:f9:a3:66:30:c1:
e6:dd:a4:b2:27:1f:c9:c6:8d:eb:18:25:ac:35:a3:13:70:a2:
a5:30:32:a7
Osiris
August 4, 2022, 5:47pm
#19
Hm, perhaps Cyberpanel just copies the cert to that location.. And the map file?
2 Likes
mail.360paintingofwilliamsoncounty.com /etc/letsencrypt/live/mail.360paintingofwilliamsoncounty.com/privkey.pem /etc/letsencrypt/live/mail.360paintingofwilliamsoncounty.com/fullchain.pem
mail.acmusicalexcellence.com /etc/letsencrypt/live/mail.acmusicalexcellence.com/privkey.pem /etc/letsencrypt/live/mail.acmusicalexcellence.com/fullchain.pem
mail.loguerhythm.com /etc/letsencrypt/live/mail.loguerhythm.com/privkey.pem /etc/letsencrypt/live/mail.loguerhythm.com/fullchain.pem
mail.createmyitsolutions.com /etc/letsencrypt/live/mail.createmyitsolutions.com/privkey.pem /etc/letsencrypt/live/mail.createmyitsolutions.com/fullchain.pem
mail.goodbyebots.com /etc/letsencrypt/live/mail.goodbyebots.com/privkey.pem /etc/letsencrypt/live/mail.goodbyebots.com/fullchain.pem