Root Certificate

Hi

I am having a problem with my email server and their tech (who have been great) have suggested finding help here. This is what they have said: "The snippet shows an "untrusted root" error. It may be with the root certificate and not the actual certificate being used. You can check with the Let's Encrypt group for possible troubleshooting."

The error that is coming up, which points to the certificate:
Mon 2023-11-20 16:23:37.736: --> STARTTLS
Mon 2023-11-20 16:23:39.098: <-- 220 Ready to start TLS
Mon 2023-11-20 16:23:39.266: SSL negotiation successful (TLS 1.2, 255 bit key exchange, 256 bit AES encryption)
Mon 2023-11-20 16:23:39.278: SSL certificate is not valid (not signed by recognized CA)

Common name: mail.nova-security.co.uk
SANs: mail.nova-security.co.uk
Valid from November 20, 2023 to February 18, 2024
Serial Number: 04eb611bb2530dc25dd739c9c81bc56d53e1
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3

Common name: R3
Organization: Let's Encrypt
Location: US
Valid from September 3, 2020 to September 15, 2025
Serial Number: 912b084acf0c18a753f6d62e25a75f5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: ISRG Root X1

Hello @RichE, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is the chain I presently see being served:

$ openssl s_client -showcerts -servername mail.nova-security.co.uk -connect mail.nova-security.co.uk:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.nova-security.co.uk
verify return:1
---
Certificate chain
 0 s:CN = mail.nova-security.co.uk
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 20 11:37:33 2023 GMT; NotAfter: Feb 18 11:37:32 2024 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.nova-security.co.uk
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3046 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F14A00006805A29AD11887D9292D0879D8F6A07E38B92B778157F90C5888C7EF
    Session-ID-ctx:
    Master-Key: 4289A32A28C42628465F6224B62CE5332AED9C08801BE0A742D752EE7A5714FAD00283F9A3BBB28E5B5D0A109E583EA3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1700503790
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
1 Like

And the root certificate looks fine here too: SSL Server Test: mail.nova-security.co.uk (Powered by Qualys SSL Labs)

All good, port 443 for HTTPS: https://decoder.link/sslchecker/mail.nova-security.co.uk/443
SMTP Port 465 and Port 587: What's the Difference? | SendGrid
All good, port 465: https://decoder.link/sslchecker/mail.nova-security.co.uk/465
Issues, port 587: https://decoder.link/sslchecker/mail.nova-security.co.uk/587

So for mail which ports are of importance and in use for your server?

What is running that produces this "SSL certificate is not valid (not signed by recognized CA)"?

4 Likes

Thanks for the replies and the starting points. It's an MDaemon mail server; I will have to check port 587. I am sure it's on the list of required ports, but I have never needed to use STARTTLS before.

Except that this advice is obsolete:
RFC 8314 "un-obsoleted" port 465 and now recommends it over STARTTLS on port 587 for e-mail submission. See specifically section 3.3.

(Same for SSL ports 993 and 995 now recommended instead of their STARTTLS equivalents.)

This is due to security issues with STARTTLS, see https://nostarttls.secvuln.info/.

4 Likes

Thanks @ghen :slightly_smiling_face:

2 Likes

Does it only fail using port 587? Because that is using a different cert:

openssl s_client -connect mail.nova-security.co.uk:587 -starttls smtp
---
Certificate chain
 0 s:O = WatchGuard_Technologies, OU = Fireware, CN = https.proxy.nul
   i:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  2 03:35:05 2019 GMT; NotAfter: Aug 29 03:35:05 2029 GMT
 1 s:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
   i:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  2 03:35:00 2019 GMT; NotAfter: Aug 29 03:35:00 2029 GMT
2 Likes
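As an added example (not code from any poster in this thread, nor from Let's Encrypt or MDaemon), here is a small Python script that parses the "Certificate chain" section printed by `openssl s_client -showcerts` for several ports and reports what each chain is anchored to. Run against the output for ports 443, 465 and 587, it makes the difference between the Let's Encrypt chain and the self-signed WatchGuard proxy CA on port 587 explicit, which is the check the two posts above perform by hand. The sample outputs are constructed from the chains quoted in this thread; the set of expected root names and all function names are assumptions for this example.

```python
"""Compare the certificate chains a mail host serves on its TLS ports.

Parses the "Certificate chain" block of `openssl s_client -showcerts`
output and classifies what each chain is anchored to. Added example;
the sample outputs below are constructed from the chains quoted in the
thread, and EXPECTED_ROOT_CNS is an assumption (adjust to your CA bundle).
"""
import re
from dataclasses import dataclass

# Assumption for this example: root CNs we expect behind a Let's Encrypt leaf.
EXPECTED_ROOT_CNS = {"ISRG Root X1", "ISRG Root X2"}

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = ..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")        # "   i:C = US, O = ..."
CN_RE = re.compile(r"CN = ([^,]+)")


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str


def parse_chain(s_client_output: str) -> list[ChainEntry]:
    """Extract (depth, subject, issuer) for every certificate s_client lists."""
    entries: list[ChainEntry] = []
    current = None
    for line in s_client_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip(), "")
            entries.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None and not current.issuer:
            current.issuer = m.group(1).strip()
    return entries


def common_name(dn: str) -> str:
    """Pull the CN out of an OpenSSL one-line DN; fall back to the whole DN."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn


def diagnose(chain: list[ChainEntry]) -> str:
    """Classify the chain by the issuer of its top-most certificate."""
    if not chain:
        return "no certificate chain found"
    top = max(chain, key=lambda e: e.depth)
    if top.subject == top.issuer:
        # A self-signed certificate at the top means the server, or a device
        # in front of it, is serving a private root no public client trusts.
        return f"private root served: {common_name(top.subject)}"
    root_cn = common_name(top.issuer)
    if root_cn in EXPECTED_ROOT_CNS:
        return f"chain anchors to expected root: {root_cn}"
    return f"chain anchors to unexpected root: {root_cn}"


def compare_ports(outputs: dict[int, str]) -> dict[int, str]:
    """Diagnose each port's chain from captured s_client output."""
    return {port: diagnose(parse_chain(text)) for port, text in outputs.items()}


def ports_disagree(results: dict[int, str]) -> bool:
    """True when the ports are not all anchored the same way, which is the
    signature of something terminating TLS on only some of them."""
    return len(set(results.values())) > 1


# Constructed samples, trimmed from the chains quoted in the thread.
SAMPLE_443 = """\
Certificate chain
 0 s:CN = mail.nova-security.co.uk
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

SAMPLE_587 = """\
Certificate chain
 0 s:O = WatchGuard_Technologies, OU = Fireware, CN = https.proxy.nul
   i:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
 1 s:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
   i:O = WatchGuard_Technologies, OU = Fireware, CN = Fireware HTTPS Proxy (SN D0FF04E8180A4 2019-09-01 03:34:38 GMT) CA
"""

if __name__ == "__main__":
    # Port 465 (implicit TLS) serves the same chain as 443 in the thread.
    results = compare_ports({443: SAMPLE_443, 465: SAMPLE_443, 587: SAMPLE_587})
    for port, verdict in sorted(results.items()):
        print(f"port {port}: {verdict}")
    if ports_disagree(results):
        print("ports disagree: something is terminating TLS on a subset of them")
```

To use it on a live host, capture each port's output with `openssl s_client -showcerts -connect HOST:443 < /dev/null`, the same with `-starttls smtp` for 587, and a plain `-connect HOST:465` for implicit TLS, then pass the captured text in place of the samples.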

The SSL/TLS handshake is failing, since the client is not trusting the Let's Encrypt root and intermediate CA.
Check with the email app (MDaemon) support guys how to update the trusted root and intermediate CA store.
MDaemon is a Windows-based application. What version of Windows are you running it on? Most probably it relies on the Windows cert store, and all you have to do is update it manually if it is an outdated OS.

1 Like

Then you may need to trust your proxy:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.