Sendmail TLS config errors - what's needed?

Hello

I'm running sendmail 8.15.2 on openSUSE, trying to secure it with lets encrypt signed certificates .

it isn't working though; instead i'm getting

verify error:num=20:unable to get local issuer certificate

...when trying to establish the connection.

certificates were acquired with:

# certbot certonly --standalone --standalone --standalone-supported-challenges tls-sni-01

and the files got placed in the /etc/certbot hierachy (as expected ?)

the certificate config in sendmail.mc looks like this:

define(`SSL_DIR',		`/etc/ssl')dnl
define(`CERT_DIR',		`/etc/certbot/live/outpost.yseda.com')dnl
define(`confCACERT_PATH',	SSL_DIR`/certs')dnl
define(`confCACERT',		CERT_DIR`/fullchain.pem')dnl
define(`confSERVER_CERT',	CERT_DIR`/cert.pem')dnl
define(`confSERVER_KEY',	CERT_DIR`/privkey.pem')dnl
define(`confCLIENT_CERT',	CERT_DIR`/cert.pem')dnl
define(`confCLIENT_KEY',	CERT_DIR`/privkey.pem')dnl
define(`confCRL',SSL_DIR`/crl/cacert.org.revoke.crl')dnl

I've also tried using chain.pem as the confCACERT & got the same result

I have the following files in /etc/ssl/certs:

-rw-r--r-- 1 root users 1967 Sep 16 14:09 isrgrootx1.pem
-rw-r--r-- 1 root users 1675 Sep 16 14:09 lets-encrypt-x1-cross-signed.pem
-rw-r--r-- 1 root users 1675 Sep 16 14:09 lets-encrypt-x2-cross-signed.pem
-rw-r--r-- 1 root users 1647 Sep 16 14:09 lets-encrypt-x3-cross-signed.pem
-rw-r--r-- 1 root users 1647 Sep 16 14:09 lets-encrypt-x4-cross-signed.pem

the full output from openssl s_client looks like this:

CONNECTED(00000003)
depth=1 /CN=Fake LE Intermediate X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=outpost.yseda.com
   i:/CN=Fake LE Intermediate X1
 1 s:/CN=Fake LE Intermediate X1
   i:/CN=Fake LE Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF5zCCBM+gAwIBAgITAPqH7ztvDi0iSkVZ9agv9ok5LTANBgkqhkiG9w0BAQsF
ADAiMSAwHgYDVQQDDBdGYWtlIExFIEludGVybWVkaWF0ZSBYMTAeFw0xNjA5MTUw
NDA3MDBaFw0xNjEyMTQwNDA3MDBaMBwxGjAYBgNVBAMTEW91dHBvc3QueXNlZGEu
Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwwMTkduw+IUJCV57
tsEf5P4rx/LGzkhYdxb/BS40JHHgp9i3WG2MR7ZdsHE2oM0y0o+62WsEGCoqQuhx
Yd6RjTQXnr8vcIlKAd8ZgrCTZ4kbf5bvaL1lBJbmNU5Cywc/VVyDM3YHdDLHLexx
Vse4yJb73EVWRkItwUaRNwG9vkonvhqJ+bBzEh7JoOqw0jFCzKIDUjTu8vNDNiKf
B+bYYdfknZJWN2Yqe9aLcSEttlyqBd4xWG6Hs8zv/tWbl34w//Rza2eD4tYdele4
McnK4Qpf60ubi0X5DAaacm3GzWZ7yQDCRMMyW21SzhG2ITK6sd2Dd3JyPRBfPTXW
HFFGRgoxTQ/gtXtf3rjGK1vRBCCa28SYirNeWoaa6D7kwyUMq5Mkhi0szejIXmfQ
5slEUEL54sULPJHQxtAoZ6Pc7K5Yt8iZm7Mu/N6PSbqqsND97n25vT9qC+5QbLhs
PQkm3cv3eXbDRfdx+81seF/oSsWJ8aydF0A8HWkMqrVMwvdmExBpzTe6AQDfoimO
r3jZQTr82XGrvHyhGHnBhxEsaVXdLA0TWzY1fqW8MaNFcc0pMfdkbZJehmB4QKD8
usN3JpoKiDNKwuwwZZGKx6/wLZXhRDREN3J+l5yxYS+J/AXkQRscJfbBek9HaRm9
5UD57KjVriTXchZzpxLF421+bJsCAwEAAaOCAhowggIWMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQUvnFpipa/QgRGulTC3fT3xiMcfJowHwYDVR0jBBgwFoAUwMwDRrlY
IMxccnDz4S7LIKb1aDoweAYIKwYBBQUHAQEEbDBqMDMGCCsGAQUFBzABhidodHRw
Oi8vb2NzcC5zdGctaW50LXgxLmxldHNlbmNyeXB0Lm9yZy8wMwYIKwYBBQUHMAKG
J2h0dHA6Ly9jZXJ0LnN0Zy1pbnQteDEubGV0c2VuY3J5cHQub3JnLzAcBgNVHREE
FTATghFvdXRwb3N0LnlzZWRhLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB
5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu
Y3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5
IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5
IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5k
IGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3
DQEBCwUAA4IBAQBKaZ/+TfJqzFvVdTpp9unlNL/r25He7Z4bSXbDg3wZCMMMFnHs
YRjhC0wH7uhy5jZrod4wJwJ2/crdtrwxMQ80x2WhWVo/Lbw+Znd9jfPRCaNw2q1L
876aaXgEX5bRtEHseY+GydY/Dtv1RPFVodIPYjfQvaiU6t4tRH1kIWrfuM/c2cSW
Eskk+YcB7KQKxXhARjsjw4DSWX3H1RdD6URLm7KXNKkMkcNFUgIIWGSRzG7Y/och
MkA3VDzmtdp8HleRpaQpEyiEJkEOsGIRkH+EJVQVJ9fUmzu9i1Yv129fBRUcsrbd
W6hyfChWi5a1Gq10mE6BgYfg66BRObMQ3HOg
-----END CERTIFICATE-----
subject=/CN=outpost.yseda.com
issuer=/CN=Fake LE Intermediate X1
---
Acceptable client certificate CA names
/CN=Fake LE Intermediate X1
---
SSL handshake has read 4356 bytes and written 503 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 9B77208AEF6153295A1ED5EC98C6088C2A262621825FB400138E00849BD8DB22
    Session-ID-ctx: 
    Master-Key: D9BA7A76ADDF1A10445F790AC1B1357C07D6AE08BF63E3E8088DADC3E51C172CD99785738D8011B541C52A2C87EBA9D8
    Key-Arg   : None
    Start Time: 1474001898
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 HELP

any suggestions ?

“Fake LE” is the development / testing CA operated by Let’s Encrypt for people either working on a client or on frameworks surrounding their use of Let’s Encrypt.

So that’s not a real trusted public CA. However it’s not obvious to me why your certificates were issued by this “fake” not the real thing. Did you do anything that might cause this?

Thanks for the reply - that definitely helps clear up the issue & satisfies my curiosity about why it was calling itself "Fake"... this is my first LetsEncrypt certificate so I assumed that was normal.

Since there's no openSUSE version of certbot on its homepage, I'm using the OBS version for Leap 42.1 from https://build.opensuse.org/package/show/home:ecsos:server/certbot

... turns out /etc/certbot/cli.ini has this bit in it...

# The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
# The productive server.
# server = https://acme-v01.api.letsencrypt.org/directory

setting the correct server & re-issuing the certs fixed the problem.

thanks