Since end of September: Mac devices show cert problem on my domain, but not other Let's Encrypt encrypted domains

I get that server.crt as it is every 3 months automatically from le32.exe. I manually deleted the root cert out of the 3-in-1 server.crt but it didn't change anything?

If you have LE32 v0.38, try using this parameter:
-alternative <num> : Save an alternative ceritifcate (if available).
[which may help to create the shorter chain for you automatically]


Cool, do you have a link to an overview of all available LE32 parameters? Couldn't find this documentation yet.

But changing that one manually didn't have any effect anyway

This is all I have:
Releases · do-know/Crypt-LE · GitHub
Note: LE32/64 are provided (compiled and maintained) by a third party (not by LE).

Which <num> did you try?


I manually tried removing the last (cross-signed root) cert from the file with those three certs.

Then I would suggest trying another CA.
Maybe that trust path will work better with your use case.


Hmm

There is only 1 active intermediate cert: Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates

Regards

Yes.
Technically R4 can also be used as an intermediate, but it is just there in case something goes terribly wrong with R3.


Maybe I misunderstand the problem but the certificate returned by mail.schagerer.com does not look right:

openssl s_client -connect mail.schagerer.com:465

CONNECTED(00000003)
depth=0 CN = webforum.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = webforum.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
---

That is just the leaf certificate. Your mail server is not sending the same chain as your http server which sends this:

openssl s_client -connect support.webboard.org:443 -servername support.webboard.org 

Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Notice your mail server sends just one cert, this server sends two ending in ISRG Root X1 (the new "short chain").


I get that server.crt as it is every 3 months automatically from le32.exe. There are 3 certs inside (leaf, intermediate, root); Apache and hMailServer both use the same server.crt. Apache additionally has the intermediate cert configured in htaccess. So from the 3-in-1 server.crt only the leaf cert seems to be considered by both hMailServer and Apache (since the HTTP server seems not to send the root cert)?

I extracted all 3 certs of the server.crt file into separate files, and when I open the crt file attributes and look at their properties, they are the 3 of the new chain.
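Added example, not code from this thread or from Crypt::LE: a shell script that builds a constructed toy root/intermediate/leaf chain with openssl, bundles the three certs the way the 3-in-1 server.crt above is laid out, lists the bundle like s_client's "Certificate chain" output, and shows why a server that sends only the leaf (as the mail server does above) fails verification while leaf + intermediate (as the web server does) passes. The CA names "Toy Root" and "Toy R3" are made up; only the shape of the chain matches Let's Encrypt's.

```shell
# Constructed toy chain: Toy Root -> Toy R3 -> leaf. Not Let's Encrypt's real certs.
set -e
work=$(mktemp -d); cd "$work"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
q openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 2 -subj "/CN=Toy Root"
q openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj "/CN=Toy R3"
q openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
     -out inter.crt -days 2 -extfile ca.ext
q openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=webforum.eu"
q openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -out leaf.crt -days 2
cat leaf.crt inter.crt root.crt > server.crt   # the 3-in-1 bundle (leaf, inter, root)

# Split a PEM bundle into <prefix>1.pem, <prefix>2.pem, ... and print how many certs it held.
split_bundle() {
  awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} {print > (p n ".pem")}' "$1"
  grep -c 'BEGIN CERTIFICATE' "$1"
}
# Subject or issuer DN of one cert, e.g. "CN=Toy R3" ($1 = subject|issuer, $2 = file).
dn() { openssl x509 -noout -nameopt RFC2253 -"$1" -in "$2" | sed 's/^[a-z]*=//'; }

# List the bundle like s_client does, return 1 if some cert's issuer is not the next
# cert's subject, and flag a trailing self-signed root (a server need not send it).
chain_report() {
  local n i; n=$(split_bundle "$1" chk_)
  for i in $(seq 1 "$n"); do
    printf '%d s:%s\n   i:%s\n' "$((i-1))" "$(dn subject chk_$i.pem)" "$(dn issuer chk_$i.pem)"
    if [ "$i" -lt "$n" ] && [ "$(dn issuer chk_$i.pem)" != "$(dn subject chk_$((i+1)).pem)" ]; then
      echo "chain broken after cert $((i-1))"; return 1
    fi
  done
  [ "$(dn subject chk_$n.pem)" != "$(dn issuer chk_$n.pem)" ] \
    || echo "last cert is a self-signed root: servers may omit it"
}

# What a client that trusts only the root sees: prints "ok" or "fail".
# $1 = leaf the server sent; remaining args = extra certs it sent alongside.
verify_served() {
  local leaf=$1 extra=""; shift
  for c in "$@"; do extra="$extra -untrusted $c"; done
  if q openssl verify -CAfile root.crt $extra "$leaf"; then echo ok; else echo fail; fi
}

chain_report server.crt
echo "leaf only (like the mail server):          $(verify_served leaf.crt)"            # fail
echo "leaf + intermediate (like the web server): $(verify_served leaf.crt inter.crt)"  # ok
```

The "fail" case is the same condition s_client reported above as error 20, "unable to get local issuer certificate": the client has the leaf but nothing that links it to a trusted root.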
