Am 08.12.2021 um 01:46 schrieb Robert L Mathews:
On 12/7/21 2:49 PM, Alexander Dalloz wrote:
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
That error's happening because you (Alexander) are using an old openssl
version that has the problem described on:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
That's not the problem that the original poster is having unless
Thunderbird also has the same problem, which it may; see:
https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermediate-with-firefox-or-thunderbird/140049
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-certificates-to-mozilla-applications/
In any case, this works fine with OpenSSL 1.1 or later:
$ openssl s_client -connect mail.sizzelicks.com:993
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE
LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
Confirmed, my fault.
# openssl s_client -connect 194.163.45.150:993
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = aecperformance.com
verify return:1
---
Certificate chain
0 s:CN = aecperformance.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
Alexander