On 2021-07-18 15:47, Jeremy Harris wrote:
> On 18/07/2021 15:50, Andreas Metzler via Exim-users wrote:
>> I am attaching both server and client logs. (Timezones are different,
>> UTC vs. CEST).
>
> Looks like it was an EC connection. The server seems to have had a pair
> of cert files; one has "rsa" in the name so I'm guessing the other has
> an EC cert?

Hello Jeremy,

yes that is correct.

> What is in that file, and what would the full chain of certs from
> CA to leaf be? The client is using the "system" CA bundle,
> and saying "certificate issuer is unknown" - I'm wondering
> if the knowledge of a cert intermediate between CA and leaf
> is missing somewhere along the line.

I do not think so. Both exim 4.94.2 and gnutls-cli and s_client[1] are
happy with the cert setup. It is a straightforward Let's Encrypt chain.

 0 s:CN = vsrv21575.customer.vlinux.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

As it is a public server where one can grab the certs with e.g.
gnutls-cli or s_client -showcerts I am not posting more detail for the
sake of brevity.

I can set up a /dev/null mailbox for testing if you want me to.

cu Andreas

[1]
gnutls-cli --starttls-proto smtp vsrv21575.customer.vlinux.de
openssl s_client -connect vsrv21575.customer.vlinux.de:25 -starttls smtp -verify_return_error
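The question raised in the quoted text (is an intermediate between CA and leaf missing?) can be checked at the name level from a chain listing like the one above. This is an added example, not part of the original message and not Exim or GnuTLS code; it compares subject and issuer names only, performs no signature validation, and the trust-store contents passed to `find_gap` are constructed assumptions.

```python
import re

# Chain listing copied from the message above (s: subject, i: issuer).
CHAIN_TEXT = """\
 0 s:CN = vsrv21575.customer.vlinux.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

ISRG_X1 = "C = US, O = Internet Security Research Group, CN = ISRG Root X1"


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+s:(.*)", line)
        if head:
            chain.append([int(head.group(1)), head.group(2).strip(), None])
        elif chain and line.strip().startswith("i:"):
            chain[-1][2] = line.strip()[2:].strip()
    return [tuple(entry) for entry in chain]


def find_gap(chain, trusted):
    """Walk up from the leaf. Return None once an issuer name is in `trusted`
    (names only, no signature check), else describe where the path breaks."""
    for idx, (depth, _subject, issuer) in enumerate(chain):
        if issuer in trusted:
            return None
        if idx + 1 == len(chain):
            return f"depth {depth}: issuer {issuer!r} neither sent nor trusted"
        if chain[idx + 1][1] != issuer:
            return f"depth {depth}: issuer {issuer!r} missing from sent chain"
    return "empty chain"


if __name__ == "__main__":
    chain = parse_chain(CHAIN_TEXT)
    # Constructed trust stores (assumptions, not the client's actual bundle).
    print("store with ISRG Root X1:", find_gap(chain, {ISRG_X1}))
    print("leaf only, same store:  ", find_gap(chain[:1], {ISRG_X1}))
    print("empty store:            ", find_gap(chain, set()))
```

A `None` result only says the names link up to something in the supplied set; the client's real verifier still has to validate signatures, validity periods and its own path-building rules.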
