On 3/3/26 17:13, Ivan Leonardo wrote:
I have found the problem and the solution, Pak:

Problem:
In the Trusted Root Certification Authorities folder there are 2 Sectigo R46
certificates, 1 self-signed by Sectigo and 1 cross-signed by UserTrust.
The cross-signed one must be used.

Solution:
I deleted the self-signed R46 cert and restarted the MD services. I tried a
newly installed TB on another laptop and tested the account settings; POP3 is
fine now and no longer asks to add an exception.

It seems Sectigo has changed something in their system or whatever, I don't
understand it; what they give you when you create the SSL cert is only the
self-signed R46, and the cross-signed one you have to find yourself on
Sectigo's website.

Could you please test the openssl -connect command from Linux, Pak? For ports
143, 587, 993, 465 it should already succeed, the cert chain is now complete.

port 143/imap-tls is still not ok.
port 587/msa-tls still/already ok
port 993/imap-ssl still/already ok.
port 465/smtp-ssl still/already ok
port 443/webmail-ssl/https is still not ok.

Earlier, when I tested from Windows using the openssl command plus -CAFile,
it already succeeded.

Was the test done from the LAN and from the internet (cellular data connection)?

$ openssl s_client -starttls smtp -connect webmail.pttdp.com:587
CONNECTED(00000003)
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
verify return:1
depth=0 CN = webmail.pttdp.com
verify return:1
---
Certificate chain
0 s:CN = webmail.pttdp.com
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 27 00:00:00 2026 GMT; NotAfter: Mar 30 23:59:59
2027 GMT
1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59
2036 GMT
2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Jan 18 23:59:59
2038 GMT
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
DD42C6A593636366508470AE83B965DAC2D16A8F01219554F1160DE79469000A
Session-ID-ctx:
Resumption PSK:
8B2D55CFE4A08160A43F1B362276A6F2372E871A4FB80E801FDD5D4A0C2DC92E8D401FF0C71548E2351D95E0AA36B81E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 36000 (seconds)
TLS session ticket:
0000 - 90 1f 00 00 01 d2 d4 4f-b7 a7 cb 55 30 fb c7 b4
.......O...U0...
0010 - 82 cb 04 27 45 24 1f 1b-a4 b6 7b 46 56 3d ce 25
...'E$....{FV=.%
Start Time: 1772579544
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
$ openssl s_client -starttls smtp -connect webmail.pttdp.com:143
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
$ openssl s_client -connect webmail.pttdp.com:465
CONNECTED(00000003)
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
verify return:1
depth=0 CN = webmail.pttdp.com
verify return:1
---
Certificate chain
0 s:CN = webmail.pttdp.com
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 27 00:00:00 2026 GMT; NotAfter: Mar 30 23:59:59
2027 GMT
1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59
2036 GMT
2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Jan 18 23:59:59
2038 GMT
---
read R BLOCK
220 webmail.pttdp.com ESMTP Wed, 04 Mar 2026 06:14:14 +0700
$ openssl s_client -connect webmail.pttdp.com:993
CONNECTED(00000003)
depth=2 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
verify return:1
depth=1 C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
verify return:1
depth=0 CN = webmail.pttdp.com
verify return:1
---
Certificate chain
0 s:CN = webmail.pttdp.com
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Feb 27 00:00:00 2026 GMT; NotAfter: Mar 30 23:59:59
2027 GMT
1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication CA DV R36
i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
a:PKEY: rsaEncryption, 3072 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Mar 21 23:59:59
2036 GMT
2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server
Authentication Root R46
i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
v:NotBefore: Mar 22 00:00:00 2021 GMT; NotAfter: Jan 18 23:59:59
2038 GMT
---
read R BLOCK
* OK webmail.pttdp.com IMAP4rev1 ready
$ openssl s_client -connect webmail.pttdp.com:443
4077BAEEE37F0000:error:8000006E:system library:BIO_connect:Connection
timed out:../crypto/bio/bio_sock2.c:114:calling connect()
4077BAEEE37F0000:error:10000067:BIO routines:BIO_connect:connect
error:../crypto/bio/bio_sock2.c:116:
connect:errno=110
--
syafril
--------
Syafril Hermansyah
MDaemon-L Moderator, run MDaemon 26.0.0 Beta D
Please do not send private mail (or cc:) about MDaemon issues.
You do not make a product for yourself. You need to know what other
people want and make that product for them.
-- Walt Disney
--
--[mdaemon-l]----------------------------------------------------------
This list is for discussion among MDaemon Mail Server users in Indonesia
Netiquette: https://wiki.openstack.org/wiki/MailingListEtiquette
Archive: http://mdaemon-l.dutaint.com
Documentation: http://mdaemon.dutaint.com
Subscribe: send mail to [email protected]
Unsubscribe: send mail to [email protected]
Latest version: MDaemon 25.5.2, SecurityGateway 12.0.0
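
An added example, not part of the original message: a small shell helper for the per-port test discussed above. It picks the `-starttls` mode by port (port 143 speaks IMAP, so it takes `-starttls imap`), then reads the s_client output to report whether the last certificate the server sends is self-signed or cross-signed and what the verify return code is. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-port s_client arguments plus two checks on its output.

# STARTTLS mode for ports that start in plaintext; empty for implicit TLS.
starttls_args() {
  case "$1" in
    25|587) echo "-starttls smtp" ;;
    143)    echo "-starttls imap" ;;
    110)    echo "-starttls pop3" ;;
    *)      : ;;   # 465, 993, 995, 443: TLS from the first byte
  esac
}

# Reads s_client output on stdin; classifies the last certificate the server sent.
chain_top() {
  awk '
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss = $0 }
    END { print (subj == "" ? "no-chain" : (subj == iss ? "self-signed" : "cross-signed")) }'
}

# Reads s_client output on stdin; prints the numeric verify return code.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Live check (needs network): check_port HOST PORT
check_port() {
  # $(starttls_args ...) is left unquoted on purpose so it splits into two words
  out=$(timeout 15 openssl s_client $(starttls_args "$2") \
          -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null)
  echo "$2 top=$(echo "$out" | chain_top) verify=$(echo "$out" | verify_code)"
}

# Constructed sample: the port 587 chain from the message, wrapped lines rejoined.
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:CN = webmail.pttdp.com
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
 1 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication CA DV R36
   i:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
 2 s:C = GB, O = Sectigo Limited, CN = Sectigo Public Server Authentication Root R46
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    Verify return code: 0 (ok)
EOF
}

sample_output | chain_top     # cross-signed
```

A verify return code of 0 reflects the trust store of the machine running the check, so run `check_port` from a client that has not had the missing certificate added by hand.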