On Wed, May 13, 2026 at 03:48:17PM -0700, Doug Hardie via Postfix-users wrote:
> May 13 12:11:56 mail postfix/smtpd[34387]: connect from mail114.mxf.infra.improvmx.com[5.135.41.48]
> May 13 12:11:56 mail postfix/smtpd[34387]: SSL_accept error from mail114.mxf.infra.improvmx.com[5.135.41.48]: -1
> May 13 12:11:56 mail postfix/smtpd[34387]: warning: TLS library problem: error:0A000412:SSL routines::ssl/tls alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 42:
Log messages about alerts are about receiving a TLS-protocol notice from
the peer about a problem the peer has detected. So yes, your
certificate.
> I guessed that the offending certificate is mine. The postconf -n
> smtpd output is:
>
> mail# postconf -n | grep smtpd_tls
> smtpd_tls_cert_file = /www/certs/mail.pem
> smtpd_tls_key_file = /www/certs/mail.key
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
How is this related to the Let's encrypt files mentioned below?
> openssl verify /www/certs/mail.pem used to work. Today it gives
>
> CN=mail.sermon-archive.info
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error /www/certs/mail.pem: verification failed
The end-entity (depth 0) certificate does not have an issuer in the same
file, so a single certificate, not a chain.
> cert.pem contains both the server cert and the chain.
You may think so, but the evidence indicates otherwise.
> I forced a renewal in case something at LetsEncrypt changed, but got
> the same response.
See above, what does that have to do with "/www/certs/mail.pem"...
> Using the files directly from certbot, I get the following:
>
> sermons# openssl verify fullchain.pem
> CN=mail.sermon-archive.info
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error fullchain.pem: verification failed
This file contains no issuer for the end-entity certificate.
> sermons# openssl verify -CAfile chain.pem cert.pem
> cert.pem: OK
The chain.pem file does contain the missing issuer certificates.
> It appears that something has changed in openssl.
No. It appears that something is wrong with "fullchain.pem".
> Is this the cause of the postfix problem? Will changing
> smtpd_cert_file to smtpd_chain_file fix it? Thanks,
You haven't posted the content of the "cert.pem", "fullchain.pem"
or "chain.pem" files. If you're really worried about posting
the full public-key certificate objects, try (as a user who
can read the files in question):
for f in cert.pem chain.pem fullchain.pem
do
printf -- "--- File: %s\n" "$f"
openssl crl2pkcs7 -nocrl -certfile "$f" |
openssl pkcs7 -print_certs -noout
done
--
Viktor. 🇺🇦 Слава Україні!
Postfix-users mailing list -- [email protected]
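An added check for the failure mode discussed in this thread (example code, not from the thread and not Postfix or OpenSSL code): does a bundle such as fullchain.pem actually carry the leaf's issuer? It parses each certificate's DER only far enough to compare the issuer Name of one certificate with the subject Name of the next; the sample certificates and their names are constructed minimal DER, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_children(buf):
    """Split a run of DER TLVs into (tag, value) pairs; definite lengths only."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                              # long form: low bits = number of length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def issuer_and_subject(cert_der):
    """Raw DER encodings of one X.509 certificate's issuer Name and subject Name."""
    tbs = der_children(der_children(cert_der)[0][1])[0]   # Certificate -> tbsCertificate
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                                # explicit [0] version (v2/v3)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]

def check_bundle(pem_text):
    """Count the certificates and list every position n where issuer(n) != subject(n+1)."""
    certs = [issuer_and_subject(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(pem_text)]
    breaks = [n for n in range(len(certs) - 1) if certs[n][0] != certs[n + 1][1]]
    return {"count": len(certs), "breaks": breaks,
            "leaf_issuer_present": len(certs) > 1 and 0 not in breaks}

# Constructed sample input: minimal X.509-shaped DER (short-form lengths only), not real certificates.
def der(tag, payload):
    return bytes([tag, len(payload)]) + payload

def fake_cert(subject, issuer):
    name = lambda s: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, s))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name(issuer)
           + der(0x30, b"") + name(subject) + der(0x30, b""))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def pem(cert_der):
    body = base64.b64encode(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

LEAF_ONLY = pem(fake_cert(b"mail.example.test", b"Intermediate R0"))    # like the broken fullchain.pem
FULL_CHAIN = LEAF_ONLY + pem(fake_cert(b"Intermediate R0", b"Root X0"))  # leaf followed by its issuer
```

For a real bundle, `check_bundle(open("fullchain.pem").read())` reporting `count == 1` or `0 in breaks` is the condition that produces "unable to get local issuer certificate" from `openssl verify` and a "bad certificate" alert from peers that need the intermediate.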