> On May 13, 2026, at 18:36, Viktor Dukhovni via Postfix-users <[email protected]> wrote:
>
> On Wed, May 13, 2026 at 03:48:17PM -0700, Doug Hardie via Postfix-users wrote:
>
>> May 13 12:11:56 mail postfix/smtpd[34387]: connect from mail114.mxf.infra.improvmx.com[5.135.41.48]
>> May 13 12:11:56 mail postfix/smtpd[34387]: SSL_accept error from mail114.mxf.infra.improvmx.com[5.135.41.48]: -1
>> May 13 12:11:56 mail postfix/smtpd[34387]: warning: TLS library problem: error:0A000412:SSL routines::ssl/tls alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 42:
>
> Log messages about alerts are about receiving a TLS-protocol notice from
> the peer about a problem the peer has detected. So yes, your
> certificate.
>
>> I guessed that the offending certificate is mine. The postconf -n
>> smtpd output is:
>>
>> mail# postconf -n | grep smtpd_tls
>> smtpd_tls_cert_file = /www/certs/mail.pem
>> smtpd_tls_key_file = /www/certs/mail.key
>> smtpd_tls_loglevel = 1
>> smtpd_tls_security_level = may
>
> How is this related to the Let's encrypt files mentioned below?

I don't know, but wanted to include anything that might be helpful.

>> openssl verify /www/certs/mail.pem used to work. Today it gives
>>
>> CN=mail.sermon-archive.info
>> error 20 at 0 depth lookup: unable to get local issuer certificate
>> error /www/certs/mail.pem: verification failed
>
> The end-entity (depth 0) certificate does not have an issuer in the same
> file, so a single certificate, not a chain.
>
>> cert.pem contains both the server cert and the chain.
>
> You may think so, but the evidence indicates otherwise.
>
>> I forced a renewal in case something at LetsEncrypt changed, but got
>> the same response.
>
> See above, what does that have to do with "/www/certs/mail.pem"...
>
>> Using the files directly from certbot, I get the following:
>>
>> sermons# openssl verify fullchain.pem
>> CN=mail.sermon-archive.info
>> error 20 at 0 depth lookup: unable to get local issuer certificate
>> error fullchain.pem: verification failed
>
> This file contains no issuer for the end-entity certificate.
>
>> sermons# openssl verify -CAfile chain.pem cert.pem
>> cert.pem: OK
>
> The chain.pem file does contain the missing issuer certificates.
>
>> It appears that something has changed in openssl.
>
> No. It appears that something is wrong with "fullchain.pem".
>
>> Is this the cause of the postfix problem? Will changing
>> smtpd_cert_file to smtpd_chain_file fix it? Thanks,
>
> You haven't posted the content of the "cert.pem", "fullchain.pem"
> or "chain.pem" files. If you're really worried about posting
> the full public-key certificate objects, try (as a user who
> can read the files in question):
>
>     for f in cert.pem chain.pem fullchain.pem
>     do
>         printf -- "--- File: %s\n" "$f"
>         openssl crl2pkcs7 -nocrl -certfile "$f" |
>             openssl pkcs7 -print_certs -noout
>     done

sermons# sh
# for f in cert.pem chain.pem fullchain.pem
> do
> printf -- "--- File: %s\n" "$f"
> openssl crl2pkcs7 -nocrl -certfile "$f" |
> openssl pkcs7 -print_certs -noout
> done
--- File: cert.pem
subject=CN=mail.sermon-archive.info
issuer=C=US, O=Let's Encrypt, CN=E7
--- File: chain.pem
subject=C=US, O=Let's Encrypt, CN=E7
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
--- File: fullchain.pem
subject=CN=mail.sermon-archive.info
issuer=C=US, O=Let's Encrypt, CN=E7
subject=C=US, O=Let's Encrypt, CN=E7
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1

-- 
Doug
_______________________________________________
Postfix-users mailing list -- [email protected]
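A small chain audit for the situation the thread narrows down to, added here as an example (it is not code from the thread or from Postfix): it parses the subject/issuer listing that the `openssl pkcs7 -print_certs` loop above prints (embedded below as constructed sample input, copied from Doug's output) and checks, per file, that the first certificate is the end-entity and that every issuer up to a trusted root is present in the same file, which is what the file named by smtpd_tls_cert_file must provide. The `TRUSTED_ROOTS` set is an assumption standing in for the peer's trust store.

```python
from typing import Dict, List, Tuple

# Constructed sample: the subject/issuer listing the thread's loop printed.
SAMPLE_OUTPUT = """\
--- File: cert.pem
subject=CN=mail.sermon-archive.info
issuer=C=US, O=Let's Encrypt, CN=E7
--- File: chain.pem
subject=C=US, O=Let's Encrypt, CN=E7
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
--- File: fullchain.pem
subject=CN=mail.sermon-archive.info
issuer=C=US, O=Let's Encrypt, CN=E7
subject=C=US, O=Let's Encrypt, CN=E7
issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""
# Assumption: roots the peer carries in its own trust store (need not be in the file).
TRUSTED_ROOTS = {"C=US, O=Internet Security Research Group, CN=ISRG Root X1"}

def parse_print_certs(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each '--- File:' section to its ordered (subject, issuer) pairs."""
    files: Dict[str, List[Tuple[str, str]]] = {}
    name, subject = None, None
    for line in text.splitlines():
        if line.startswith("--- File: "):
            name, subject = line[len("--- File: "):].strip(), None
            files[name] = []
        elif name is not None and line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif name is not None and subject is not None and line.startswith("issuer="):
            files[name].append((subject, line[len("issuer="):].strip()))
            subject = None
    return files

def check_chain(certs: List[Tuple[str, str]], roots: set = TRUSTED_ROOTS) -> Tuple[bool, str]:
    """Walk from the first cert (Postfix wants the leaf first) up to a trusted root."""
    if not certs:
        return False, "no certificates in file"
    issuer_of = {subj: iss for subj, iss in certs}
    subject, issuer = certs[0]
    if any(s != subject and i == subject for s, i in certs):  # leaf must come first
        return False, f"first certificate is not the end-entity: {subject}"
    path = [subject]
    while issuer != subject and issuer not in roots:  # stop at self-signed or root
        if issuer not in issuer_of or issuer in path:  # gap or loop in the file
            return False, f"missing issuer certificate: {issuer}"
        subject, issuer = issuer, issuer_of[issuer]
        path.append(subject)
    return True, " -> ".join(path + [issuer])
```

On the sample, cert.pem is reported as missing its E7 issuer, while fullchain.pem walks leaf -> E7 -> ISRG Root X1 and passes.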
