On Wed, May 13, 2026 at 07:49:39PM -0700, Doug Hardie wrote:
> >> I forced a renewal in case something at LetsEncrypt changed, but got
> >> the same response.
... what do the Let's Encrypt files have to do with
"/www/certs/mail.pem" ...
> >> sermons# openssl verify fullchain.pem
> >> CN=mail.sermon-archive.info
> >> error 20 at 0 depth lookup: unable to get local issuer certificate
> >> error fullchain.pem: verification failed
That's not the right way to check the EE certificate in a chain file,
you need to *also* specify the same chain file as a source of
(a priori) untrusted intermediate CAs:
$ posttls-finger -cC -lsecure "[mail.sermon-archive.info]" > /tmp/chain.pem
$ openssl verify -show_chain -untrusted /tmp/chain.pem -trusted /etc/pki/tls/cert.pem /tmp/chain.pem
/tmp/chain.pem: OK
Chain:
depth=0: CN=mail.sermon-archive.info (untrusted)
depth=1: C=US, O=Let's Encrypt, CN=E7 (untrusted)
depth=2: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Your Let's Encrypt chain is fine.
> sermons# sh
> # for f in cert.pem chain.pem fullchain.pem
> do
> printf -- "--- File: %s\n" "$f"
> openssl crl2pkcs7 -nocrl -certfile "$f" |
> openssl pkcs7 -print_certs -noout
> done
> --- File: cert.pem
> subject=CN=mail.sermon-archive.info
> issuer=C=US, O=Let's Encrypt, CN=E7
>
> --- File: chain.pem
> subject=C=US, O=Let's Encrypt, CN=E7
> issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
>
> --- File: fullchain.pem
> subject=CN=mail.sermon-archive.info
> issuer=C=US, O=Let's Encrypt, CN=E7
>
> subject=C=US, O=Let's Encrypt, CN=E7
> issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
As expected, but what do these have to do with the "mail.pem" file?
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]