-- Doug
> On May 13, 2026, at 20:54, Viktor Dukhovni via Postfix-users
> <[email protected]> wrote:
>
> On Wed, May 13, 2026 at 07:49:39PM -0700, Doug Hardie wrote:
>
>>>> I forced a renewal in case something at LetsEncrypt changed, but got
>>>> the same response.
>
> ... what do the Let's Encrypt files have to do with
> "/www/certs/mail.pem" ...
>
>>>> sermons# openssl verify fullchain.pem
>>>> CN=mail.sermon-archive.info
>>>> error 20 at 0 depth lookup: unable to get local issuer certificate
>>>> error fullchain.pem: verification failed
>
> That's not the right way to check the EE certificate in a chain file,
> you need to *also* specify the same chain file as a source of
> (a priori) untrusted intermediate CAs:
>
>     $ posttls-finger -cC -lsecure "[mail.sermon-archive.info]" > /tmp/chain.pem
>     $ openssl verify -show_chain -untrusted /tmp/chain.pem -trusted /etc/pki/tls/cert.pem /tmp/chain.pem
>     /tmp/chain.pem: OK
>     Chain:
>     depth=0: CN=mail.sermon-archive.info (untrusted)
>     depth=1: C=US, O=Let's Encrypt, CN=E7 (untrusted)
>     depth=2: C=US, O=Internet Security Research Group, CN=ISRG Root X1
>
> Your Let's Encrypt chain is fine.
>
>> sermons# sh
>> # for f in cert.pem chain.pem fullchain.pem
>> do
>> printf -- "--- File: %s\n" "$f"
>> openssl crl2pkcs7 -nocrl -certfile "$f" |
>> openssl pkcs7 -print_certs -noout
>> done
>> --- File: cert.pem
>> subject=CN=mail.sermon-archive.info
>> issuer=C=US, O=Let's Encrypt, CN=E7
>>
>> --- File: chain.pem
>> subject=C=US, O=Let's Encrypt, CN=E7
>> issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
>>
>> --- File: fullchain.pem
>> subject=CN=mail.sermon-archive.info
>> issuer=C=US, O=Let's Encrypt, CN=E7
>>
>> subject=C=US, O=Let's Encrypt, CN=E7
>> issuer=C=US, O=Internet Security Research Group, CN=ISRG Root X1
>
> As expected, but what do these have to do with the "mail.pem" file?

mail.pem is a copy of fullchain.pem
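
Added example, not part of the thread: the two `openssl verify` invocations discussed above can be reproduced offline against a constructed throwaway chain. The CA names, `mail.example.test`, the file names and the helper function names are all made up for this demonstration.

```sh
# Constructed throwaway PKI: root -> intermediate -> leaf (hypothetical names).
build_chain() {   # $1 = empty work directory
    ( set -e; cd "$1"
      cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee]
basicConstraints = CA:FALSE
EOF
      key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
      openssl req -x509 $key -config ext.cnf -extensions ca -days 2 \
          -subj "/CN=Example Root" -keyout root.key -out root.pem
      openssl req -new $key -config ext.cnf \
          -subj "/CN=Example Intermediate" -keyout int.key -out int.csr
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ext.cnf -extensions ca -days 2 -out int.pem
      openssl req -new $key -config ext.cnf \
          -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -extfile ext.cnf -extensions ee -days 2 -out leaf.pem
      # Same layout as the thread's fullchain.pem: leaf first, then its issuer.
      cat leaf.pem int.pem > fullchain.pem
    ) >/dev/null 2>&1
}

# First attempt in the thread: only the first certificate in the file is
# checked; the intermediate after it is not used to build the path.
verify_alone() {
    openssl verify -trusted "$1/root.pem" "$1/fullchain.pem" 2>&1
}

# Corrected check: the same file is also the pool of untrusted intermediates.
verify_with_untrusted() {
    openssl verify -show_chain -untrusted "$1/fullchain.pem" \
        -trusted "$1/root.pem" "$1/fullchain.pem" 2>&1
}

demo() {
    dir=$(mktemp -d) && build_chain "$dir" || return 1
    echo "== without -untrusted =="; verify_alone "$dir" || true
    echo "== with -untrusted ==";    verify_with_untrusted "$dir"
    rm -rf "$dir"
}
demo
```

The first call reports error 20 at depth 0 even though the chain file is complete; the second reports OK and prints the path up to the constructed root.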
