0 Members and 2 Guests are viewing this topic.
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:
I have a problem using smtpauth from my ecommerce platform.If I use mail.grannydriver.com I get an error:Quotewarning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:ssl/record/rec_layer_s3.c:1544:SSL alert number 45:If I use the server server.companiondriver.com I get no error. What is different about the two certs?
# openssl s_client -crlf -servername mail.grannydriver.com -connect mail.grannydriver.com:465CONNECTED(00000003)depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1verify return:1depth=1 C = US, O = Let's Encrypt, CN = R3verify return:1depth=0 CN = www.grannydriver.comverify return:1---Certificate chain 0 s:/CN=www.grannydriver.com i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3---Server certificate-----BEGIN CERTIFICATE-----MIIFVTCCBD2gAwIBAgISAy1c+T30Hq0QxG1AgMrf/eb2MA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTEyMDYxMzI2NDVaFw0yMjAzMDYxMzI2NDRaMB8xHTAbBgNVBAMTFHd3dy5ncmFubnlkcml2ZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5LJVpmxdDxioBXUQs3CHZEHvrHK1iHgyZ3NDj2XMdNBkae1TroZgEiJHnb4wo2XRfCYlZu4iLCmd86sjnwO8xjI4VLQylvoKAYBllWgXUy9sc7nRYNo5pWiPfKshcAjyeHtIkfX9KFYnpBQqqGdgk+QPnZG89OPAZdhmasl0airdvZ3BR1KFpEDH9oEzOIN9lZxCuOTxAdUzbhDzI9svMwi6/NVHKEeNS/+5pO05tvCRZ7D41miDx62gFu5ayg+i3JtrucpLIMp6Vxd3koh6sN9Roq3QoZuCUU07Bs9UE7aYFpUcxeRclcu1B/ZATL6D4UK3YrkxaAS+BAmVXOt1BQIDAQABo4ICdjCCAnIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS1wiCY1ZdYvJu2oG9RJPJVtEP0CjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzBIBgNVHREEQTA/ghBncmFubnlkcml2ZXIuY29tghVtYWlsLmdyYW5ueWRyaXZlci5jb22CFHd3dy5ncmFubnlkcml2ZXIuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF9kCPPlQAABAMARjBEAiBkbDdF4bK2bsm5rbZR4gBM7R5piXWC3RC3FVMXhBsGzgIgaOgWnvdAOKUWgzZvSgt9gtE/3WrpA8ujgFvx69acX8oAdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAX2QI8+IAAAEAwBGMEQCIB+R6SC4K8ZnaLx2bfXgUR7cSF7tuSv/OlEGiO25hXi1AiBZz/CWruKNuk1t1wzFRAFwimFwxMa15syTkLg2RKawQzANBgkqhkiG9w0BAQsFAAOCAQEAgEtCO6DqfOVGCXueRtj3+6qfsL7xqPcsFn/yXDV1pronetiHpHMrhzew5C81guGslzHtLaMHbh6DGGE4hkdYgfGn7NF9EQ4DHO1muuvoJGeFef8SJOlnDRq2CY+qlgPct0uhuJAwGP6tpssr6KGD3Lnkd2qFcOa7dDVmzTelLQeJ1wBIZwYoHCJv+VhIEzBxNBuNf+UJjtGWbJGYhz/bcAUf4w+Kc1/1ED5na2w2jeTW6wnAAq/OQSulyYBEtVakt4D0jGkATrFf0C3yFMuBQkm37PGxVPFiF59wh4gqjinRwM88zNubu6A9Nlxi6yyqpGLVUUqO93bmmDb7yCRIpw==-----END CERTIFICATE-----subject=/CN=www.grannydriver.comissuer=/C=US/O=Let's Encrypt/CN=R3---No client certificate CA names sentPeer signing digest: SHA512Server Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 4751 bytes and written 445 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 521A1C63857F51F18148ECE661E290716C20E600C947D8FDA9F4FAA12FEB89CD Session-ID-ctx: Master-Key: 8F4BA1D0A7D47069BB9A1E006D4C5BDE7A2EFEF24022042038EDFD49DF272B53A4676C66407D018E3C2D76D593E2ED21 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - b7 51 6e e1 c0 5b 8e 4a-92 3d 84 6d ec be f2 fb .Qn..[.J.=.m.... 0010 - be 9f 39 4e 6c 15 70 93-a5 e3 59 32 cb f9 fa bc ..9Nl.p...Y2.... 0020 - 51 d6 8c 21 88 64 da d8-1d bc f3 02 d9 6d f5 bc Q..!.d.......m.. 0030 - 90 62 d0 a6 f9 03 52 c5-c3 b1 b5 30 37 68 e2 f3 .b....R....07h.. 0040 - 6d 39 97 f8 b2 51 ab 20-4e c0 99 2d b2 61 32 7b m9...Q. N..-.a2{ 0050 - 0e a1 2a ad 66 8e 83 1b-08 5c d2 e3 99 69 0b 03 ..*.f....\...i.. 0060 - 66 fc d1 fb d0 a2 33 c9-47 27 d1 da 2f 4a a6 11 f.....3.G'../J.. 0070 - fa a0 59 4c 0e 5f 41 dd-80 cc f5 a8 c0 bc e3 74 ..YL._A........t 0080 - 7a 31 44 96 94 4b b5 29-cf e4 0c 4b ad 58 af f7 z1D..K.)...K.X.. 0090 - a3 68 4d 2a 40 2a d4 d2-57 99 38 e0 8c d1 c1 d7 .hM*@*..W.8..... 00a0 - 72 28 20 67 8c ca ff 68-68 ab 01 be 48 80 9c 44 r( g...hh...H..D 00b0 - c1 b6 49 12 bb 99 9a 81-8e b5 85 de 9e 57 e2 b1 ..I..........W.. Start Time: 1639091792 Timeout : 300 (sec) Verify return code: 0 (ok)---220 server.companiondriver.com ESMTP Postfixquit221 2.0.0 Byeclosed
Your server is responding with domain "www.grannydriver.com", not "mail.grannydriver.com":Code: [Select]# openssl s_client -crlf -servername mail.grannydriver.com -connect mail.grannydriver.com:465CONNECTED(00000003)depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1verify return:1depth=1 C = US, O = Let's Encrypt, CN = R3verify return:1depth=0 CN = www.grannydriver.comverify return:1---Certificate chain 0 s:/CN=www.grannydriver.com i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3---Server certificate-----BEGIN CERTIFICATE-----MIIFVTCCBD2gAwIBAgISAy1c+T30Hq0QxG1AgMrf/eb2MA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTEyMDYxMzI2NDVaFw0yMjAzMDYxMzI2NDRaMB8xHTAbBgNVBAMTFHd3dy5ncmFubnlkcml2ZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5LJVpmxdDxioBXUQs3CHZEHvrHK1iHgyZ3NDj2XMdNBkae1TroZgEiJHnb4wo2XRfCYlZu4iLCmd86sjnwO8xjI4VLQylvoKAYBllWgXUy9sc7nRYNo5pWiPfKshcAjyeHtIkfX9KFYnpBQqqGdgk+QPnZG89OPAZdhmasl0airdvZ3BR1KFpEDH9oEzOIN9lZxCuOTxAdUzbhDzI9svMwi6/NVHKEeNS/+5pO05tvCRZ7D41miDx62gFu5ayg+i3JtrucpLIMp6Vxd3koh6sN9Roq3QoZuCUU07Bs9UE7aYFpUcxeRclcu1B/ZATL6D4UK3YrkxaAS+BAmVXOt1BQIDAQABo4ICdjCCAnIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS1wiCY1ZdYvJu2oG9RJPJVtEP0CjAfBgNVHSMEGDAWgBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3IzLmkubGVuY3Iub3JnLzBIBgNVHREEQTA/ghBncmFubnlkcml2ZXIuY29tghVtYWlsLmdyYW5ueWRyaXZlci5jb22CFHd3dy5ncmFubnlkcml2ZXIuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAgYKKwYBBAHWeQIEAgSB8wSB8ADuAHUAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF9kCPPlQAABAMARjBEAiBkbDdF4bK2bsm5rbZR4gBM7R5piXWC3RC3FVMXhBsGzgIgaOgWnvdAOKUWgzZvSgt9gtE/3WrpA8ujgFvx69acX8oAdQApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAAAX2QI8+IAAAEAwBGMEQCIB+R6SC4K8ZnaLx2bfXgUR7cSF7tuSv/OlEGiO25hXi1AiBZz/CWruKNuk1t1wzFRAFwimFwxMa15syTkLg2RKawQzANBgkqhkiG9w0BAQsFAAOCAQEAgEtCO6DqfOVGCXueRtj3+6qfsL7xqPcsFn/yXDV1pronetiHpHMrhzew5C81guGslzHtLaMHbh6DGGE4hkdYgfGn7NF9EQ4DHO1muuvoJGeFef8SJOlnDRq2CY+qlgPct0uhuJAwGP6tpssr6KGD3Lnkd2qFcOa7dDVmzTelLQeJ1wBIZwYoHCJv+VhIEzBxNBuNf+UJjtGWbJGYhz/bcAUf4w+Kc1/1ED5na2w2jeTW6wnAAq/OQSulyYBEtVakt4D0jGkATrFf0C3yFMuBQkm37PGxVPFiF59wh4gqjinRwM88zNubu6A9Nlxi6yyqpGLVUUqO93bmmDb7yCRIpw==-----END CERTIFICATE-----subject=/CN=www.grannydriver.comissuer=/C=US/O=Let's Encrypt/CN=R3---No client certificate CA names sentPeer signing digest: SHA512Server Temp Key: ECDH, P-256, 256 bits---SSL handshake has read 4751 bytes and written 445 bytes---New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384Server public key is 2048 bitSecure Renegotiation IS supportedCompression: NONEExpansion: NONENo ALPN negotiatedSSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 521A1C63857F51F18148ECE661E290716C20E600C947D8FDA9F4FAA12FEB89CD Session-ID-ctx: Master-Key: 8F4BA1D0A7D47069BB9A1E006D4C5BDE7A2EFEF24022042038EDFD49DF272B53A4676C66407D018E3C2D76D593E2ED21 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - b7 51 6e e1 c0 5b 8e 4a-92 3d 84 6d ec be f2 fb .Qn..[.J.=.m.... 0010 - be 9f 39 4e 6c 15 70 93-a5 e3 59 32 cb f9 fa bc ..9Nl.p...Y2.... 0020 - 51 d6 8c 21 88 64 da d8-1d bc f3 02 d9 6d f5 bc Q..!.d.......m.. 0030 - 90 62 d0 a6 f9 03 52 c5-c3 b1 b5 30 37 68 e2 f3 .b....R....07h.. 0040 - 6d 39 97 f8 b2 51 ab 20-4e c0 99 2d b2 61 32 7b m9...Q. N..-.a2{ 0050 - 0e a1 2a ad 66 8e 83 1b-08 5c d2 e3 99 69 0b 03 ..*.f....\...i.. 0060 - 66 fc d1 fb d0 a2 33 c9-47 27 d1 da 2f 4a a6 11 f.....3.G'../J.. 0070 - fa a0 59 4c 0e 5f 41 dd-80 cc f5 a8 c0 bc e3 74 ..YL._A........t 0080 - 7a 31 44 96 94 4b b5 29-cf e4 0c 4b ad 58 af f7 z1D..K.)...K.X.. 0090 - a3 68 4d 2a 40 2a d4 d2-57 99 38 e0 8c d1 c1 d7 .hM*@*..W.8..... 00a0 - 72 28 20 67 8c ca ff 68-68 ab 01 be 48 80 9c 44 r( g...hh...H..D 00b0 - c1 b6 49 12 bb 99 9a 81-8e b5 85 de 9e 57 e2 b1 ..I..........W.. Start Time: 1639091792 Timeout : 300 (sec) Verify return code: 0 (ok)---220 server.companiondriver.com ESMTP Postfixquit221 2.0.0 ByeclosedThis suggests that you need to configure a additional certificate, for "mail.grannydriver.com", in addition to other domains you use.Regards,Netino
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
!include_try /etc/dovecot/sni.conf
The same logic is too valid for dovecot.Check if you have the following, at the end of the file '/etc/dovecot/dovecot.conf':Code: [Select]!include_try /etc/dovecot/sni.conf...and check the content of the file '/etc/dovecot/sni.conf' for your ssl domains.