Re: [exim] TLS "certificate expired" warnings on inbound con…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] TLS "certificate expired" warnings on inbound connections
On Tue, May 31, 2022 at 08:33:19PM +0200, Tim Jackson via Exim-users wrote:

> [130.248.154.209]:44104 I=[167.235.252.255]:25 (SSL_accept):
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired


TLS alerts report error conditions from the remote peer. If your server
logs a TLS alert, that alert was generated on the remote end. So if
this is a connection from a client to your server, then the "certificate
expired" condition is something that the client believes to be the case.

Perhaps your Let's Encrypt certificate chain includes the expired DST
root CA certificate, you can configure certbot to not send it.

> Certificate chain
>   0 s:CN = mx1.firecluster.net
>     i:C = US, O = Let's Encrypt, CN = R3
>   1 s:C = US, O = Let's Encrypt, CN = R3
>     i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>   2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>     i:O = Digital Signature Trust Co., CN = DST Root CA X3


The DST Root CA is expired. You can configure LE to build a
"fullchain.pem" using the ISRG root instead. The only downside is that
old Android systems may no longer be able to verify your chain.

You can use a different cert chain for submission than for port 25
(where you're unlikely to need Android support).

-- 
    VIktor.