[exim] Re: exim spitting out "bad certificate" log lines

Author: Viktor Dukhovni via Exim-users
Date:  
To: exim-users
Subject: [exim] Re: exim spitting out "bad certificate" log lines
On Thu, Jul 13, 2023 at 10:21:02AM +0200, Cyborg via Exim-users wrote:

> 2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL
> routines::sslv3 alert bad certificate


If the issue is observed on the MX host for your domain, note that its
certificate chains up to the already expired "DST Root CA X3":

    Certificate:
            Issuer: C=US, O=Let's Encrypt, CN=R3
                Not Before: May 10 21:02:48 2023 GMT
                Not After : Aug  8 21:02:47 2023 GMT
            Subject: CN=resellerdesktop.de
    Certificate:
            Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
                Not Before: Sep  4 00:00:00 2020 GMT
                Not After : Sep 15 16:00:00 2025 GMT
            Subject: C=US, O=Let's Encrypt, CN=R3
    Certificate:
            Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
                Not Before: Jan 20 19:14:03 2021 GMT
                Not After : Sep 30 18:14:03 2024 GMT
            Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1


While most clients have a local trusted "ISRG Root X1" CA, and
short-circuit the chain at the first locally trusted issuer, some might
not perform the short-circuit lookup (e.g. old OpenSSL versions prior to
1.1.0).

You should reconfigure your Let's Encrypt setup to obtain a chain that's
rooted at the ISRG CA. With certbot, add to the
"renewal/<lineage>.conf" file's "renewalparams" section:

    ...
    [renewalparams]
    preferred_chain = ISRG Root X1
    ...


-- 
    Viktor.
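To make the short-circuit point above concrete, here is an added example (my own toy model, not Exim or OpenSSL code, and not part of the original message). It simulates chain building in two modes: a "trusted-first" verifier that stops as soon as a certificate's issuer is found in the local trust store, and an older-style verifier that consumes every certificate the peer presented before consulting the store. The validity dates of the three presented certificates are copied from the message; the two self-signed roots in the trust store carry the public validity dates of ISRG Root X1 and DST Root CA X3, which are not on the page and are added here (DST Root CA X3 expired on 2021-09-30).

```python
"""Toy model of X.509 chain building: why a chain ending at the expired
"DST Root CA X3" passes on a trusted-first verifier but fails on one that
walks every presented certificate before consulting the trust store.

Added example; not Exim or OpenSSL code.  Dates in SERVED_CHAIN come from
the message; the roots in TRUST_STORE use the public roots' real dates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def _utc(y, m, d, hh=0, mm=0, ss=0) -> datetime:
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


# The chain the MX presented, leaf first (dates copied from the message).
LEAF = Cert("CN=resellerdesktop.de", "CN=R3",
            _utc(2023, 5, 10, 21, 2, 48), _utc(2023, 8, 8, 21, 2, 47))
R3 = Cert("CN=R3", "CN=ISRG Root X1",
          _utc(2020, 9, 4), _utc(2025, 9, 15, 16))
ISRG_X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3",
                     _utc(2021, 1, 20, 19, 14, 3), _utc(2024, 9, 30, 18, 14, 3))
SERVED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# What the site would serve after "preferred_chain = ISRG Root X1":
# the same leaf and R3, without the cross-signed ISRG Root X1.
ISRG_ROOTED_CHAIN = [LEAF, R3]

# Local trust store keyed by subject: the two public self-signed roots.
# DST Root CA X3 expired on 2021-09-30 (dates added here, not from the page).
TRUST_STORE = {
    "CN=ISRG Root X1": Cert("CN=ISRG Root X1", "CN=ISRG Root X1",
                            _utc(2015, 6, 4, 11, 4, 38), _utc(2035, 6, 4, 11, 4, 38)),
    "CN=DST Root CA X3": Cert("CN=DST Root CA X3", "CN=DST Root CA X3",
                              _utc(2000, 9, 30, 21, 12, 19), _utc(2021, 9, 30, 14, 1, 15)),
}

# Timestamp of the log line quoted in the thread.
WHEN = _utc(2023, 7, 13, 8, 15, 41)


def build_and_verify(chain, trust_store, when, trusted_first):
    """Walk from the leaf towards a trust anchor.

    trusted_first=True  : before using the next certificate the peer sent,
                          look the issuer up in the trust store and stop
                          there if found (the short-circuit in the message).
    trusted_first=False : consume the peer's certificates first, so the
                          chain ends at whichever root the last presented
                          certificate names (older verifiers).
    Returns (ok, path_of_subjects, reason).
    """
    path = []
    cert, from_store = chain[0], False
    remaining = list(chain[1:])
    while True:
        path.append(cert.subject)
        if not cert.valid_at(when):
            return False, path, f"{cert.subject} is not valid at {when:%Y-%m-%d}"
        if from_store:
            return True, path, "chain ends at a locally trusted root"
        root = trust_store.get(cert.issuer)
        presented = next((c for c in remaining if c.subject == cert.issuer), None)
        if root is not None and (trusted_first or presented is None):
            cert, from_store = root, True
        elif presented is not None:
            remaining.remove(presented)
            cert = presented
        else:
            return False, path, f"no issuer found for {cert.subject}"


if __name__ == "__main__":
    for label, chain in (("served", SERVED_CHAIN), ("ISRG-rooted", ISRG_ROOTED_CHAIN)):
        for tf in (True, False):
            ok, path, why = build_and_verify(chain, TRUST_STORE, WHEN, trusted_first=tf)
            print(f"{label:12} trusted_first={tf!s:5} ok={ok!s:5} "
                  f"{' -> '.join(path)}: {why}")
```

Run as-is, the served chain verifies only in trusted-first mode, because the older walk reaches DST Root CA X3 and finds it expired; the ISRG-rooted chain verifies in both modes, which is what the certbot preferred_chain setting above achieves.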

