On Thu, Jul 13, 2023 at 10:21:02AM +0200, Cyborg via Exim-users wrote:
> 2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL
> routines::sslv3 alert bad certificate

If the issue is observed on the MX host for your domain, note that its
certificate chains up to the already expired "DST Root CA X3":

    Certificate:
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Not Before: May 10 21:02:48 2023 GMT
        Not After : Aug 8 21:02:47 2023 GMT
        Subject: CN=resellerdesktop.de
    Certificate:
        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
        Not Before: Sep 4 00:00:00 2020 GMT
        Not After : Sep 15 16:00:00 2025 GMT
        Subject: C=US, O=Let's Encrypt, CN=R3
    Certificate:
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Not Before: Jan 20 19:14:03 2021 GMT
        Not After : Sep 30 18:14:03 2024 GMT
        Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1

While most clients have a local trusted "ISRG Root X1" CA, and
short-circuit the chain at the first locally trusted issuer, some might
not perform the short-circuit lookup (e.g. old OpenSSL versions prior to
1.1.0).

You should reconfigure your Let's Encrypt setup to obtain a chain that's
rooted at the ISRG CA. With certbot, add to the
"renewal/<lineage>.conf" file's "renewalparams" section:

    ...
    [renewalparams]
    preferred_chain = ISRG Root X1
    ...

--
Viktor.
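
An added example, not part of the original message and not Exim or certbot code: a check that reads Issuer/Subject lines in the form quoted above and reports which CA the presented chain ends at, and whether it still carries the cross-signed "ISRG Root X1". The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: Issuer/Subject lines of the chain quoted in the message above.
SAMPLE_CHAIN = """\
Certificate:
    Issuer: C=US, O=Let's Encrypt, CN=R3
    Subject: CN=resellerdesktop.de
Certificate:
    Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
    Subject: C=US, O=Let's Encrypt, CN=R3
Certificate:
    Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
    Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
"""

FIELD = re.compile(r"^\s*(Issuer|Subject)\s*:\s*(.+?)\s*$")
CN = re.compile(r"CN\s*=\s*([^,/]+)")  # accepts "CN=R3" and "CN = R3"

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    certs = []
    for line in text.splitlines():
        if line.strip() == "Certificate:":
            certs.append({})
            continue
        m = FIELD.match(line)
        if m and certs:
            cn = CN.search(m.group(2))
            certs[-1][m.group(1)] = cn.group(1).strip() if cn else m.group(2)
    return [(c.get("Subject"), c.get("Issuer")) for c in certs]

def audit_chain(text, preferred_root="ISRG Root X1"):
    """Report where the presented chain ends and whether it carries a cross-sign."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificates found")
    # Each certificate must be issued by the subject of the next one.
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    # A certificate named like the preferred root but issued by another CA is a cross-sign.
    cross = [issuer for subject, issuer in chain
             if subject == preferred_root and issuer != preferred_root]
    anchor = chain[-1][1]  # issuer of the last certificate sent
    return {"linked": linked, "anchor": anchor, "cross_signed_by": cross,
            "ok": linked and anchor == preferred_root and not cross}

if __name__ == "__main__":
    print(audit_chain(SAMPLE_CHAIN))
```

Run against the chain served after renewal with preferred_chain set, "ok" should be True: the last certificate sent is R3, issued by "ISRG Root X1", and no cross-sign is present.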