Letsencrypt root certificate

ziain

New Member
Oct 22, 2021
Hi,

I have a problem receiving emails from a small number of servers: no emails make it through and I get the following message in the syslog:
Code:
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45

After some investigation I think this is down to PMG sending out the old root certificate for Let's Encrypt. CheckTLS.com shows that it is sending it, as seen here:
(attachment: Cert.jpg)

I understand the DST Root CA X3 certificate has expired, and some older systems don't handle it correctly, but I don't know how to prevent PMG from sending it. I do need to be able to receive from at least one of the servers that is not able to connect; however, trying to talk to the server owner has proved to be impossible.

Please advise if I'm going down the right path here, and if so what can be done.

Many thanks.
 
Code:
warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45
Where does the log message appear? Is it printed by PMG? Could you provide a bit more context? Otherwise it's not really possible to get a complete picture of what is going wrong here.

PMG 6.4 and 7.0 (and most reasonably up-to-date Linux systems) should both handle the expiry of DST Root CA X3 fine.

Depending on your needs, you could:
* replace Let's Encrypt with a different certificate (for SMTP, self-signed certificates should still work)
* replace the Let's Encrypt certificate with one generated with the alternative chain:
https://community.letsencrypt.org/t/production-chain-changes/150739
(this is currently not easily possible with the ACME implementation in PMG)
* disable TLS on your system and accept mail over plain text

I hope this helps!
 
Hi,

Thanks for the response.

To be clear, I don't think this is really a problem with PMG; I think it's a few sending servers that don't handle the expired original DST Root CA X3 certificate well. However, this appears to be very similar to what we had with iPhones connecting to Exchange servers (with Let's Encrypt certs) a couple of weeks ago when the root cert actually expired, and removing the DST Root CA X3 cert from the cert store of the Exchange servers resolved it.

In answer to your other questions, my PMG is v7 and was only downloaded and installed in the last week. The log message appears in the syslog section of the PMG GUI. Before enabling Let's Encrypt I had a self-signed cert and was getting the same log message when the same sender was trying to send. The root cert (ISRG Root X1) of the alternative chain is actually the 3rd as reported by checktls.com. Disabling TLS isn't really an option, to be fair. And PMG will accept connections from other servers that are sending without TLS.

Thanks
 
In answer to your other questions, my PMG is v7 and was only downloaded and installed in the last week. The log message appears in the syslog section of the PMG GUI.
Could you maybe share the complete log lines (you can redact public IPs and domain names)? It would help me to get a better understanding of what's going on.

Before enabling Let's Encrypt I had a self-signed cert and was getting the same log message when the same sender was trying to send.
My guess is that the sender has configured their mail server to only speak over TLS with a valid cert, but is running slightly older software
(e.g. OpenSSL before 1.1 or an older version of GnuTLS).
We briefly discussed this here, since we added support for alternative chains to the ACME implementation but did not expose it (in the expectation that the analysis in https://community.letsencrypt.org/t/providing-a-longer-certificate-chain-by-default/148738 was correct for most use cases).
If this bites more users we'd consider adding the alternative chain selection to PMG (the only place where the clients (other SMTP servers) are not always using very recent SSL libraries).

In any case, could you try to use a TLS certificate from Let's Encrypt's alternative chain (you'd need to use a different ACME client, e.g. acme.sh, for now though) and see if this fixes the issue with the particular sender?

Thanks!
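The check a practitioner would run at this point, as an added example (not part of the thread and not PMG's or Let's Encrypt's code): capture the chain your own MTA presents with `openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts` and feed that output to the script below. It parses the `s:`/`i:` header lines in both the OpenSSL 1.1 and the older `/CN=` name format, checks that the chain is in order, flags the ISRG Root X1 certificate cross-signed by the expired DST Root CA X3 (the long chain), and assembles the set of PEM blocks a short chain would consist of. The reason the long chain matters is that the error in the first post is an alert the peer sent back (`ssl3_read_bytes: ... alert certificate expired`, alert number 45) while PMG's Postfix was in `SSL_accept`: an OpenSSL 1.0.x client builds exactly one path, follows the cross-sign to DST Root CA X3 and rejects it as expired instead of stopping at ISRG Root X1 in its own trust store. The two `-showcerts` samples are constructed with placeholder PEM bodies and a stand-in hostname, so the script runs offline.

```python
import re

# Constructed sample, not captured from the poster's PMG: the "Certificate chain"
# section that
#   openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts
# prints for an MTA serving Let's Encrypt's default (long) chain. The base64
# bodies are placeholders, not real certificates; only the "s:"/"i:" header
# lines and the PEM boundaries are used below.
LONG_CHAIN = """\
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIF...r3-placeholder...
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIF...cross-signed-root-placeholder...
-----END CERTIFICATE-----
---
"""

# The same MTA after switching to the alternative (short) chain, written in the
# "/C=US/O=..." name format that OpenSSL 1.0.x prints, to show both are handled.
SHORT_CHAIN = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
MIIF...leaf-placeholder...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIF...r3-placeholder...
-----END CERTIFICATE-----
---
"""

ENTRY_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
CN_RE = re.compile(r"CN\s*=\s*([^,/\n]+)")


def common_name(dn):
    """Pull the CN out of either the 'CN = x' or the '/CN=x' DN style."""
    m = CN_RE.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(showcerts_output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    return [(common_name(s), common_name(i)) for s, i in ENTRY_RE.findall(showcerts_output)]


def classify_chain(chain):
    """Say whether a peer with an old TLS library has a reason to reject this chain."""
    ordered = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    cross_signed = any(s == "ISRG Root X1" and i == "DST Root CA X3" for s, i in chain)
    if not chain:
        verdict = "no chain entries parsed"
    elif not ordered:
        verdict = "chain is out of order; fix the certificate file first"
    elif cross_signed:
        verdict = ("long chain: last cert is ISRG Root X1 cross-signed by the expired "
                   "DST Root CA X3; OpenSSL < 1.1.0 peers build only that path and "
                   "reply with alert 45 (certificate_expired)")
    else:
        verdict = "short chain: no expired cross-sign for an old peer to trip over"
    return {"depth": len(chain), "ordered": ordered,
            "cross_signed_isrg": cross_signed, "verdict": verdict}


def short_chain_pem(showcerts_output):
    """Drop the cross-signed ISRG Root X1 from a served chain and return the PEMs to keep.

    The R3 intermediate is the same certificate in both Let's Encrypt chains, so
    removing the final cross-signed root is all the short chain needs.
    """
    chain = parse_chain(showcerts_output)
    pems = PEM_RE.findall(showcerts_output)
    if len(chain) != len(pems):
        raise ValueError("header/PEM count mismatch: %d vs %d" % (len(chain), len(pems)))
    keep = [pem for (s, i), pem in zip(chain, pems)
            if not (s == "ISRG Root X1" and i == "DST Root CA X3")]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for label, sample in (("default chain", LONG_CHAIN), ("alternative chain", SHORT_CHAIN)):
        print(label, "->", classify_chain(parse_chain(sample))["verdict"])
    print(short_chain_pem(LONG_CHAIN))
```

`short_chain_pem()` shows what the stop-gap of trimming the last certificate from the served chain file amounts to; the cleaner route, as suggested in the reply above, is to have the alternative chain issued (acme.sh selects it with `--preferred-chain "ISRG Root X1"`). Either way, peers whose trust store lacks ISRG Root X1 then fail validation instead, which for inbound SMTP is usually an acceptable trade because most sending MTAs use opportunistic TLS and never verify the chain at all.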
 
Hi Stoiko,

Thank you so much for your help so far.
These are all the syslog messages for a specific email:
Code:
Oct 25 19:37:20 mail postfix/postscreen[31559]: CONNECT from [66.x.x.x]:2645 to [192.x.x.x]:25
Oct 25 19:37:20 mail postfix/postscreen[31559]: PASS OLD [66.x.x.x]:2645
Oct 25 19:37:20 mail postfix/smtpd[31560]: connect from r155.service.somedomain.com[66.x.x.x]
Oct 25 19:37:20 mail postfix/smtpd[31560]: SSL_accept error from r155.service.somedomain.com[66.x.x.x]: -1
Oct 25 19:37:20 mail postfix/smtpd[31560]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Oct 25 19:37:20 mail postfix/smtpd[31560]: lost connection after STARTTLS from r155.service.somedomain.com[66.x.x.x]
Oct 25 19:37:20 mail postfix/smtpd[31560]: disconnect from r155.service.somedomain.com[66.x.x.x] ehlo=1 starttls=0/1 commands=1/2

I'm more than happy to try acme.sh however I'm not very familiar with it, I've only been running PMG for just over a week and my linux sysadmin skills aren't the strongest. Do you have any tutorials?

Thanks
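Given the full log lines, here is an added example (not from the thread and not PMG's own code) of the detection logic that finds every inbound session that broke in STARTTLS because the peer sent back a certificate alert: the sequence `SSL_accept error`, `warning: TLS library problem: ... SSL alert number N`, `lost connection after STARTTLS` and a `disconnect` line with `starttls=0/1`. It keys sessions on `connect from`/`disconnect from` rather than on the smtpd PID alone, because Postfix reuses smtpd processes for several connections, and it distinguishes alert 45 (certificate_expired, the DST Root CA X3 symptom) from alert 48 (unknown_ca, a peer that does not trust the CA at all). The log sample is constructed from the format posted above, with RFC 5737 documentation addresses and invented hostnames for the two additional sessions.

```python
import re
from collections import Counter

# Constructed log lines modelled on the poster's postfix/smtpd output (addresses
# from the RFC 5737 documentation ranges, extra hostnames invented): one sender
# whose TLS library rejects our chain as expired, one that negotiates STARTTLS
# normally on a reused smtpd PID, and one that does not trust the issuing CA.
SYSLOG = """\
Oct 25 19:37:20 mail postfix/postscreen[31559]: CONNECT from [203.0.113.5]:2645 to [192.0.2.10]:25
Oct 25 19:37:20 mail postfix/postscreen[31559]: PASS OLD [203.0.113.5]:2645
Oct 25 19:37:20 mail postfix/smtpd[31560]: connect from r155.service.somedomain.com[203.0.113.5]
Oct 25 19:37:20 mail postfix/smtpd[31560]: SSL_accept error from r155.service.somedomain.com[203.0.113.5]: -1
Oct 25 19:37:20 mail postfix/smtpd[31560]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Oct 25 19:37:20 mail postfix/smtpd[31560]: lost connection after STARTTLS from r155.service.somedomain.com[203.0.113.5]
Oct 25 19:37:20 mail postfix/smtpd[31560]: disconnect from r155.service.somedomain.com[203.0.113.5] ehlo=1 starttls=0/1 commands=1/2
Oct 25 19:40:02 mail postfix/smtpd[31560]: connect from mx.example.net[198.51.100.7]
Oct 25 19:40:02 mail postfix/smtpd[31560]: Anonymous TLS connection established from mx.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 25 19:40:03 mail postfix/smtpd[31560]: disconnect from mx.example.net[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 25 19:45:11 mail postfix/smtpd[31602]: connect from smtp.legacy-sender.example[203.0.113.9]
Oct 25 19:45:11 mail postfix/smtpd[31602]: SSL_accept error from smtp.legacy-sender.example[203.0.113.9]: -1
Oct 25 19:45:11 mail postfix/smtpd[31602]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
Oct 25 19:45:11 mail postfix/smtpd[31602]: lost connection after STARTTLS from smtp.legacy-sender.example[203.0.113.9]
Oct 25 19:45:11 mail postfix/smtpd[31602]: disconnect from smtp.legacy-sender.example[203.0.113.9] ehlo=1 starttls=0/1 commands=1/2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"from (?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
ALERT_RE = re.compile(r"alert (?P<alert>[a-z ]+?):.*SSL alert number (?P<num>\d+)")
STARTTLS_RE = re.compile(r"\bstarttls=(?P<ok>\d+)(?:/(?P<tried>\d+))?")

# TLS alert numbers a peer sends back about *our* certificate (RFC 5246 section 7.2).
DIAGNOSIS = {
    45: "peer treats our chain as expired (what an OpenSSL < 1.1.0 sender does "
        "with the DST Root CA X3 cross-sign)",
    46: "peer could not process our certificate",
    48: "peer does not trust the CA that issued our certificate",
}


def find_starttls_failures(syslog_text):
    """Return one record per inbound session that failed in STARTTLS with a peer alert."""
    open_sessions = {}  # (host, pid) -> session; a session runs from 'connect from'
    failures = []       # to 'disconnect from', because smtpd PIDs are reused
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["prog"] != "smtpd":
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg.startswith("connect from "):
            peer = PEER_RE.search(msg)
            if peer:
                open_sessions[key] = {"ts": m["ts"], "peer": peer["name"], "ip": peer["ip"],
                                      "alert": None, "alert_num": None}
            continue
        session = open_sessions.get(key)
        if session is None:
            continue  # log starts mid-session; nothing to attribute the line to
        if "TLS library problem" in msg:
            a = ALERT_RE.search(msg)
            if a:
                session["alert"], session["alert_num"] = a["alert"], int(a["num"])
        elif msg.startswith("disconnect from "):
            st = STARTTLS_RE.search(msg)
            ok = int(st["ok"]) if st else 0
            tried = int(st["tried"]) if st and st["tried"] else ok
            # starttls=0/1 means one STARTTLS attempted, none completed
            if tried > ok and session["alert"] is not None:
                session["diagnosis"] = DIAGNOSIS.get(
                    session["alert_num"],
                    "peer aborted the handshake with alert %d" % session["alert_num"])
                failures.append(session)
            del open_sessions[key]
    return failures


def failures_by_peer(syslog_text):
    """Count failed STARTTLS sessions per sending host, for deciding whom to contact."""
    return Counter(f["peer"] for f in find_starttls_failures(syslog_text))


if __name__ == "__main__":
    for f in find_starttls_failures(SYSLOG):
        print("%s %s[%s] alert %d: %s" % (f["ts"], f["peer"], f["ip"],
                                           f["alert_num"], f["diagnosis"]))
```

`failures_by_peer()` gives the list of senders worth contacting, or, where that is impossible as in this thread, the ones to re-test against after switching to the short chain. Run over the whole mail log it also answers the question the reply above raised: whether this bites one sender or many.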
 