Received invalid SSL certificate: unable to get certificate CRL

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Jan 24 21:36:23 UTC 2022


Hi Zakaria

Thank you for your suggestion.

I don't think an out-of-date CA trust is the issue with me. I'm running Debian Bullseye (i.e. the latest Debian release) and it's fully up to date with all patches.

I will look into your suggestion though.

Laura

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Monday, January 24th, 2022 at 21:29, Zakaria <hi at zakaria.website> wrote:

> Hi Laura,
>
> I don't know if it will work, but I came across a similar issue with Let's Encrypt using a recent OpenSSL; it failed verification with the same error message, and the following resolved it for me.
>
> Try running the following command against the client certificate's full chain and cert file:
>
> openssl verify -CAfile fullchain1.pem cert1.pem
>
> If it throws the same error, then try verifying against the following updated full chain with the current Let's Encrypt intermediate and root certificates, and see if that works.
>
>     wget -O isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem \
>       && wget -O isrg-root-x1-cross-signed.pem https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem \
>       && wget -O lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem \
>       && wget -O lets-encrypt-r3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem \
>       && cat isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem > combined_chain1.pem \
>       && dos2unix combined_chain1.pem \
>       && rm -f lets-encrypt-r3*.* \
>       && rm -f isrg*.*
>
> If that didn't work, then try using the updated CA bundle directly from the OS with the following settings, and reference it in the verify certificates list:
>
>     ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>     ssl_verify_client_cert = yes
>
> How to update depends on your OS; the following works for me:
>
> yum install ca-certificates
> update-ca-trust
>
> Refer to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
>
> Give it a try, and if you find another solution please let me know. Good luck.
>
> Zakaria
>
> On 24 Jan 2022 20:25, Laura Smith <n5d9xq3ti233xiyif2vp at protonmail.ch> wrote:
>
> > I'm having a frustrating problem trying to use "doveadm sync" to pull mails off a server for migration purposes.
> >
> > # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> >
> > # Pigeonhole version 0.5.17.1 (a1a0b892)
> >
> > # OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
> >
> > I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on OpenSSL default per the docs)
> >
> > I always get the same:
> >
> > Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)
> >
> > Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?) - disconnecting
> >
> > openssl s_client -starttls imap -servername $name -connect $name:143 is happy though:
> >
> > ---
> >
> > Certificate chain
> >
> > 0 s:CN = <REDACTED>
> >
> >    i:C = US, O = Let's Encrypt, CN = R3
> >
> > 1 s:C = US, O = Let's Encrypt, CN = R3
> >
> >    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> >
> > 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
> >
> >    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> >
> > ---
> >
> > ---
> >
> > No client certificate CA names sent
> >
> > Peer signing digest: SHA256
> >
> > Peer signature type: RSA-PSS
> >
> > Server Temp Key: X25519, 253 bits
> >
> > ---
> >
> > SSL handshake has read 4954 bytes and written 412 bytes
> >
> > Verification: OK
> >
> > ---
> >
> > New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
> >
> > Server public key is 2048 bit
> >
> > Secure Renegotiation IS NOT supported
> >
> > Compression: NONE
> >
> > Expansion: NONE
> >
> > No ALPN negotiated
> >
> > Early data was not sent
> >
> > Verify return code: 0 (ok)
> >
> > ---

