Am 08.12.2021 um 01:46 schrieb Robert L Mathews:
On 12/7/21 2:49 PM, Alexander Dalloz wrote:
Use a not expired certificate.
$ openssl s_client -connect 194.163.45.150:993 CONNECTED(00000003) depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3 verify error:num=10:certificate has expired notAfter=Sep 30 14:01:15 2021 GMT
That error's happening because you (Alexander) are using an old openssl version that has the problem described on:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
That's not the problem that the original poster is having unless Thunderbird also has the same problem, which it may; see:
https://community.letsencrypt.org/t/note-regarding-transition-to-r3-intermed...
https://www.arcanoae.com/adding-lets-encrypts-new-root-and-intermediate-cert...
In any case, this works fine with OpenSSL 1.1 or later:
$ openssl s_client -connect mail.sizzelicks.com:993 ... * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready.
Confirmed, my fault.
# openssl s_client -connect 194.163.45.150:993 CONNECTED(00000003) Can't use SSL_get_servername depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1 depth=0 CN = aecperformance.com verify return:1
Certificate chain 0 s:CN = aecperformance.com i:C = US, O = Let's Encrypt, CN = R3 1 s:C = US, O = Let's Encrypt, CN = R3 i:C = US, O = Internet Security Research Group, CN = ISRG Root X1 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1 i:O = Digital Signature Trust Co., CN = DST Root CA X3
Alexander