t/s expired cert error

Voytek Eymont voytek at sbt.net.au
Tue Mar 2 21:48:18 EET 2021


On Wed, March 3, 2021 1:17 am, Yassine Chaouche wrote:

Erwan, Yassine,

thanks.

hmm, just tried this, 110/143 gives error, 995/993 doesn't:

I'll try changing TB to SSL/TLS instead of StartTLS (995 or 993, etc.) and see
if the error goes away.

# echo | openssl s_client -connect emu.sbt.net.au:110 2>/dev/null | openssl x509 -noout -enddate
unable to load certificate
139830305752976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

# echo | openssl s_client -connect emu.sbt.net.au:995 2>/dev/null | openssl x509 -noout -enddate
notAfter=Apr 27 12:11:32 2021 GMT



> Looks fine from my side, both on pop3s
> ------------------------------------------------------------------------
>
>
> ychaouche#ychaouche-PC 13:58:25 ~ $ openssl s_client -connect 103.106.168.105:995 -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = emu.sbt.net.au
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=emu.sbt.net.au
>    i:/C=US/O=Let's Encrypt/CN=R3
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/CN=emu.sbt.net.au
> issuer=/C=US/O=Let's Encrypt/CN=R3
> ---
> [...]
>     Start Time: 1614694135
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> +OK Dovecot ready.
> ^C
> ychaouche#ychaouche-PC 15:09:01 ~ $
>
> ------------------------------------------------------------------------
>
>
> and on pop3 with starttls
>
> ------------------------------------------------------------------------
>
>
>
> ychaouche#ychaouche-PC 15:14:28 ~ $ openssl s_client -starttls pop3 -connect 103.106.168.105:pop3 -CApath /etc/ssl/certs
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3
> verify return:1
> depth=0 CN = emu.sbt.net.au
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=emu.sbt.net.au
>    i:/C=US/O=Let's Encrypt/CN=R3
>  1 s:/C=US/O=Let's Encrypt/CN=R3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> subject=/CN=emu.sbt.net.au
> issuer=/C=US/O=Let's Encrypt/CN=R3
> [...]
>     Start Time: 1614694499
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> +OK Dovecot ready.
> ^C
> ychaouche#ychaouche-PC 15:15:04 ~ $
>
> ------------------------------------------------------------------------
>
>
>
>
>
> On 3/2/21 at 1:41 PM, Erwan David wrote:
>
>> On 02/03/2021 at 13:29, Voytek Eymont wrote:
>>
>>> Since a couple of days ago one of the users has reported getting an expired
>>> certificate error in TB; looking at the log, I can see lines like:
>>>
>>> Mar 02 21:46:24 pop3-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=111.222.333.444, lip=103.106.168.105, TLS: SSL_read failed: error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired: SSL alert number 45, session=<...>
>>
>> Here, it is the certificate presented on the pop3 port (either port 110
>> with a STLS command, or port 995).
>>
>>
>>> But, looking at the server with
>>> https://ssl-tools.net/mailservers/emu.sbt.net.au, it says 'valid', as
>>> does the certbot tool.
>>
>> Here it seems the site tests the smtp server (on port 25), which is not
>> handled by dovecot. You probably have different certificates on both.
>>
>>
>>
>
>
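Added example, not code from anyone in this thread: a POSIX shell check of the certificate expiry a mail client actually sees on each Dovecot port, using `-starttls pop3` / `-starttls imap` on the plaintext ports 110/143 (where the bare `s_client` call above yields no PEM and hence "unable to load certificate") and a direct TLS connection on 995/993. The host name default `mail.example.invalid` is a placeholder, and `seconds_left` assumes GNU `date`.

```shell
#!/bin/sh
# Added example, not code from the thread. Check the expiry of the certificate
# a mail client actually sees on each Dovecot port, in the TLS mode that port
# uses. Default host name is a placeholder; pass the real one as $1.
HOST="${1:-mail.example.invalid}"
# 110/143 (and 25/587) start in plaintext and upgrade with STLS/STARTTLS, so
# s_client needs -starttls; 995/993 (and 465) are TLS from the first byte.
# Without the flag on 110, s_client speaks plaintext POP3, no PEM reaches
# x509, and you get the "unable to load certificate" error from the thread.
tls_mode() {
    case "$1" in
        110) echo "-starttls pop3" ;;
        143) echo "-starttls imap" ;;
        25|587) echo "-starttls smtp" ;;
        995|993|465) echo "" ;;
        *) return 1 ;;
    esac
}
# Print the leaf certificate's notAfter line, e.g.
# "notAfter=Apr 27 12:11:32 2021 GMT"; empty output means no certificate
# could be read (plaintext service, refused connection, wrong mode).
# $(tls_mode) is deliberately unquoted so "-starttls pop3" splits into two words.
fetch_enddate() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" $(tls_mode "$2") 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null
}
# Seconds between a notAfter line and $2 (epoch seconds, default: now).
# Negative means expired, which the client reports as TLS alert 45
# ("certificate expired"), as in the pop3-login log line above. Uses GNU date.
seconds_left() {
    end="${1#notAfter=}"
    end_epoch=$(date -u -d "$end" +%s) || return 1
    now_epoch="${2:-$(date -u +%s)}"
    echo $(( end_epoch - now_epoch ))
}
main() {
    for port in 110 143 995 993; do
        line=$(fetch_enddate "$HOST" "$port")
        if [ -z "$line" ]; then
            echo "$port: no certificate read (wrong TLS mode or port closed?)"
            continue
        fi
        secs=$(seconds_left "$line") || { echo "$port: $line (unparsed date)"; continue; }
        echo "$port: $line, $(( secs / 86400 )) days left"
    done
}
# Only run the network check when a host is given on the command line.
if [ "$#" -gt 0 ]; then main; fi
```

Run it as `sh check_mail_certs.sh emu.sbt.net.au` (any file name works); a negative day count on one port and a positive one on another is the "different certificates on both" situation Erwan describes.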




More information about the dovecot mailing list