Certificate issues


My YunoHost server

Hardware: Raspberry Pi 4
YunoHost version: 11.0.10.2
I have access to my server : Through SSH | through the webadmin

Description of my issue

After an upgrade to Buster, sending emails from (LAN) hosts stopped working. Receiving is still fine and I can send emails through Rainloop. It might NOT be related to the Buster upgrade because I also upgraded my router at the same time, so a network misconfiguration is possible.

Thunderbird on my laptop and the client on my phone complain that the certificate is expired, while the YunoHost web interface says the certificates are valid.
I’ve been debugging this for half a day but don’t understand what is going on. I have a few different sub-domains running and I think the tests below show what is wrong with the certificates:

(please notice the last entry shows the ‘main domain’ has an expired certificate while the web interface says it is still valid. Forcing a renew didn’t change the issue)

root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername foto.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Oct 17 14:24:34 2022 GMT
notAfter=Jan 15 14:24:33 2023 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername muziek.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Aug 23 04:25:17 2022 GMT
notAfter=Nov 21 04:25:16 2022 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername cloud.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Oct 23 09:07:20 2022 GMT
notAfter=Jan 21 09:07:19 2023 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Aug 22 04:25:25 2022 GMT
notAfter=Nov 20 04:25:24 2022 GMT

thanks,

-jeroen

I did some more research when my initial message was pending:

admin@yunohost:~ $ sudo journalctl -xef |grep postfix
Nov 30 09:56:08 yunohost.domain.com postfix/submission/smtpd[2819]: connect from x-x-x-x.mobile.net[x.x.x.x]
Nov 30 09:56:08 yunohost.domain.com postfix/submission/smtpd[2819]: SSL_accept error from x-x-x-x.mobile.net[x.x.x.x]: -1
Nov 30 09:56:08 yunohost.domain.com postfix/submission/smtpd[2819]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1543:SSL alert number 46:
Nov 30 09:56:08 yunohost.domain.com postfix/submission/smtpd[2819]: lost connection after STARTTLS from x-x-x-x.mobile.net[x.x.x.x]
Nov 30 09:56:08 yunohost.domain.com postfix/submission/smtpd[2819]: disconnect from x-x-x-x.mobile.kpn.net[x.x.x.x] ehlo=1 starttls=0/1 commands=1/2
-----snip-----
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: warning: hostname xxxx-xxxx-xxxx.connected.by.freedominter.net does not resolve to address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx: Name or service not known
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: connect from unknown[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: SSL_accept error from unknown[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]: -1
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: lost connection after STARTTLS from unknown[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]
Nov 30 09:59:42 yunohost.domain.com postfix/submission/smtpd[2958]: disconnect from unknown[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] ehlo=1 starttls=0/1 commands=1/2
root@yunohost:~# yunohost domain cert status
certificates: 
  cloud.domain.com: 
    CA_type: Let's Encrypt
    summary: Great!
    validity: 54
  foto.domain.com: 
    CA_type: Let's Encrypt
    summary: Great!
    validity: 49
  muziek.domain.com: 
    CA_type: Let's Encrypt
    summary: Great!
    validity: 67
  domain.com: 
    CA_type: Let's Encrypt
    summary: Great!
    validity: 85

root@yunohost:~# sudo yunohost tools regen-conf postfix --dry-run --with-diff

root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername foto.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Oct 17 14:24:34 2022 GMT
notAfter=Jan 15 14:24:33 2023 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername muziek.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Aug 23 04:25:17 2022 GMT
notAfter=Nov 21 04:25:16 2022 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername cloud.domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Oct 23 09:07:20 2022 GMT
notAfter=Jan 21 09:07:19 2023 GMT
root@yunohost:/etc# openssl s_client -showcerts -starttls smtp -connect 127.0.0.1:587 -servername domain.com < /dev/null 2>&1 | openssl x509 -noout -dates
notBefore=Aug 22 04:25:25 2022 GMT
notAfter=Nov 20 04:25:24 2022 GMT

Another thing that might be related is that my YunoHost server has a different opinion on the IPv6 reverse DNS compared to my router.

root@router:~# dig -x xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx|grep domain.com
x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa. 3468 IN PTR domain.com.

admin@yunohost:~ $ dig -x xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx|grep domain.com
x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa. 0 IN PTR cloud.domain.com.

thanks,

-jeroen
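The two outputs above disagree: `openssl s_client` shows the submission port still serving a certificate for `domain.com` that expired on Nov 20, while `yunohost domain cert status` reports 85 days of validity. The script below is an added check (not from the thread or from YunoHost) that makes that comparison explicit per domain: it reads the `notAfter` of the certificate Postfix actually serves and of the certificate file on disk, and classifies the result. It assumes YunoHost's `/etc/yunohost/certs/<domain>/crt.pem` layout and is meant to be run on the server itself.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: compare the certificate Postfix
# serves on port 587 with the certificate file on disk. "STALE" means the
# on-disk cert was renewed but the daemon still serves the old one
# (reload / regen-conf needed); "EXPIRED" means both are out of date.
# Assumed YunoHost path: /etc/yunohost/certs/<domain>/crt.pem

# Day number (days since 1970-01-01) of an OpenSSL date such as
# "Nov 20 04:25:24 2022 GMT"; pure arithmetic, so no GNU date is needed.
day_number() {
    set -- $1                       # $1=month $2=day $3=time $4=year
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
    esac
    d=${2#0}; y=$4                  # strip a leading zero so "08" is not octal
    [ "$m" -le 2 ] && y=$((y - 1))  # days-from-civil: year starts in March
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Whole days from "now" ($2) until notAfter ($1); negative when expired.
days_left() {
    echo $(( $(day_number "$1") - $(day_number "$2") ))
}

# Verdict from served notAfter ($1), on-disk notAfter ($2) and now ($3).
classify() {
    s=$(days_left "$1" "$3"); f=$(days_left "$2" "$3")
    if   [ "$s" -lt 0 ] && [ "$f" -gt 0 ]; then echo STALE     # reload needed
    elif [ "$s" -lt 0 ];                    then echo EXPIRED   # renew needed
    elif [ "$s" -ne "$f" ];                 then echo MISMATCH  # wrong file served
    else                                         echo OK
    fi
}

# Live check on the server itself, using the same openssl probe as the thread.
check_domain() {
    crt=/etc/yunohost/certs/$1/crt.pem
    served=$(openssl s_client -starttls smtp -connect 127.0.0.1:587 \
               -servername "$1" </dev/null 2>/dev/null \
             | openssl x509 -noout -enddate | cut -d= -f2)
    disk=$(openssl x509 -in "$crt" -noout -enddate | cut -d= -f2)
    now=$(date -u '+%b %e %H:%M:%S %Y GMT')
    echo "$1: served until $served, disk until $disk -> $(classify "$served" "$disk" "$now")"
}

for dom in "$@"; do check_domain "$dom"; done
```

Run it as `sh check_certs.sh domain.com muziek.domain.com cloud.domain.com foto.domain.com`; any domain reported STALE is one where renewing again will not help until Postfix is reloaded or its configuration regenerated.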

Same as SMTP en erreur sur Thunderbird, no?

oh! yes it seems to be the same problem. Sorry I missed this, I did search the forum, maybe because I filtered on English?
-jeroen

just wanted to point to the other thread and what we found out (which is basically what you found out, too, apart from the fact that setting up a new server doesn’t improve things either).

I had the same issue a few days ago.
I resolved the problem using this command:
sudo yunohost tools regen-conf postfix

This didn’t work for me, my postfix config is stock already. BTW, this issue is a duplicate of SMTP en erreur sur Thunderbird - #12 by jeroen
I continue there.

I did this again, rebooted and it is solved?!?
Thanks for the tip!

-jeroen
