Problem with SSL certificate and SMTP server

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.0.9.14
I have access to my server : Through SSH | through the webadmin |
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If yes, please explain:

Description of the problem

Hello everyone,

I have a problem with the certificate of my SMTP server.

Context:
One YunoHost server acting as the SMTP server, and another server with Discourse installed.
Hence the line in the logs about the DNS non-compliance.

    Type : TXT
    Name : @
    The current value is : "v=spf1 mx -all"
    The expected value is: "v=spf1 a mx -all"

For the past two or three days I have had an error when sending mail from Discourse:

    ERROR - SSL_connect returned=1 errno=0 peeraddr=ip.du.serveur.yunohst:587 state=error: certificate verify failed (certificate has expired)

So first of all, I see that it is not normal that it looks for a certificate on an IP but I don’t understand why.

Then this error also appeared in my mail manager via an alert saying that the certificate is invalid.

Here is the result of the command:

    openssl s_client -connect ndd.fr:587
    CONNECTED(00000003)
    4037DA36367F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5 bytes and written 309 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Actions taken

  • Regenerate the SSL certificate for the concerned domain (main)

Thanks in advance for your help.

Here are some error messages


Well, after several tries, I switched back to an unsigned certificate then restarted the process via Let's Encrypt and it seems to have worked.

Hi all,

Same problem here, and I’ve renewed the Let’s Encrypt certificate (even though it was still valid for 73 days), without success.

Thunderbird still gets a certificate from Jul 5th that expired on Oct 3rd.
If I look at /etc/yunohost/certs/:

  • the mydomain.ltd symlink owner is root:root, unlike the mydomain.ltd-history directory and myotherdomain.ltd symlink and directory, whose owner is root:ssl-cert

  • in /etc/yunohost/certs/mydomain.ltd-history directory, the last 2 certificates generated do not have the same rights and owner:

    drw-r-xr-x 2 root root     4096 Sep 18 06:25 20220918.062517-letsencrypt
    drw-r-xr-x 2 root root     4096 Oct  4 13:40 20221004.134018-letsencrypt

unlike all previous certificates:

    drwxr-x--- 2 root ssl-cert 4096 Jul  5 10:12 20220705.101204-letsencrypt

It seems something has been modified in YunoHost's behaviour, in a previous version update.
I’ve tried manually modifying all owner info and rights, it does not fix the issue. And it is clearly not a good solution.
Can you help me with that?

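Added example, not part of the original posts: port 587 speaks plaintext SMTP until the client sends STARTTLS, so a bare TLS handshake like the `openssl s_client` call in the first post fails with `wrong version number` before any certificate is seen. This Python script performs the STARTTLS upgrade, reports the verification error a mail client would get, and compares the certificate actually served with a PEM file on disk, which is the mismatch described in the Thunderbird post. The host name and PEM path given on the command line are the reader's own, and the `fetch` parameter is a hook introduced here so the comparison can be exercised without a network.

```python
import hashlib
import smtplib
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def served_cert(host, port=587, verify=True):
    """Return the DER leaf certificate an SMTP server presents after STARTTLS."""
    ctx = ssl.create_default_context()
    if not verify:
        # Diagnostic fetch only, so an expired certificate can still be read.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    smtp = smtplib.SMTP(host, port, timeout=10)
    try:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # TLS starts only after this SMTP command
        return smtp.sock.getpeercert(binary_form=True)
    finally:
        smtp.close()


def disk_leaf(pem_path):
    """Return the first certificate of a PEM file (leaf of a chain) as DER."""
    with open(pem_path) as fh:
        text = fh.read()
    start = text.index(BEGIN)
    end = text.index(END, start) + len(END)
    return ssl.PEM_cert_to_DER_cert(text[start:end])


def check(host, pem_path, port=587, fetch=served_cert):
    """Report whether the served certificate verifies and matches the file."""
    try:
        fetch(host, port, verify=True)
        verify_error = None
    except ssl.SSLCertVerificationError as exc:
        verify_error = getattr(exc, "verify_message", str(exc))
    served = fetch(host, port, verify=False)
    return {
        "verify_error": verify_error,
        "served_sha256": hashlib.sha256(served).hexdigest(),
        "matches_disk": served == disk_leaf(pem_path),
    }


if __name__ == "__main__":
    print(check(sys.argv[1], sys.argv[2]))
```

Run it as `python3 script.py <mail-host> <certificate.pem>`. If `matches_disk` is false after a renewal, the mail service is still presenting an older certificate than the one on disk.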

I’ve done all the package updates (from yunohost 11.0.9.13 to 11.0.9.15) and now it works.
Well, I don’t know what fixed the problem…

After making the updates, I switched back to a self-signed certificate and then restarted the generation via Let's Encrypt (all while disabling the YunoHost admin cache).
