Page MenuHomeDevCentral

Renewed Let's encrypt certificate hasn't been deployed to SMTP
Closed, ResolvedPublic

Description

SMTP certificate expired.

We've a new certificate, already deployed on mail.nasqueron.org nginx for example, but it's not propagated to the LXC container handling the mail server.

$ openssl s_client -connect mail.nasqueron.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.nasqueron.org
verify error:num=10:certificate has expired
notAfter=Aug 19 12:17:00 2016 GMT
verify return:1
depth=0 CN = mail.nasqueron.org
notAfter=Aug 19 12:17:00 2016 GMT
verify return:1
---
Certificate chain
 0 s:/CN=mail.nasqueron.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgISAwmPgfV3EE3NRzcMsY3/Q7EYMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA1MjExMjE3MDBaFw0x
NjA4MTkxMjE3MDBaMB0xGzAZBgNVBAMTEm1haWwubmFzcXVlcm9uLm9yZzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOs1fFUfm4X5Tygisxn01igTlO5P
J9e31oma4QBVXMF1515weV2rLiGUCOE7nxOyZGq9N24/5vtu+IieD9V+mosmok7z
ci9ANsMwdjmvDjJUQ2jELMhPfE7Dd+8/Ew0ruNqv/d55xTRUxKf9YmbGmQTQDoeO
oZBxbPVCfh+NgZsOMEOwlvbSOLHI5fuTDrKi009ql4SxahcCwk510cBx1ZfI9bzO
emhSbqoVy4UkhTLScLXe0Qd5MGNKPzH7kmfDe2UNhyS7i7OkM2Vmfj3sUCJTgwCq
qEUi3Nq3AyfixMry3ntgrjDitZb9x6Osd+G0jl06apZjlUE+D/RTvtQ0RI0CAwEA
AaOCAhMwggIPMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsUXiyIT3quSfpZHKxgEi
q2CRyBYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUH
AQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5
cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy
eXB0Lm9yZy8wHQYDVR0RBBYwFIISbWFpbC5uYXNxdWVyb24ub3JnMIH+BgNVHSAE
gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp
cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n
IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp
Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw
b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAIkaUL0KebdS1bYEu5hOL+c+QewB
OI/U1euJjwsp4lftAKLeX2tzm9pg15nT7h1BFVj0FmaAyuQQOa1arp5Lq9/+SiPg
rlgHCg3AzHU7tp8ssRMx8Z8yAT+riTLdheYLnlwPdHo5ZexbD8caSJ0gW82IFdkK
DjyrXhXDfQuffgeme1x9KN5LD1ctR57XUpBuk8ZCGFsj5xKdXlMTHeslsVOs0KRD
6XjQPFmRPegGh7dim+2ssNyXDW4K/3ISTNZNLs9AcLU9Qt9ES6Fka9e3o6x4WUHU
OQBUpLJ4t8Fyk99qoaeO3ra31wPThfn1Krh947iH6345eAwbrPs7nskAKJo=
-----END CERTIFICATE-----
subject=/CN=mail.nasqueron.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3372 bytes and written 466 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0A93A8D87FD72B052F94835018362D0B2B0B6A26F921E507B7F4E43C36A09842
    Session-ID-ctx: 
    Master-Key: 4CC5AE9D75E879C03741369D086F7882874B18C355150963C05794CBD09F3D9436D67D63C762D9D5EFC9B5E4213A737B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 27 1f fe 69 ae ef da e2-6f 26 db ba 33 13 f4 4c   '..i....o&..3..L
    0010 - f9 08 a2 8e 8d 7a c1 0e-61 07 f8 0e 37 17 45 36   .....z..a...7.E6
    0020 - 3f d3 77 cb 0d 95 e4 80-e7 49 27 15 ad 56 1f b5   ?.w......I'..V..
    0030 - 08 2c 53 96 d9 04 51 a6-a6 18 c9 49 19 c7 db 75   .,S...Q....I...u
    0040 - 98 db 0e 1c fe 5c 2c 61-57 da e0 88 e6 f4 f9 b8   .....\,aW.......
    0050 - d7 35 be 7d cf 37 d1 47-6d f2 8c 85 ee 9c 2a f5   .5.}.7.Gm.....*.
    0060 - 07 3e 44 59 61 e0 b5 7f-a1 1e 9b e9 74 a8 37 f1   .>DYa.......t.7.
    0070 - 98 b5 bf 8a df a5 2e 66-ab 40 46 e2 5e 59 55 c2   .......f.@F.^YU.
    0080 - 03 44 8c 63 15 cd ee 15-19 d1 0c 5b f2 dc bd 81   .D.c.......[....
    0090 - 2c ba b5 b7 d1 a2 09 ed-25 db dd 6d 2f e9 5f ce   ,.......%..m/._.

    Start Time: 1478179147
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
250 DSN

T919 tracks a long term solution. Meanwhile, I'm preparing a script like in D691.

Event Timeline

dereckson created this task.Nov 3 2016, 13:21
dereckson renamed this task from openssl s_client -connect mail.nasqueron.org:25 -starttls smtp CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = mail.nasqueron.org verify error:num=10:certificate has expired notAfter=Aug 19 12:17:00 2016 GMT verify return:1 depth=0 CN = mail.nasqueron.org notAfter=Aug 19 12:17:00 2016 GMT verify return:1 --- Certificate chain 0 s:/CN=mail.nasqueron.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIFCDCCA/CgAwIBAgISAwmPgfV3EE3NRzcMsY3/Q7EYMA0GCSqGSIb3DQEBCwUA MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA1MjExMjE3MDBaFw0x NjA4MTkxMjE3MDBaMB0xGzAZBgNVBAMTEm1haWwubmFzcXVlcm9uLm9yZzCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOs1fFUfm4X5Tygisxn01igTlO5P J9e31oma4QBVXMF1515weV2rLiGUCOE7nxOyZGq9N24/5vtu+IieD9V+mosmok7z ci9ANsMwdjmvDjJUQ2jELMhPfE7Dd+8/Ew0ruNqv/d55xTRUxKf9YmbGmQTQDoeO oZBxbPVCfh+NgZsOMEOwlvbSOLHI5fuTDrKi009ql4SxahcCwk510cBx1ZfI9bzO emhSbqoVy4UkhTLScLXe0Qd5MGNKPzH7kmfDe2UNhyS7i7OkM2Vmfj3sUCJTgwCq qEUi3Nq3AyfixMry3ntgrjDitZb9x6Osd+G0jl06apZjlUE+D/RTvtQ0RI0CAwEA AaOCAhMwggIPMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUsUXiyIT3quSfpZHKxgEi q2CRyBYwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUH AQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5 cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy eXB0Lm9yZy8wHQYDVR0RBBYwFIISbWFpbC5uYXNxdWVyb24ub3JnMIH+BgNVHSAE gfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYa aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhp cyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5n IFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZp Y2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVw b3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAIkaUL0KebdS1bYEu5hOL+c+QewB OI/U1euJjwsp4lftAKLeX2tzm9pg15nT7h1BFVj0FmaAyuQQOa1arp5Lq9/+SiPg rlgHCg3AzHU7tp8ssRMx8Z8yAT+riTLdheYLnlwPdHo5ZexbD8caSJ0gW82IFdkK DjyrXhXDfQuffgeme1x9KN5LD1ctR57XUpBuk8ZCGFsj5xKdXlMTHeslsVOs0KRD 6XjQPFmRPegGh7dim+2ssNyXDW4K/3ISTNZNLs9AcLU9Qt9ES6Fka9e3o6x4WUHU OQBUpLJ4t8Fyk99qoaeO3ra31wPThfn1Krh947iH6345eAwbrPs7nskAKJo= -----END CERTIFICATE----- subject=/CN=mail.nasqueron.org issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3372 bytes and written 466 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 0A93A8D87FD72B052F94835018362D0B2B0B6A26F921E507B7F4E43C36A09842 Session-ID-ctx: Master-Key: 4CC5AE9D75E879C03741369D086F7882874B18C355150963C05794CBD09F3D9436D67D63C762D9D5EFC9B5E4213A737B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 3600 (seconds) TLS session ticket: 0000 - 27 1f fe 69 ae ef da e2-6f 26 db ba 33 13 f4 4c '..i....o&..3..L 0010 - f9 08 a2 8e 8d 7a c1 0e-61 07 f8 0e 37 17 45 36 .....z..a...7.E6 0020 - 3f d3 77 cb 0d 95 e4 80-e7 49 27 15 ad 56 1f b5 ?.w......I'..V.. 0030 - 08 2c 53 96 d9 04 51 a6-a6 18 c9 49 19 c7 db 75 .,S...Q....I...u 0040 - 98 db 0e 1c fe 5c 2c 61-57 da e0 88 e6 f4 f9 b8 .....\,aW....... 0050 - d7 35 be 7d cf 37 d1 47-6d f2 8c 85 ee 9c 2a f5 .5.}.7.Gm.....*. 0060 - 07 3e 44 59 61 e0 b5 7f-a1 1e 9b e9 74 a8 37 f1 .>DYa.......t.7. 0070 - 98 b5 bf 8a df a5 2e 66-ab 40 46 e2 5e 59 55 c2 .......f.@F.^YU. 0080 - 03 44 8c 63 15 cd ee 15-19 d1 0c 5b f2 dc bd 81 .D.c.......[.... 0090 - 2c ba b5 b7 d1 a2 09 ed-25 db dd 6d 2f e9 5f ce ,.......%..m/._. Start Time: 1478179147 Timeout : 300 (sec) Verify return code: 10 (certificate has expired) --- 250 DSN to Renewed Let's encrypt certificate hasn't been deployed to SMTP.Nov 3 2016, 13:36
dereckson updated the task description. (Show Details)
dereckson closed this task as Resolved.

Certificate has correctly been deployed.

$ openssl s_client -connect mail.nasqueron.org:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.nasqueron.org
verify return:1
---
Certificate chain
 0 s:/CN=mail.nasqueron.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate