Maybe somebody here knows how this would be supposed to work:
I am trying to get TLS to work with sendmail, and I managed to get it working with my own CA, but not with Let's Encrypt.
I am getting this error:
Code:
2022-04-28T23:18:46.704257+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS: TLS cert verify: depth=3 /O=Digital Signature Trust Co./CN=DST Root CA X3, state=0, reason=certificate has expired
2022-04-28T23:18:46.705103+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, get_verify: 10 get_peer: 0x801c3af00
2022-04-28T23:18:46.705122+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, relay=gate.intra.daemon.contact [xx.xx.xx.xx], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
2022-04-28T23:18:46.705131+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, cert-subject=/CN=moon.daemon.contact, cert-issuer=/C=US/O=Let's+20Encrypt/CN=R3, verifymsg=certificate has expired
The certificate itself is certainly not expired, but it appears we have a crappy root cert in the tree:
/usr/src/secure/caroot/trusted/DST_Root_CA_X3.pem
Code:
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
This is Rel. 13.1, so I am really wondering what this is doing here?
OTOH, some software does not bother about expired certs, so maybe there is good reason to keep it.
I am now looking for insight on how this should work, what is going wrong, and where it should be fixed: in FreeBSD, in sendmail or in Let's Encrypt?
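The sm-mta lines quoted above say more than "verify=FAIL": the "TLS cert verify" line carries the chain depth at which OpenSSL's verify callback rejected a certificate (depth=0 is the peer's own certificate, each higher depth is one issuer further up), and the final line carries the leaf's subject and issuer with spaces escaped as +20. The following script, an added example that is not part of the original post, parses those four line formats, groups them by sm-mta process id, decodes the +HH escaping, and reports at which depth a failed session actually broke. The sample log is constructed from the lines in the post; the regular expressions are assumptions about the sendmail log layout shown here and may need adjusting for other sendmail versions.

```python
"""Locate where in the chain a sendmail STARTTLS verification failed.

Added example for this thread, not code from the post. The regular
expressions below are assumptions modelled on the log lines quoted above.
"""
import re
from collections import defaultdict

# Constructed sample: the four sm-mta lines from the post, one session (pid 69293).
SAMPLE_LOG = """\
2022-04-28T23:18:46.704257+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS: TLS cert verify: depth=3 /O=Digital Signature Trust Co./CN=DST Root CA X3, state=0, reason=certificate has expired
2022-04-28T23:18:46.705103+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, get_verify: 10 get_peer: 0x801c3af00
2022-04-28T23:18:46.705122+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, relay=gate.intra.daemon.contact [xx.xx.xx.xx], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
2022-04-28T23:18:46.705131+02:00 <mail.info> intra.daemon.contact sm-mta[69293] STARTTLS=server, cert-subject=/CN=moon.daemon.contact, cert-issuer=/C=US/O=Let's+20Encrypt/CN=R3, verifymsg=certificate has expired
"""

# OpenSSL verify-callback line: depth=0 is the peer's leaf, higher depths walk toward the root.
VERIFY_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\] STARTTLS: TLS cert verify: depth=(?P<depth>\d+) "
    r"(?P<subject>.+?), state=(?P<state>\d+), reason=(?P<reason>.+)$"
)
# Session summary line with the overall verify= result.
RESULT_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\] STARTTLS=(?P<role>server|client), relay=(?P<relay>[^\s\[]+) "
    r"\[(?P<ip>[^\]]*)\], version=(?P<version>[^,]+), verify=(?P<verify>[^,]+), "
    r"cipher=(?P<cipher>[^,]+), bits=(?P<bits>\S+)"
)
# Peer certificate line (subject/issuer DNs with sendmail's +HH escaping).
PEER_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\] STARTTLS=(?:server|client), cert-subject=(?P<subject>.+?), "
    r"cert-issuer=(?P<issuer>.+?), verifymsg=(?P<msg>.+)$"
)
_ESC_RE = re.compile(r"\+([0-9A-Fa-f]{2})")


def decode_sendmail_escape(value: str) -> str:
    """Undo sendmail's +HH escaping of spaces and other special characters
    in logged DNs, e.g. "Let's+20Encrypt" -> "Let's Encrypt"."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def diagnose(session: dict) -> str:
    """Turn the per-session fields into a one-line statement of what failed and where."""
    if session.get("verify") != "FAIL":
        return "verification did not fail"
    errors = session["verify_errors"]
    if not errors:
        return "verify=FAIL but no 'TLS cert verify' line was logged for this session"
    worst = max(errors, key=lambda e: e["depth"])
    if worst["depth"] == 0:
        return f"the peer's own certificate failed: {worst['reason']}"
    return (
        f"chain failed at depth {worst['depth']} ({worst['subject']}): {worst['reason']}; "
        "the failing certificate is a CA certificate, not the peer's leaf, so look at the "
        "chain the peer sends and at the local trust store"
    )


def analyze_starttls_log(lines) -> dict:
    """Group sm-mta STARTTLS lines by process id and return, per session,
    the verification outcome, the peer's leaf DNs and the failing chain depth."""
    sessions = defaultdict(lambda: {"verify_errors": []})
    for line in lines:
        m = VERIFY_RE.search(line)
        if m:
            sessions[m["pid"]]["verify_errors"].append(
                {"depth": int(m["depth"]), "subject": m["subject"], "reason": m["reason"].strip()}
            )
            continue
        m = RESULT_RE.search(line)
        if m:
            sessions[m["pid"]].update(
                role=m["role"], relay=m["relay"], ip=m["ip"], version=m["version"],
                verify=m["verify"], cipher=m["cipher"], bits=m["bits"],
            )
            continue
        m = PEER_RE.search(line)
        if m:
            sessions[m["pid"]].update(
                leaf_subject=decode_sendmail_escape(m["subject"]),
                leaf_issuer=decode_sendmail_escape(m["issuer"]),
                verifymsg=m["msg"].strip(),
            )
        # Other lines (e.g. the get_verify/get_peer debug line) are ignored.
    for s in sessions.values():
        s["diagnosis"] = diagnose(s)
    return dict(sessions)


if __name__ == "__main__":
    for pid, s in analyze_starttls_log(SAMPLE_LOG.splitlines()).items():
        print(pid, s["verify"], s.get("leaf_subject"), "issued by", s.get("leaf_issuer"))
        print("   ", s["diagnosis"])
```

Run against the lines from the post, the script reports that the failure sits at depth 3, i.e. three issuers above moon.daemon.contact, on the DST Root CA X3 subject, with the leaf itself issued by Let's Encrypt R3 and carrying no error of its own. That matches the expired DST_Root_CA_X3.pem the poster found in the trust store: the leaf is fine, the verifier ended the chain at an expired root.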