Something weird with sendmail and Let's Encrypt / 2021-10-23

Noticed this in the logs:
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
The switch from verify=OK to verify=FAIL happens exactly at the expiry of the DST Root CA X3 certificate:
koos@wozniak:/usr/share/ca-certificates/mozilla$ openssl x509 -in DST_Root_CA_X3.crt -noout -startdate -enddate
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT
But now to find out where this goes wrong...
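The correlation above, worked through as an added example (not code from the post): it finds the verify=OK to verify=FAIL flip per relay in the sendmail log and checks whether the certificate's notAfter falls inside that window. The log timezone (CEST, UTC+2, as in the SMTP banner further down) and the year 2021 are assumptions, since syslog timestamps carry neither.

```python
import re
from datetime import datetime, timedelta, timezone

# The four log lines from the post. Syslog timestamps carry no year and no zone.
SAMPLE_LOG = """\
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
"""

UTC = timezone.utc
# Assumption: the host logs in CEST (UTC+2), the offset shown in the SMTP banner.
LOG_TZ = timezone(timedelta(hours=2))
LOG_YEAR = 2021  # assumption: taken from the date of the post

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"STARTTLS=client, relay=(?P<relay>[^,]+),.*\bverify=(?P<verify>\w+)"
)


def parse_line(line, tz=LOG_TZ, year=LOG_YEAR):
    """Return (aware timestamp, relay, verify result) or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=tz), m["relay"].rstrip("."), m["verify"]


def verify_transitions(lines, tz=LOG_TZ):
    """List (relay, last_ok, first_fail) for every OK -> FAIL flip of a relay."""
    previous = {}  # relay -> (timestamp, verify result) of its last connection
    flips = []
    for line in lines:
        parsed = parse_line(line, tz=tz)
        if parsed is None:
            continue
        ts, relay, verify = parsed
        before = previous.get(relay)
        if before and before[1] == "OK" and verify == "FAIL":
            flips.append((relay, before[0], ts))
        previous[relay] = (ts, verify)
    return flips


def parse_openssl_date(text):
    """Parse the value of notAfter= as printed by `openssl x509 -enddate`."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=UTC)


def expiry_explains(flip, not_after):
    """True when the certificate expired after the last OK and before the first FAIL."""
    _, last_ok, first_fail = flip
    return last_ok < not_after <= first_fail


if __name__ == "__main__":
    not_after = parse_openssl_date("Sep 30 14:01:15 2021 GMT")  # from the post
    for flip in verify_transitions(SAMPLE_LOG.splitlines()):
        relay, last_ok, first_fail = flip
        print(relay, "last OK", last_ok.isoformat(), "first FAIL", first_fail.isoformat())
        print("expiry", not_after.astimezone(LOG_TZ).isoformat(),
              "inside window:", expiry_explains(flip, not_after))
```

Reading the log timestamps as UTC instead of local time makes the check fail, because the 14:02:04 and 15:02:04 entries would then lie after the 14:01:15 GMT expiry while still reporting verify=OK.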

Since sendmail uses gnutls, I debugged it with gnutls-cli but I can't find a problem using that method:
koos@gosper:~$ gnutls-cli -V --starttls --port 587 postbode.idefix.net
Processed 126 CA certificate(s).
Resolving 'postbode.idefix.net:587'...
Connecting to '2a10:3781:1669:1::23:587'...

- Simple Client Mode:

- Received[379]: 220-gosper.idefix.net ESMTP Sendmail 8.15.2/8.15.2/Debian-14~deb10u1; Sat, 23 Oct 2021 16:57:14 +0200; (No UCE/UBE)
220-   This is a private SMTP server.
220-   The use of this or any related system for the transmission of
220-   Unsollicited Bulk E-mail (UBE) is prohibited.
220 logging access from: gosper.idefix.net(OK)-gosper.idefix.net [IPv6:2a10:3781:1669:1:0:0:0:23]
STARTTLS
- Sent: 9 bytes
- Received[30]: 220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 048cb3c00b7550e9ee4a74960f3c54c68bef
        Issuer: CN=R3,O=Let's Encrypt,C=US
        Validity:
                Not Before: Sat Oct 23 13:21:13 UTC 2021
                Not After: Fri Jan 21 13:21:12 UTC 2022
        Subject: CN=postbode.idefix.net
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Key Purpose (not critical):
                        TLS WWW Server.
                        TLS WWW Client.
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Subject Key Identifier (not critical):
                        13a60fab60bb64982cd59688624d72d6fd08e71f
                Authority Key Identifier (not critical):
                        142eb317b75856cbae500940e61faf9d8b14c2c6
                Authority Information Access (not critical):
                        Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                        Access Location URI: http://r3.o.lencr.org
                        Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                        Access Location URI: http://r3.i.lencr.org/
                Subject Alternative Name (not critical):
                        DNSname: kzdoos-in.idefix.net
                        DNSname: postbode.idefix.net
                        DNSname: postbox.idefix.net
                Certificate Policies (not critical):
                        2.23.140.1.2.1
                        1.3.6.1.4.1.44947.1.1.1
                                URI: http://cps.letsencrypt.org
        Signature Algorithm: RSA-SHA256
Other Information:
        Fingerprint:
                sha1:b0d1d8231baa47012316add5bd17c6f8a3c92cb5
                sha256:765638bdcc4f965f5d92f361c55eca61d0424c3597014496210dcfc0d4108e0a
        Public Key ID:
                sha1:fe80ed6763824c28c41e4b450bc8bdd64444673c
                sha256:df8a5f010c6e302c8ff8359eaa758cbe90ca5bdb6f005bc9f3e323b3714c0f02
        Public Key PIN:
                pin-sha256:34pfAQxuMCyP+DWeqnWMvpDKW9tvAFvJ8+Mjs3FMDwI=



- Certificate[1] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 00912b084acf0c18a753f6d62e25a75f5a
        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
        Validity:
                Not Before: Fri Sep 04 00:00:00 UTC 2020
                Not After: Mon Sep 15 16:00:00 UTC 2025
        Subject: CN=R3,O=Let's Encrypt,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Key Usage (critical):
                        Digital signature.
                        Certificate signing.
                        CRL signing.
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                        Path Length Constraint: 0
                Subject Key Identifier (not critical):
                        142eb317b75856cbae500940e61faf9d8b14c2c6
                Authority Key Identifier (not critical):
                        79b459e67bb6e5e40173800888c81a58f6e99b6e
                Authority Information Access (not critical):
                        Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                        Access Location URI: http://x1.i.lencr.org/
                CRL Distribution points (not critical):
                        URI: http://x1.c.lencr.org/
                Certificate Policies (not critical):
                        2.23.140.1.2.1
                        1.3.6.1.4.1.44947.1.1.1
        Signature Algorithm: RSA-SHA256
Other Information:
        Fingerprint:
                sha1:a053375bfe84e8b748782c7cee15827a6af5a405
                sha256:67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
        Public Key ID:
                sha1:8a9382f4c80408345e5bc2f8d755d3c2e76248cf
                sha256:8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
        Public Key PIN:
                pin-sha256:jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=



- Certificate[2] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 4001772137d4e942b8ee76aa3c640ab7
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity:
                Not Before: Wed Jan 20 19:14:03 UTC 2021
                Not After: Mon Sep 30 18:14:03 UTC 2024
        Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (4096 bits)
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                Key Usage (critical):
                        Certificate signing.
                        CRL signing.
                Authority Information Access (not critical):
                        Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
                        Access Location URI: http://apps.identrust.com/roots/dstrootcax3.p7c
                Authority Key Identifier (not critical):
                        c4a7b1a47b2c71fadbe14b9075ffc41560858910
                Certificate Policies (not critical):
                        2.23.140.1.2.1
                        1.3.6.1.4.1.44947.1.1.1
                                URI: http://cps.root-x1.letsencrypt.org
                CRL Distribution points (not critical):
                        URI: http://crl.identrust.com/DSTROOTCAX3CRL.crl
                Subject Key Identifier (not critical):
                        79b459e67bb6e5e40173800888c81a58f6e99b6e
        Signature Algorithm: RSA-SHA256
Other Information:
        Fingerprint:
                sha1:933c6ddee95c9c41a40f9f50493d82be03ad87bf
                sha256:6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
        Public Key ID:
                sha1:f816513cfd1b449f2e6b28a197221fb81f514e3c
                sha256:0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
        Public Key PIN:
                pin-sha256:C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=



- Certificate[3] info:
 - X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 44afb080d6a327ba893039862ef8406b
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Validity:
                Not Before: Sat Sep 30 21:12:19 UTC 2000
                Not After: Thu Sep 30 14:01:15 UTC 2021
        Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)

- Status: The certificate is trusted. 
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.3
- Server Signature: RSA-PSS-RSAE-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Options:
- Channel binding 'tls-unique': 
- Peer has closed the GnuTLS connection
Even removing the cross-signature linking ISRG Root X1 to DST Root CA X3 on the mail server side doesn't make the problem go away. Only removing it from the client-side file /etc/mail/tls/sendmail-server.crt makes the error message go away. This is weird!
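To see which of the four certificates the server presents are the problematic ones, the following added example (not part of the original post) parses the Issuer, Subject and Validity fields of gnutls-cli output and audits the chain at the time of the test. The sample text is excerpted from the output above; the check time is taken from the SMTP banner (16:57:14 +0200), and the function names are made up for this example.

```python
import re
from datetime import datetime, timezone

# Excerpt of the gnutls-cli output in the post, reduced to the fields used here.
SAMPLE_OUTPUT = """\
- Certificate[0] info:
        Issuer: CN=R3,O=Let's Encrypt,C=US
                Not Before: Sat Oct 23 13:21:13 UTC 2021
                Not After: Fri Jan 21 13:21:12 UTC 2022
        Subject: CN=postbode.idefix.net
        Subject Public Key Algorithm: RSA
- Certificate[1] info:
        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
                Not Before: Fri Sep 04 00:00:00 UTC 2020
                Not After: Mon Sep 15 16:00:00 UTC 2025
        Subject: CN=R3,O=Let's Encrypt,C=US
- Certificate[2] info:
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
                Not Before: Wed Jan 20 19:14:03 UTC 2021
                Not After: Mon Sep 30 18:14:03 UTC 2024
        Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
- Certificate[3] info:
        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
                Not Before: Sat Sep 30 21:12:19 UTC 2000
                Not After: Thu Sep 30 14:01:15 UTC 2021
        Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
"""

# Time of the gnutls-cli run according to the SMTP banner, converted to UTC.
CHECK_TIME = datetime(2021, 10, 23, 14, 57, 14, tzinfo=timezone.utc)

FIELDS = {"Issuer": "issuer", "Subject": "subject",
          "Not Before": "not_before", "Not After": "not_after"}


def parse_chain(text):
    """Turn gnutls-cli certificate info into a list of dicts, in chain order."""
    certs = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"- Certificate\[(\d+)\] info:", line)
        if header:
            certs.append({"index": int(header.group(1))})
            continue
        key, sep, value = line.partition(": ")
        if certs and sep and key in FIELDS:
            if key.startswith("Not "):
                value = datetime.strptime(value, "%a %b %d %H:%M:%S UTC %Y")
                value = value.replace(tzinfo=timezone.utc)
            certs[-1][FIELDS[key]] = value
    return certs


def audit_chain(certs, at):
    """Return (index, subject, notes) per certificate, judged at time `at`."""
    findings = []
    for pos, cert in enumerate(certs):
        notes = []
        if not cert["not_before"] <= at <= cert["not_after"]:
            notes.append("outside validity period")
        if cert["issuer"] == cert["subject"]:
            notes.append("self-signed")
        elif pos + 1 < len(certs) and certs[pos + 1]["subject"] != cert["issuer"]:
            notes.append("next certificate is not the issuer")
        findings.append((cert["index"], cert["subject"], notes))
    return findings


if __name__ == "__main__":
    for index, subject, notes in audit_chain(parse_chain(SAMPLE_OUTPUT), CHECK_TIME):
        print(index, subject, "->", ", ".join(notes) or "ok")
```

Only Certificate[3], the self-signed DST Root CA X3, is outside its validity period; the cross-signed ISRG Root X1 in Certificate[2] is itself still valid but chains to that expired root.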

To fix this problem for good I need to make sure newer certificates for sendmail are requested without the extra certificate at the end. The ACME protocol has an option to do this request with an extra parameter 'preferred-chain', as explained in "Howto obtain a full certificate chain without a cross-signed ISRG Root X1" (Let's Encrypt community). To do this with the dehydrated client I need to add the following to /etc/dehydrated/config:
# Preferred issuer chain (default: <unset> -> uses default chain)
PREFERRED_CHAIN="ISRG Root X1"

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.