2021-10-23
Something weird with sendmail and Let's Encrypt
Noticed this in the logs:
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256

This matches exactly the expiry of the DST Root CA X3:

koos@wozniak:/usr/share/ca-certificates/mozilla$ openssl x509 -in DST_Root_CA_X3.crt -noout -startdate -enddate
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT

But now to find out where this goes wrong... Since sendmail uses gnutls, I debugged it with gnutls-cli, but I can't find a problem using that method:

koos@gosper:~$ gnutls-cli -V --starttls --port 587 postbode.idefix.net
Processed 126 CA certificate(s).
Resolving 'postbode.idefix.net:587'...
Connecting to '2a10:3781:1669:1::23:587'...
- Simple Client Mode:
- Received[379]:
220-gosper.idefix.net ESMTP Sendmail 8.15.2/8.15.2/Debian-14~deb10u1; Sat, 23 Oct 2021 16:57:14 +0200; (No UCE/UBE)
220- This is a private SMTP server.
220- The use of this or any related system for the transmission of
220- Unsollicited Bulk E-mail (UBE) is prohibited.
220 logging access from: gosper.idefix.net(OK)-gosper.idefix.net [IPv6:2a10:3781:1669:1:0:0:0:23]
STARTTLS
- Sent: 9 bytes
- Received[30]:
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 048cb3c00b7550e9ee4a74960f3c54c68bef
    Issuer: CN=R3,O=Let's Encrypt,C=US
    Validity:
        Not Before: Sat Oct 23 13:21:13 UTC 2021
        Not After: Fri Jan 21 13:21:12 UTC 2022
    Subject: CN=postbode.idefix.net
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
    Extensions:
        Key Usage (critical):
            Digital signature.
            Key encipherment.
        Key Purpose (not critical):
            TLS WWW Server.
            TLS WWW Client.
        Basic Constraints (critical):
            Certificate Authority (CA): FALSE
        Subject Key Identifier (not critical):
            13a60fab60bb64982cd59688624d72d6fd08e71f
        Authority Key Identifier (not critical):
            142eb317b75856cbae500940e61faf9d8b14c2c6
        Authority Information Access (not critical):
            Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
            Access Location URI: http://r3.o.lencr.org
            Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
            Access Location URI: http://r3.i.lencr.org/
        Subject Alternative Name (not critical):
            DNSname: kzdoos-in.idefix.net
            DNSname: postbode.idefix.net
            DNSname: postbox.idefix.net
        Certificate Policies (not critical):
            2.23.140.1.2.1
            1.3.6.1.4.1.44947.1.1.1
                URI: http://cps.letsencrypt.org
    Signature Algorithm: RSA-SHA256
- Certificate[1] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 00912b084acf0c18a753f6d62e25a75f5a
    Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
    Validity:
        Not Before: Fri Sep 04 00:00:00 UTC 2020
        Not After: Mon Sep 15 16:00:00 UTC 2025
    Subject: CN=R3,O=Let's Encrypt,C=US
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
    Extensions:
        Key Usage (critical):
            Digital signature.
            Certificate signing.
            CRL signing.
        Key Purpose (not critical):
            TLS WWW Client.
            TLS WWW Server.
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
            Path Length Constraint: 0
        Subject Key Identifier (not critical):
            142eb317b75856cbae500940e61faf9d8b14c2c6
        Authority Key Identifier (not critical):
            79b459e67bb6e5e40173800888c81a58f6e99b6e
        Authority Information Access (not critical):
            Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
            Access Location URI: http://x1.i.lencr.org/
        CRL Distribution points (not critical):
            URI: http://x1.c.lencr.org/
        Certificate Policies (not critical):
            2.23.140.1.2.1
            1.3.6.1.4.1.44947.1.1.1
    Signature Algorithm: RSA-SHA256
- Certificate[2] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 4001772137d4e942b8ee76aa3c640ab7
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Validity:
        Not Before: Wed Jan 20 19:14:03 UTC 2021
        Not After: Mon Sep 30 18:14:03 UTC 2024
    Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: High (4096 bits)
    Extensions:
        Basic Constraints (critical):
            Certificate Authority (CA): TRUE
        Key Usage (critical):
            Certificate signing.
            CRL signing.
        Authority Information Access (not critical):
            Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
            Access Location URI: http://apps.identrust.com/roots/dstrootcax3.p7c
        Authority Key Identifier (not critical):
            c4a7b1a47b2c71fadbe14b9075ffc41560858910
        Certificate Policies (not critical):
            2.23.140.1.2.1
            1.3.6.1.4.1.44947.1.1.1
                URI: http://cps.root-x1.letsencrypt.org
        CRL Distribution points (not critical):
            URI: http://crl.identrust.com/DSTROOTCAX3CRL.crl
        Subject Key Identifier (not critical):
            79b459e67bb6e5e40173800888c81a58f6e99b6e
    Signature Algorithm: RSA-SHA256
- Certificate[3] info:
 - X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 44afb080d6a327ba893039862ef8406b
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Validity:
        Not Before: Sat Sep 30 21:12:19 UTC 2000
        Not After: Thu Sep 30 14:01:15 UTC 2021
    Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
- Status: The certificate is trusted.
- Description: (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.3
- Server Signature: RSA-PSS-RSAE-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Options:
- Channel binding 'tls-unique':
- Peer has closed the GnuTLS connection

Even removing the cross-signed signature linking the ISRG Root X1 to the DST Root CA X3 on the server side on the mailserver doesn't make the problem go away. Only removing it from the client side file /etc/mail/tls/sendmail-server.crt makes the error message go away. This is weird!

To fix this problem for good I need to make sure newer certificates for sendmail are requested without the extra certificate at the end. The ACME protocol has an option to do this request with an extra parameter 'preferred-chain', as explained in Howto obtain a full certificate chain without a cross-signed ISRG Root X1 - Let's Encrypt community. To do this with the dehydrated client I need to add the following to /etc/dehydrated/config:

# Preferred issuer chain (default: <unset> -> uses default chain)
PREFERRED_CHAIN="ISRG Root X1"
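As an added example (not part of the original post), here is a small Python script that parses the certificate listing gnutls-cli -V prints and judges the chain two ways: strictly, where every certificate the server sent must still be valid (this trips over the expired DST Root CA X3 at the end), and by anchor, where checking stops at the first certificate whose issuer is already in the client's trust store (this passes, as gnutls-cli did). The sample input is constructed from the subjects, issuers and dates in the listing above; the trust store contents, the check time and the chain without the trailing root are assumptions.

```python
"""Parse the certificate list printed by gnutls-cli -V and judge it two ways:
every sent certificate must be valid, or stop at the first trusted issuer."""
import re
from datetime import datetime, timezone

# Constructed sample (spaces instead of gnutls-cli's tabs, only the fields the
# parser reads) of the 4-certificate chain postbode.idefix.net sent in Oct 2021.
SAMPLE = """\
- Certificate[0] info:
    Issuer: CN=R3,O=Let's Encrypt,C=US
        Not After: Fri Jan 21 13:21:12 UTC 2022
    Subject: CN=postbode.idefix.net
- Certificate[1] info:
    Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
        Not After: Mon Sep 15 16:00:00 UTC 2025
    Subject: CN=R3,O=Let's Encrypt,C=US
- Certificate[2] info:
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Not After: Mon Sep 30 18:14:03 UTC 2024
    Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
- Certificate[3] info:
    Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
        Not After: Thu Sep 30 14:01:15 UTC 2021
    Subject: CN=DST Root CA X3,O=Digital Signature Trust Co.
"""
# The same chain without the trailing DST Root CA X3, which is what the fix yields.
SAMPLE_FIXED = SAMPLE.split("- Certificate[3] info:")[0]
ISRG_ROOT_X1 = "CN=ISRG Root X1,O=Internet Security Research Group,C=US"
DST_ROOT_X3 = "CN=DST Root CA X3,O=Digital Signature Trust Co."
TRUSTED = {ISRG_ROOT_X1, DST_ROOT_X3}  # assumed client trust store (by subject)
NOW = datetime(2021, 10, 23, 14, 57, 14, tzinfo=timezone.utc)  # time of the run

CERT_START = re.compile(r"^- Certificate\[\d+\] info:")
FIELD = re.compile(r"^\s*(Issuer|Subject|Not After):\s*(.+?)\s*$")
GNUTLS_TIME = "%a %b %d %H:%M:%S UTC %Y"  # gnutls-cli prints UTC timestamps

def parse_chain(text):
    """One dict per certificate, in the order the server sent them."""
    certs = []
    for line in text.splitlines():
        if CERT_START.match(line):
            certs.append({})
        elif certs and (m := FIELD.match(line)):
            key, value = m.groups()
            if key == "Not After":
                value = datetime.strptime(value, GNUTLS_TIME).replace(tzinfo=timezone.utc)
            certs[-1][key] = value
    return certs

def check_chain(text, now=NOW, trusted=TRUSTED):
    """strict_ok: all sent certificates valid. anchor_ok: valid up to the first
    certificate whose issuer is already trusted; anything after it is ignored."""
    certs = parse_chain(text)
    anchor = next((i for i, c in enumerate(certs) if c["Issuer"] in trusted), None)
    used = certs if anchor is None else certs[:anchor + 1]
    beyond = [] if anchor is None else certs[anchor + 1:]
    def expired(cs):
        return [c["Subject"] for c in cs if c["Not After"] < now]
    return {"depth": len(certs), "expired": expired(certs),
            "beyond_anchor": [c["Subject"] for c in beyond],
            "strict_ok": not expired(certs),
            "anchor_ok": anchor is not None and not expired(used)}

if __name__ == "__main__":
    print("as sent:", check_chain(SAMPLE)); print("fixed:", check_chain(SAMPLE_FIXED))
```

Run it against a real listing by piping the output of gnutls-cli -V into parse_chain; the "beyond_anchor" list is what the server is sending that a client with ISRG Root X1 in its trust store never needs.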