I tried to configure Laravel mail client with secure connection via TLS to my email server but in email client I got:
Unable to connect with STARTTLS: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed.
At the same time on my email server in /var/log/maillog I observed the following:
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: connect from unknown[111.211.48.11]
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: SSL_accept error from unknown[111.211.48.11]: 0
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: warning: TLS library problem: 30830:error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:s3_pkt.c:1493:SSL alert number 45:
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: lost connection after STARTTLS from unknown[111.211.48.11]
Aug 8 10:05:46 mail postfix/submission/smtpd[30830]: disconnect from unknown[111.211.48.11]
But Letsencrypt certificate was up to date.
After some investigation I came to the fact that my mail server used an outdated version of OpenSSL, which chokes on Letsencrypt’s cross-signature of the (expired) DST Root CA X3 certificate.
I requested a new certificate using certbot with --preferred-chain "ISRG Root X1" set and restartd postfix and dovecot:
|
1 |
certbot renew --post-hook "systemctl restart dovecot && systemctl restart postfix" --preferred-chain "ISRG Root X1" --force-renewal |
And the problem was resolved!
