• Re: cert-issuer=/C=US/O=Let's+20Encrypt/CN=R3,

    From HQuest@21:1/5 to All on Fri Jan 5 02:16:44 2024
    Claus can probably correct me, but this is what I use for SSL at both the server and client settings in my .m4 file:

    define(`confCACERT_PATH', `/etc/ssl/certs')
    define(`confCACERT', `/etc/ssl/private/chain.pem')
    define(`confSERVER_CERT', `/etc/ssl/private/cert.pem')
    define(`confSERVER_KEY', `/etc/ssl/private/cert.key')
    define(`confCLIENT_CERT', `/etc/ssl/private/cert.pem')
    define(`confCLIENT_KEY', `/etc/ssl/private/cert.key')

    Replace the paths and cert/key files with your own.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From HQuest@21:1/5 to All on Mon Jan 22 03:22:50 2024
    The DST Root CA X3 certificate is not part of the default ca-certificates package from Mozilla, and is likely not found in your certs/ folder - unless you manually added it *and* updated your certificate hooks (via the update-ca-certificates shell script).
    Alternatively, if you are using certbot to renew your certificates, add the flag --preferred-chain "ISRG Root X1", so it uses the self-signed certificate and not the cross-signed ISRG Root certificate signed by the DST Root CA.

    For more info on the LE certificate chain, see https://letsencrypt.org/certificates/ .

    Hope this helps - it works like a champ over here with the self-signed cert and the flags I originally sent you above.

  • From HQuest@21:1/5 to All on Mon Jan 22 17:00:55 2024
    Probably because you have both CACERT and CACERT_PATH, it is using the CACERT value first (i.e., your chain.pem certificate that contains the expired certificate) over the CACERT_PATH folder. Why certbot is issuing you a chain with an expired certificate is something you have to check with the Let's Encrypt folks, but you might want to remove chain.pem from your configuration and use the non-expired certificate under /etc/ssl/certs then - or, as I suggested, rely on one less certificate in the chain and use a specific root certificate whenever requesting your next certificates. But for sure, sendmail is not to be blamed here.

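A quick way to verify the situation discussed in this thread, an expired member (such as DST Root CA X3) sitting inside the chain.pem that confCACERT points at, and whether the last certificate in the bundle is self-signed or cross-signed. This is an added example, not code from the original posts; it assumes only a POSIX shell and the openssl CLI, and the path /etc/ssl/private/chain.pem is the one from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): inspect every certificate in a PEM
# bundle such as the chain.pem handed to confCACERT, print subject, issuer and
# notAfter, and count the members that are expired or expire within MIN_DAYS.
# Needs only the openssl CLI. Exit status = number of flagged certificates.

check_chain() {
    chain="$1"; min_days="${2:-0}"; flagged=0
    tmpdir=$(mktemp -d) || return 255
    # Split the bundle into one file per "-----BEGIN CERTIFICATE-----" block;
    # anything outside those markers (comments, private keys) is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$chain"
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        issuer=$(openssl x509 -in "$f" -noout -issuer)
        enddate=$(openssl x509 -in "$f" -noout -enddate)
        # -checkend N fails when the cert expires within N seconds (0 = already expired)
        if openssl x509 -in "$f" -noout -checkend $((min_days * 86400)) >/dev/null; then
            state="ok"
        else
            state="EXPIRED or expiring within $min_days day(s)"
            flagged=$((flagged + 1))
        fi
        # subject == issuer marks a self-signed root (e.g. ISRG Root X1 itself),
        # as opposed to the cross-signed copy issued by DST Root CA X3
        [ "${subject#subject=}" = "${issuer#issuer=}" ] && state="$state, self-signed"
        printf '%s\n  %s\n  %s\n  => %s\n' "$subject" "$issuer" "$enddate" "$state"
    done
    rm -rf "$tmpdir"
    return "$flagged"
}

# Example invocation against the path used in the thread (flag anything with
# less than 30 days left):
# check_chain /etc/ssl/private/chain.pem 30 || echo "$? certificate(s) need attention"
```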