[BlueOnyx:26510] Re: Strange SSL error

Michael Stauber mstauber at blueonyx.it
Sat Sep 23 19:36:28 -05 2023


Hi Rodrigo,

> We are still having this problem on a newly yummed 5211, Server offers the
> BX.Host certificate instead of the domain when using
> outlook with pops and smtps,
>
> Certificate is letsencrypt
>
> Do I have to install a specific package to receive the correction, The
> domain only has 1 alias.

No, this should already work fine. You could try to restart CCEd to 
force an update of the SSL configuration for Postfix and Dovecot, though:

/usr/sausalito/sbin/cced.init restart

You can also test the TLS connection against Postfix this way:

openssl s_client -starttls smtp -connect <server>:587

Just replace <server> with the fully qualified domain name you want to test.

Example:

openssl s_client -starttls smtp -connect 5210r2.smd.net:587

That is a Vsite on a 5210R with an LE cert. In the output the relevant 
lines are these:

mstauber at beast:~$ openssl s_client -starttls smtp -connect 5210r2.smd.net:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5210r2.smd.net
verify return:1
---
Certificate chain
  0 s:CN = 5210r2.smd.net
    i:C = US, O = Let's Encrypt, CN = R3
    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
    v:NotBefore: Sep 10 07:50:50 2023 GMT; NotAfter: Dec  9 07:50:49 2023 GMT
  1 s:C = US, O = Let's Encrypt, CN = R3
    i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
  2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
    i:O = Digital Signature Trust Co., CN = DST Root CA X3
    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
    v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---

Above it shows the name of the certificate that answered:

depth=0 CN = 5210r2.smd.net

Also further below in the output below the raw certificate you can see 
something like this:

-----END CERTIFICATE-----
subject=CN = 5210r2.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3

That also (again) tells us which domain the cert is valid for and the 
issuer.

Try it with the FQDN of the Vsite that is not working and see if the 
cert validity that shows up is for the Vsite or for the server.

-- 
With best regards

Michael Stauber
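
Added example, not part of the message above and not BlueOnyx code: a shell helper that automates the check described in the post by reading the leaf "subject=" line from openssl s_client output and comparing its CN with the Vsite FQDN. The function names and the example.* hostnames are assumptions; it compares the CN only and does not inspect SAN aliases.

```shell
#!/usr/bin/env bash
# Added example: report whether a mail service presented the Vsite's own
# certificate or a different one (for instance the server default).

# Read `openssl s_client` output on stdin and print the leaf certificate CN
# from the "subject=" line ("subject=CN = name" or the older "subject=/CN=name").
leaf_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1 | tr -d '[:space:]'
}

# Compare the presented CN with the expected FQDN ($1), case-insensitively.
# CN only: names that appear solely as SAN aliases are not checked here.
cert_verdict() {
    _want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    _got=$(leaf_cn | tr '[:upper:]' '[:lower:]')
    if [ -n "$_got" ] && [ "$_got" = "$_want" ]; then
        echo "MATCH $_got"
    else
        echo "MISMATCH expected=$_want presented=${_got:-none}"
        return 1
    fi
}

# Live check on the submission port, as in the post. -servername sets the SNI
# name explicitly; </dev/null lets s_client exit once the handshake is done.
# Usage: check_submission vsite.example.org
check_submission() {
    openssl s_client -starttls smtp -servername "$1" -connect "$1:587" \
        </dev/null 2>/dev/null | cert_verdict "$1"
}

# Constructed sample: the subject/issuer lines quoted in the post.
sample_vsite_cert() {
    cat <<'EOF'
-----END CERTIFICATE-----
subject=CN = 5210r2.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3
EOF
}

# Constructed sample: a server-wide certificate answering instead
# (server.example.com is a placeholder hostname).
sample_server_cert() {
    cat <<'EOF'
-----END CERTIFICATE-----
subject=CN = server.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
EOF
}
```

A MISMATCH result for a Vsite FQDN means a certificate with a different CN answered, which is the symptom reported in the quoted question.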



