6.1, opensmtpd: unable to verify the first certificate

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

6.1, opensmtpd: unable to verify the first certificate

Harald Dunkel-3
Hi folks,

opensmtpd problem on openbsd 6.1: smtpd.conf says


xname = "mail.example.de"

pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname certificate "/etc/ssl/public/mail.example.de.pem"
ca $xname certificate "/etc/ssl/public/DigiCertCA.crt"

limit mta inet4
listen on lo0 tls pki $xname ca $xname
listen on internal tls pki $xname ca $xname
listen on external tls pki $xname ca $xname
:
:


If I try to verify starttls via openssl s_client from another
host, then it complains

        Verification error: unable to verify the first certificate

# ----------------------------------------------------------------
% openssl s_client -connect mail.example.de:25 -starttls smtp
CONNECTED(00000003)
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = *.example.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = NRW, L = Kleinesdorfnahekoeln, O = example AG, CN = *.example.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFHDCCBASgAwIBAgIQCvjGPkV+KuTwCbtsU6MMVzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
:
ROBuAtmbmyGV7JgZibJHwMza1lhyerRndUCluQdrnwxwyxf9mkxq/e3MQ+g2A7YJ
Er5U9dCsV8c/59ehxPis0A==
-----END CERTIFICATE-----
subject=/C=DE/ST=NRW/L=Kleinesdorfnahekoeln/O=example AG/CN=*.example.de
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2000 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 025B8C04418CA6...DC7441262A8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1510221777
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
250 HELP
read:errno=0
# ----------------------------------------------------------------


Apparently the ca chain is not sent by opensmtpd. The "ca" on the
listen lines is ignored.

Is this a known problem? Is there a workaround?

Hopefully you don't mind the question. This is a production host,
i.e. I cannot upgrade to openbsd 6.2 and a new opensmtpd immediately.
Every helpful comment is highly appreciated.


Regards
Harri