Score:0

Exim4 client rejecting TLS certificate

I'm having a problem with Exim4 and TLS certificates. When I try a test connection using gnutls-cli, I get this error:

Processed 128 CA certificate(s).
Resolving 'mail.reformaspaco.es:25'...
Connecting to '192.168.150.200:25'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=mail.reformaspaco.es,OU=it,O=Reformas Paco S.A,L=Madrid,ST=C.A Madrid,C=ES', issuer `CN=mail.reformaspaco.es,OU=it,O=Reformas Paco S.A,L=Madrid,ST=C.A Madrid,C=ES', serial 0x6274542f9f5805fb74152c756e6dd773613a7cad, RSA key 2048 bits, signed using RSA-SHA256, activated `2021-11-09 08:57:20 UTC', expires `2024-11-08 08:57:20 UTC', pin-sha256="xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        Public Key ID:
                sha1:xxxxxxxxxxxxxxxxxxxx
                sha256:xxxxxxxxxxxxxxxxxxxxxxxxx
        Public Key PIN:
                pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Public key's random art:
                +--[ RSA 2048]----+
                |.                |
                | +..             |
                |.o= .            |
                |.*E. .           |
                |*.==o . S        |
                |o=+o . .         |
                |+o .             |
                |+o.              |
                |X+               |
                +-----------------+

- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

I'm using Exim 4.93 installed on Ubuntu Server 20.04. Both server and client are installed in VirtualBox.

Thanks for your time

Score:1

The relevant error is "The certificate issuer is unknown".

That usually means one of several things:

  • The certificate is self-signed and therefore not trusted.
  • The certificate is signed by a CA, but the CA that issued the certificate is not known to the client.
  • The certificate is signed with an intermediate certificate of a known CA, and although the CA is known to the client, the server is not including the necessary intermediate certificate, breaking the CA validation chain.

Then, looking at the certificate output, you see: issuer CN=mail.reformaspaco.es

and you know the cause of the error is the first reason.

You will need a proper certificate to get rid of that error.
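Telling the three causes apart can be scripted from the gnutls-cli output. The following is an added example, not code from the answer or from Exim/GnuTLS: it parses the subject/issuer line, then walks the chain the server sent against a list of trusted root subjects (assumed to be supplied by the operator) and an optional, hypothetical map of intermediates the server did not send.

```python
import re

# Constructed sample in the format gnutls-cli prints (the question's subject/issuer line, pins elided).
SAMPLE_OUTPUT = (
    "- Got a certificate list of 1 certificates.\n"
    "- Certificate[0] info:\n"
    " - subject `CN=mail.reformaspaco.es,OU=it,O=Reformas Paco S.A,L=Madrid,ST=C.A Madrid,C=ES',"
    " issuer `CN=mail.reformaspaco.es,OU=it,O=Reformas Paco S.A,L=Madrid,ST=C.A Madrid,C=ES',"
    " RSA key 2048 bits\n"
    "- Status: The certificate is NOT trusted. The certificate issuer is unknown.\n"
)
# Each "Certificate[n] info" line carries both DNs, each wrapped as `...'.
CERT_RE = re.compile(r"subject `(?P<subject>[^']*)', issuer `(?P<issuer>[^']*)'")


def parse_chain(output):
    """Return the (subject, issuer) DN pairs gnutls-cli printed, leaf first."""
    return [(m.group("subject"), m.group("issuer")) for m in CERT_RE.finditer(output)]


def diagnose(chain, trusted_roots, extra_intermediates=None):
    """Map an 'issuer is unknown' failure to one of the causes listed in the answer.
    chain: (subject, issuer) pairs exactly as the server sent them, leaf first.
    trusted_roots: subject DNs of the CA certificates in the client's trust store.
    extra_intermediates: {subject: issuer} the operator has on hand (hypothetical input,
        e.g. the CA's bundle) but the server did not send; tells the last two causes apart.
    """
    if not chain:
        return "no certificate presented"
    roots, sent, extra = set(trusted_roots), dict(chain), extra_intermediates or {}
    subject, issuer = chain[0]
    visited = set()
    while subject not in visited:          # guard against a looping chain
        visited.add(subject)
        if issuer in roots:
            return "trusted"               # the chain reaches the trust store
        if issuer == subject:              # leaf signs itself; a later self-signed link is an unknown root
            return "self-signed" if subject == chain[0][0] else "unknown CA"
        if issuer not in sent:
            break                          # the server stopped sending links here
        subject, issuer = issuer, sent[issuer]
    # The chain ends at an issuer the client does not know. If the operator's own copy of
    # the intermediate(s) reaches a trusted root, the server is simply not sending it.
    while issuer in extra and issuer not in visited:
        visited.add(issuer)
        if extra[issuer] in roots:
            return "missing intermediate"
        issuer = extra[issuer]
    return "unknown CA"                    # nothing on the client side knows this CA
```

Run against the question's output with any trust store that lacks the server's own certificate, `diagnose` returns "self-signed", matching the answer's conclusion.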

GGGuilleGGG
Thank you for your answer. Is there a way to configure clients to accept self-signed certificates? This is just for a test server.