SSL won't work

Hello everybody,

Today my SSL certificate expired and I replaced it with a new one.
Since then I am not able to send emails via TLS - mail server Exim.

The certificate is issued by Sectigo and is a wildcard.
The old certificate was from Comodo.

Now I thought to myself that the ROOT CA might not be available on a Fedora 25 and a CentOS 7 server.

I tested from this server as follows:
gnutls-cli -s -p 587 172.20.5.100

The result:
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `CN=*.example.com', issuer `C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-05-15 00:00:00 UTC', expires `2022-08-13 23:59:59 UTC', SHA-1 fingerprint `5361b099b238be2cc50aecffdb50494dc8c04809'
	Public Key ID:
		f21f313a5991b447512b9468984398b6df62d2ca
	Public key's random art:
		+--[ RSA 2048]----+
		| + .o .. ++. |
		| + + .o =. . |
		| . . o + o. |
		| . o. |
		| .oS. + |
		| .o = +. o |
		| . + = .. |
		| E o. |
		| . |
		+-----------------+
- Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed

Obviously the issuer disagrees.
I then imported the Sectigo root CA onto both servers. The error remains the same.
What I also noticed is that the issuer is named differently in the root CA.

In the certificate: CN = Sectigo RSA Domain Validation Secure Server CA
In the root CA: CN = USERTrust RSA Certification Authority

I have no idea how to solve this problem anymore.
Maybe I'm on a completely wrong path.

Anyone have an idea?

Greetings

Comments

  liebelein01 (Posts: 2), edited April 2021

    Hi all,

    As I wrote: wrong path...

    The problem was that the Java keystore was so old that the newest CAs were not in it.
    Which means it was a Java problem, not an Exim problem.
    I use a Java program to send mails. I missed that fact in my first post.

    I imported the CAs and all is running smoothly as before :-)

    Regards
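The two things the thread turns on (the question's observation that the leaf's issuer name is not the name of the root CA, and the reply's finding that an old trust store simply did not contain the CA) can both be reproduced with a throwaway test PKI. The script below is an added example, not code from the thread or from any of the tools it mentions: it uses openssl to build a root, an intermediate whose subject is the leaf's issuer, and a wildcard server certificate, then runs the same checks a TLS client does. All names, files and the stale "old root" are constructed for the example; they only mirror the shape of the poster's chain and are not the Sectigo or USERTrust certificates.

```shell
#!/bin/sh
# Added example (not from the forum thread). Builds a three-tier test PKI with
# openssl and shows why "issuer" on the leaf differs from the root's CN, why a
# server that sends only one certificate fails verification, and why a trust
# store that lacks the current root fails even with the full chain present.
# Requires openssl 1.1.0 or newer (for -verify_hostname / -verify_ip / -no-CApath).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\ncommonName = unused\n' > "$WORK/req.cnf"
# CA certs must carry CA:TRUE or openssl refuses to accept them as issuers.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:*.example.com\n' > "$WORK/leaf.ext"

# Generate a fresh RSA key and CSR named $1 with subject $2 (constructed names).
csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

make_test_pki() {
  # 1. Self-signed current root: the name that has to be in the client's trust store.
  csr root "/C=XX/O=Example Ltd/CN=Example Root Certification Authority"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1
  # 2. Intermediate signed by the root. Its subject is what the leaf will show as
  #    "issuer", which is why the leaf's issuer and the root's CN do not match.
  csr int "/C=XX/O=Example Ltd/CN=Example RSA Domain Validation Secure Server CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1000 -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  # 3. Wildcard server (leaf) certificate signed by the intermediate.
  csr leaf "/CN=*.example.com"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 2000 -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
  # 4. A stale trust store: an unrelated old root, standing in for a keystore
  #    that predates the CA now in use.
  csr oldroot "/C=XX/O=Example Ltd/CN=Example Old Root Certification Authority"
  openssl x509 -req -in "$WORK/oldroot.csr" -signkey "$WORK/oldroot.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/oldroot.pem" >/dev/null 2>&1
}

# All checks ignore the system trust store (-no-CApath -no-CAfile) so that only
# the store named with -CAfile counts, exactly like a private Java keystore.
# Trust store = current root; server presents the leaf alone ("certificate list of 1").
verify_leaf_only() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Same trust store, with the intermediate supplied as an untrusted chain cert.
verify_with_intermediate() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Full chain presented, but the trust store only knows the old root.
verify_stale_store() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/oldroot.pem" \
    -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Chain plus name check; $1 is the host name the client expects to talk to.
verify_for_host() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Chain plus name check when the client connects by IP address instead.
verify_for_ip() {
  openssl verify -no-CApath -no-CAfile -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_ip "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_test_pki
openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer
openssl x509 -in "$WORK/root.pem" -noout -subject
verify_leaf_only         && echo "leaf only, root trusted:        OK" || echo "leaf only, root trusted:        FAIL (unable to get local issuer certificate)"
verify_with_intermediate && echo "leaf + intermediate:            OK" || echo "leaf + intermediate:            FAIL"
verify_stale_store       && echo "full chain, stale trust store:  OK" || echo "full chain, stale trust store:  FAIL (root not in store)"
verify_for_host mail.example.com && echo "name check mail.example.com:    OK" || echo "name check mail.example.com:    FAIL"
verify_for_ip 172.20.5.100       && echo "name check 172.20.5.100:        OK" || echo "name check 172.20.5.100:        FAIL (no IP in SAN)"
```

The first two `openssl x509 -noout` lines print what the question observed: the leaf's issuer is the intermediate's subject, and the root's subject is a different name; that is normal and not an error. `verify_leaf_only` fails because the server sent only its own certificate and the client has no way to reach the root without the intermediate; the same trust store succeeds once the intermediate is supplied, so an Exim server should be configured to send the full chain. `verify_stale_store` fails with the complete chain because the store lacks the current root, which is the situation the reply found in the old Java keystore. The last two checks show that a wildcard certificate satisfies a host name under the domain but not an IP address, which matches the "name in the certificate does not match" status gnutls-cli reported when the test was run against 172.20.5.100 rather than a host name.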
