SSL wont work

liebelein01

Hello everybody,

Today my SSL certificate expired and I replaced it with a new one.
Since then i am not able to send emails via TLS - Mailserver EXIM.

The certificate is issued by Sectigo and is a wildcard.
The old certificate was from Combodo.

Now I thought to myself that the ROOT CA might not be available on a Fedora 25 and a CentOS 7 server.

I tested from this server as follows:
gnutls-cli -s -p 587 172.20.5.100

The result:
*** Starting TLS handshake

• Certificate type: X.509
• Got a certificate list of 1 certificates.

• Certificate [0] info:

  • subject CN = *. example.com ', issuer C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated 2020-05-15 00:00:00 UTC ', expires 2022-08-13 23:59:59 UTC', SHA-1 fingerprint `5361b099b238be2cc50aecffdb50494dc8c04809 '
    Public Key ID:
    f21f313a5991b447512b9468984398b6df62d2ca
    Public key's random art:
    + - [RSA 2048] ---- +
    | + .o .. ++. |
    | + + .o =. . |
    | . . o + o. |
    | . o. |
    | .oS. + |
    | .o = +. o |
    | . + = .. |
    | E o. |
    | . |
    + ----------------- +

• Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
  *** PKI verification of server certificate failed ...
  *** Fatal error: Error in the certificate.
  *** Handshake has failed

Obviously the issuer disagrees.
I then imported the Sectigo ROOT CA onto both servers. The mistake remains the same.
What I also noticed there is that the ISSUER is also called differently in the ROOT CA.

In the certificate: CN = Sectigo RSA Domain Validation Secure Server CA
In the ROOT CA: CN = USERTrust RSA Certification Authority

I have no idea how to solve this problem anymore.
Maybe I'm on a completely wrong path.

Anyone have an idea?

greeting

liebelein01

Hi all,

as i wrote. Wrong path...

The problem was, the JAVA keystore was that old, that the newest CAs where not in.
What means, it was a java not exim problem.
I use a JAVA program to send mails. I missed that fact in my first post.

I imported the CA's an all is running smooth as before :-)

regards