Welcome to the Linux Foundation Forum!

SSL won't work

Hello everybody,

Today my SSL certificate expired and I replaced it with a new one.
Since then I am not able to send emails via TLS - Mailserver EXIM.

The certificate is issued by Sectigo and is a wildcard.
The old certificate was from Combodo.

Now I thought to myself that the ROOT CA might not be available on a Fedora 25 and a CentOS 7 server.

I tested from this server as follows:
gnutls-cli -s -p 587 172.20.5.100

The result:
*** Starting TLS handshake

  • Certificate type: X.509
  • Got a certificate list of 1 certificates.
  • Certificate [0] info:

    • subject `CN = *.example.com', issuer `C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2020-05-15 00:00:00 UTC', expires `2022-08-13 23:59:59 UTC', SHA-1 fingerprint `5361b099b238be2cc50aecffdb50494dc8c04809'
      Public Key ID:
      f21f313a5991b447512b9468984398b6df62d2ca
      Public key's random art:
      + - [RSA 2048] ---- +
      | + .o .. ++. |
      | + + .o =. . |
      | . . o + o. |
      | . o. |
      | .oS. + |
      | .o = +. o |
      | . + = .. |
      | E o. |
      | . |
      + ----------------- +
  • Status: The certificate is NOT trusted. The name in the certificate does not match the expected.
    *** PKI verification of server certificate failed ...
    *** Fatal error: Error in the certificate.
    *** Handshake has failed

Obviously the issuer disagrees.
I then imported the Sectigo ROOT CA onto both servers. The mistake remains the same.
What I also noticed there is that the ISSUER is also called differently in the ROOT CA.

In the certificate: CN = Sectigo RSA Domain Validation Secure Server CA
In the ROOT CA: CN = USERTrust RSA Certification Authority

I have no idea how to solve this problem anymore.
Maybe I'm on a completely wrong path.

Anyone have an idea?

Greetings

Comments

  • Posts: 2
    edited April 2021

    Hi all,

    As I wrote: wrong path...

    The problem was that the Java keystore was so old that the newest CAs were not in it.
    Which means it was a Java problem, not an Exim problem.
    I use a Java program to send mails. I missed that fact in my first post.

    I imported the CAs and all is running as smoothly as before :-)

    regards
