
9.706-9 EXIM: SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN

Hi,

After the update I got this error message with my Alpha (GlobalSign) wildcard SSL certificate.

2021:05:14-21:30:56 hostname exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=*.mydomain.de
2021:05:14-21:30:56 hostname exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=*.mydomain.de
Any hints?


  • Well, some checks:

    openssl s_client -showcerts -connect my.server.here:465 -servername my.server.here

    CONNECTED(00000003)
    depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
    verify return:1
    depth=0 CN = *.mydomain.here
    verify return:1
    ---
    Certificate chain
    0 s:CN = *.mydomain.here
      i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

    Server certificate
    subject=CN = *.mydomain.here

    issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2669 bytes and written 390 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
       Protocol  : TLSv1.3
       Cipher    : TLS_AES_256_GCM_SHA384

    So the certificate is installed correctly on the server. (All other ports are the same: 443, 993 and so on.)

    So why is Exim on the firewall telling me it can't verify the cert?

    And do I still have a secure connection?

  • I see the exact same error on my firewalls with 9.706-9; it happens only to exim-out, no error on exim-in as far as I can see.

    It happens to internal certificates (firewall sending to Exchange) and external certificates (firewall sending to external MX).

    The e-mails are still getting delivered, no error on that, just in the log files...

    Do you have a business license? If yes, you could open a ticket with Sophos Support.

  • Correct. I've got an internal Postfix / Dovecot server...

    I checked the Exim documentation and Exim is working as it should be. That's what the documentation tells me.

    Anyway, if you put (in my case) the fullchain.pem from Let's Encrypt into the *.crt of a Dovecot or Postfix on the internal mail server, you should see that this error message is gone.

  • Same problem here, but some PDF files in e-mails did not work after the update.

  • Do you have 9.706-8 or 9.706-9 installed?

    With 9.706-8 there is a bug with attachments.

  • We have 9.706-8. Thanks for the hint.

  • Same here, we are using the newest firmware --> 9.706-9 (updated from 9.705-3) and we now have the following errors in the SMTP logs:

    Errors with external SMTP mail servers:

    1: SSL verify error: depth=1 error=unable to get local issuer certificate cert=/C=US/O=Google Trust Services/CN=GTS CA 1O1

    or 2: SSL verify error: depth=1 error=unable to get local issuer certificate cert=/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
    ------------------------------------------------------------------------------------
    And also with our internal mail server certificate (it's a certificate from a public CA --> Sectigo (Comodo)):
    SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=SRVEX2019
    Mail flow still works, but Sophos needs to solve this problem...
  • Hello Jonas,

    You should open a case with Sophos Support.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have a case open for this issue now: #03997644.

  • Hi,

    This message is caused by the tls_verify_certificate feature in Exim. If Exim fails to verify the certificate provided by the remote mail server, it’ll log this message. However, this does not affect email traffic, and TLS works as expected. This is only a warning message and does not affect any functionality.

    Thanks,
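As an added example (not part of this thread, and not Sophos UTM or Exim code), here is a small Python triage script over constructed log lines modelled on the ones quoted in this thread. It parses each Exim "SSL verify error" line and maps the error/depth pair to the side that has to act: OpenSSL reports an issuer-lookup failure at the depth of the certificate whose issuer it could not find, so a depth=0 "unable to get local issuer certificate" (the opening post's case, where the s_client output above lists only entry 0 under "Certificate chain") points at a peer sending its leaf without the intermediate, which is what the fullchain.pem advice above fixes, while the same error at depth=1 (the GTS and DigiCert lines) means the intermediate was presented but the root that signed it is not in the firewall's CA store. Hostnames, message IDs and certificate subjects in the sample are placeholders, and the classification strings are this script's own, not Exim's.

```python
"""Triage Exim 'SSL verify error' log lines: who has to fix what."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in this thread.
# Hosts, message IDs and certificate subjects are placeholders.
SAMPLE_LOG = """\
2021:05:14-21:30:56 fw exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=*.example.test
2021:05:14-21:30:56 fw exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=*.example.test
2021:05:14-21:31:02 fw exim-out[32410]: 2021-05-14 21:31:02 1lhdWY-0008QZ-AA [0.0.0.0] SSL verify error: depth=1 error=unable to get local issuer certificate cert=/C=US/O=Example Trust/CN=Example Intermediate CA 1
2021:05:14-21:31:05 fw exim-out[32411]: 2021-05-14 21:31:05 1lhdWb-0008Qc-BB [0.0.0.0] SSL verify error: depth=0 error=certificate has expired cert=/CN=mail.expired.test
2021:05:14-21:31:07 fw exim-in[32412]: 2021-05-14 21:31:07 1lhdWd-0008Qe-CC <= sender@example.test H=[0.0.0.0] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256
"""

# Exim message IDs are 6-6-2 base62 groups; the cert= subject may contain spaces,
# so it is taken to end of line. "cert=" never matches inside "certificate".
LINE_RE = re.compile(
    r"(?P<daemon>exim-(?:in|out))\[\d+\]: .*?"
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"\[(?P<peer>[^\]]*)\] SSL verify error: depth=(?P<depth>\d+) "
    r"error=(?P<error>.+?) cert=(?P<cert>.*)$"
)

PEER_SIDE = "peer"
LOCAL_SIDE = "local CA store"


def diagnose(depth: int, error: str) -> tuple:
    """Return (side that has to act, short reason) for one verify error.

    The depth is the position of the certificate whose issuer could not be
    found: 0 is the leaf (its intermediate was not presented and is not
    trusted locally), 1 is a presented intermediate whose root is missing
    from the verifier's CA bundle.
    """
    if error == "unable to get local issuer certificate":
        if depth == 0:
            return (PEER_SIDE, "leaf sent without its intermediate; install the full chain on the peer")
        return (LOCAL_SIDE, "issuer of the presented intermediate not trusted here; update the CA bundle")
    if error == "unable to verify the first certificate":
        return (PEER_SIDE, "follow-on of the depth=0 issuer error; no separate fix")
    if error == "certificate has expired":
        return (PEER_SIDE, "expired certificate; the peer must renew")
    return ("unknown", "inspect with: openssl s_client -showcerts -connect host:port")


def parse_verify_errors(log_text: str) -> list:
    """Extract every 'SSL verify error' line into a dict; ignore other lines."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        depth = int(m.group("depth"))
        side, why = diagnose(depth, m.group("error"))
        records.append({
            "daemon": m.group("daemon"),
            "msgid": m.group("msgid"),
            "peer": m.group("peer"),
            "depth": depth,
            "error": m.group("error"),
            "cert": m.group("cert"),
            "fix_side": side,
            "why": why,
        })
    return records


def summarize(records: list) -> dict:
    """Group by certificate subject so one noisy peer is one row, not hundreds."""
    by_cert = defaultdict(lambda: {"count": 0, "depths": set(), "fix_side": set()})
    for r in records:
        entry = by_cert[r["cert"]]
        entry["count"] += 1
        entry["depths"].add(r["depth"])
        entry["fix_side"].add(r["fix_side"])
    return dict(by_cert)


if __name__ == "__main__":
    recs = parse_verify_errors(SAMPLE_LOG)
    for cert, info in summarize(recs).items():
        sides = ", ".join(sorted(info["fix_side"]))
        print(f"{info['count']:3d}x depth={sorted(info['depths'])} {cert} -> act on: {sides}")
```

Feed it the firewall's SMTP log instead of SAMPLE_LOG to get one row per certificate subject. Since, as the last reply says, these lines are warnings and delivery continues, the session to such a peer is still encrypted but the peer's identity was not verified; the summary tells you which peers to ask for a full chain and when the firewall's own CA bundle is the thing that is out of date.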