Hi,
After the update I got this error message with my Alpha (GlobalSign) wildcard SSL certificate.
Well some checks:
openssl s_client -showcerts -connect my.server.here:465 -servername my.server.here
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = *.mydomain.here
verify return:1
---
Certificate chain
0 s:CN = *.mydomain.here
i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Server certificate
subject=CN = *.mydomain.here
issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2669 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
So the certificate is installed correctly on the server. (All other ports are the same: 443, 993 and so on.)
So why is Exim on the firewall telling me it can't verify the cert?
And do I still have a secure connection?
I see the exact same Error on my Firewalls with 9.706-9, it happens to only exim-out, no error on exim-in as far as I can see.
It happens to internal certificates (firewall sending to Exchange) and external certificates (firewall sending to external MX).
The E-Mails are still getting delivered, no error on that, just in the Logfiles...
Do you have a business License? If yes you could open a Ticket at Sophos Support.
Correct. I have an internal Postfix / Dovecot server...
I checked the Exim documentation, and Exim is working as it should be. That's what the documentation tells me.
Anyway, if you put (in my case) the fullchain.pem from Let's Encrypt into the *.crt of a Dovecot or Postfix on the internal mail server, you should see that this error message is gone.
Same here. We are using the newest firmware, 9.706-9 (updated from 9.705-3), and we now have the following errors in the SMTP logs:
Errors with external smtp mailservers:
1: SSL verify error: depth=1 error=unable to get local issuer certificate cert=/C=US/O=Google Trust Services/CN=GTS CA 1O1
Hi WolfgangS,
This message is caused by the tls_verify_certificate feature in Exim. If Exim fails to verify the certificate provided by the remote mail server, it’ll log this message. However, this does not affect email traffic, and TLS works as expected. This is only a warning message and does not affect any functionality.
Thanks,
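
Added example, not part of the thread: the depth value in an `SSL verify error` line shows where chain building stopped. With a constructed root, intermediate and leaf (all names and file paths below are made up), `openssl verify` gives the same error at depth 0 when only the leaf is presented, at depth 1 when the full chain is presented but the verifier's CA bundle lacks the root, and succeeds when both are in place.

```shell
# Constructed root -> intermediate -> leaf chain; every name here is made up.
set -e

make_chain() {  # $1 = working directory (path without spaces)
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    newkey="-newkey rsa:2048 -nodes -config $d/ca.cnf"
    # Self-signed root, plus an unrelated root for a CA bundle that lacks ours.
    openssl req -x509 $newkey -extensions v3_ca -days 2 -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -x509 $newkey -extensions v3_ca -days 2 -subj "/CN=Unrelated Root" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new $newkey -subj "/CN=Example Intermediate" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
        -out "$d/inter.pem" 2>/dev/null
    # Leaf signed by the intermediate.
    openssl req -new $newkey -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Print "ok", or the first failure as depth=N error=TEXT (the form Exim logs).
check() {  # arguments go straight to `openssl verify`
    out=$(openssl verify "$@" 2>&1) || true
    case $out in *": OK"*) echo ok; return 0 ;; esac
    printf '%s\n' "$out" |
        sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth=\1 error=\2/p' |
        head -n 1
}

d=$(mktemp -d)
make_chain "$d"
echo "leaf only, root trusted:  $(check -CAfile "$d/root.pem" "$d/leaf.pem")"
echo "full chain, root trusted: $(check -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem")"
echo "full chain, root missing: $(check -CAfile "$d/other.pem" -untrusted "$d/inter.pem" "$d/leaf.pem")"
```

Here `-untrusted` stands in for the certificates a server sends alongside its leaf, and `-CAfile` for the CA bundle the verifying side trusts.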