9.706-9 EXIM: SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN

Hi,

After the update I got this error message with my Alpha (GlobalSign) Wildcard SSL Certificate.

2021:05:14-21:30:56 hostname exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=*.mydomain.de
2021:05:14-21:30:56 hostname exim-out[32409]: 2021-05-14 21:30:56 1lhdWS-0008QT-JQ [0.0.0.0] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=*.mydomain.de
Any hints?


  • Well, some checks:

    openssl s_client -showcerts -connect my.server.here:465 -servername my.server.here

    CONNECTED(00000003)
    depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
    verify return:1
    depth=0 CN = *.mydomain.here
    verify return:1
    ---
    Certificate chain
    0 s:CN = *.mydomain.here
      i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

    Server certificate
    subject=CN = *.mydomain.here

    issuer=C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2

    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2669 bytes and written 390 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
       Protocol  : TLSv1.3
       Cipher    : TLS_AES_256_GCM_SHA384

    So the certificate is installed correctly on the server. (All other ports are the same: 443, 993 and so on.)

    So why is Exim on the firewall telling me it can't verify the cert?

    And do I still have a secure connection?

  • I see the exact same error on my firewalls with 9.706-9. It happens only to exim-out, no error on exim-in as far as I can see.

    It happens to internal certificates (firewall sending to Exchange) and external certificates (firewall sending to external MX).

    The e-mails are still getting delivered, no error on that, just in the log files...

    Do you have a business license? If yes, you could open a ticket with Sophos Support.

  • Correct. I got an internal Postfix / Dovecot server...

    I checked the Exim docs and Exim is working as it should. That's what the docs tell me.

    Anyway, if you put (in my case, the fullchain.pem from Let's Encrypt) into the *.crt of a Dovecot or Postfix on the internal mail server, you should see that this error message is gone.
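    A worked check, added here and not part of the thread or of Sophos UTM: given the output of the `openssl s_client -showcerts` command from the earlier post, list every issuer in the served chain that the server did not also send, which is exactly what a client with no local copy of the AlphaSSL intermediate (the firewall's Exim, unlike a workstation whose own trust store can fill in the depth=1/depth=2 lines) trips over. The two samples are constructed from the chain listing quoted above; `LEAF_ONLY` reproduces a server that sends only its certificate and `FULL_CHAIN` what it looks like once fullchain.pem is installed as the last post describes.

```python
import re

# Constructed sample modelled on the s_client output quoted in the thread:
# only entry 0 (the leaf) is served, so its issuer has no matching subject.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = *.mydomain.here
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
---
"""

# Constructed variant of what a server that serves fullchain.pem shows.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = *.mydomain.here
   i:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
 1 s:C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")        # "   i:<issuer>"

def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain, in_section, subject = [], False, None
    for line in output.splitlines():
        if line.startswith("Certificate chain"):
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("---"):      # end of the chain section
            break
        elif (m := ENTRY.match(line)):
            subject = m.group(2).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def missing_issuers(output, trusted=()):
    """Issuers named in the served chain that are neither served themselves
    nor in `trusted` (names the client already holds, e.g. its root store).
    A non-empty list is the situation Exim logs as 'unable to verify the
    first certificate'; serving the intermediate (fullchain.pem) empties it."""
    chain = parse_chain(output)
    known = {subj for subj, _ in chain} | set(trusted)
    return [iss for _, iss in chain if iss not in known]
```

    To check a live server, pass the captured s_client output to `missing_issuers` with the client's trusted root names in `trusted`; anything left in the list is a certificate the server should be serving.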