Closed williamdes closed 2 weeks ago
Do you mean the TLSA DNS records created by Stalwart? Rustls should provide the full chain, you can verify this with openssl.
> Do you mean the TLSA DNS records created by Stalwart?

No, I created them myself. But they should be the same idea.

> Rustls should provide the full chain, you can verify this with openssl.
I verified, and as you can see in the transcript, the CA cert is missing.
As you can see here, Stalwart returns the full certificate chain.
Your server is correctly returning the CA's cert:
% openssl s_client -starttls smtp -connect mx2.mails.wdes.eu:25 -showcerts
Connecting to 2.57.253.83
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=mails.wdes.eu
verify return:1
---
Certificate chain
0 s:CN=mails.wdes.eu
i:C=US, O=Let's Encrypt, CN=E6
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Jun 12 18:32:44 2024 GMT; NotAfter: Sep 10 18:32:43 2024 GMT
-----BEGIN CERTIFICATE-----
MIIDjDCCAxKgAwIBAgISA5MKZ/xJazqxXoa+My6LhFwqMAoGCCqGSM49BAMDMDIx
[...]
HSERM2MNIdmeN25uJ2ekFfpDHn+KnwuVtkMyBcToSnjh+KR4kCkmkwG6zwpeAISQ
-----END CERTIFICATE-----
1 s:C=US, O=Let's Encrypt, CN=E6
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
[...]
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=mails.wdes.eu
issuer=C=US, O=Let's Encrypt, CN=E6
Hmm yes, but C=US, O=Internet Security Research Group, CN=ISRG Root X1 is missing. How can I add the CA to the chain?
I do not want to have to set the TLSA record for E6 as it could change between renewals.
If you are using ACME you can't, the chain provided is exactly what Let's Encrypt issued. If you are specifying a certificate manually it has to be present in the file.
That's quite problematic. Can you check if you can request the CA cert from ACME? I am pretty sure they send it; on acme.sh it is saved.
For now I will have to add E5 and E6: https://letsencrypt.org/certificates/
I got it working, but having the CA would clearly have been less complicated. Look at this mess 😄
found 2 secure addresses for "mx2.mails.wdes.eu" at "mx2.mails.wdes.eu.": [2a10:4646:c:56::1 2.57.253.83]
found 5 TLSA records for "_25._tcp.mx2.mails.wdes.eu."
2 0 1 065ab7d2a050f947587121765d8d070c0e1330d5798faa42c2072749ed293762
2 0 1 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
2 0 1 69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470 ; ISRG Root X2
2 0 1 76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
2 0 1 e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3
[mx2.mails.wdes.eu 2.57.253.83] issuing STARTTLS [port 25]
[mx2.mails.wdes.eu 2.57.253.83] hostname "mx2.mails.wdes.eu" has 1 chains to TA; first length 2, is: ["mails.wdes.eu" "E6"]
[mx2.mails.wdes.eu 2.57.253.83] TLSA DANE-TA(2) match against chain position 2: 2 0 1 ...d3d8fadbabe2ab85
I had to put E5/E6 signed by X2 and E5/E6 signed by X1.
I guess there is some smart code doing it: https://github.com/acmesh-official/acme.sh/blob/0d8a314bcf32c7705f0be11527d34d3b4ce0fa79/acme.sh#L5196
The bash code suggests that at download time there are 3 certs and it splits them into 3 files.
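The discussion above turns on one check: a DANE-TA(2) TLSA record with selector 0 and matching type 1 can only match a certificate the server actually presents, so a record for ISRG Root X1 never matches a chain that stops at E6, while records for the intermediates do. The following script reproduces that check offline. It is an added example written for this thread, not code from Stalwart, acme.sh or danecheck; it assumes a PEM bundle in `fullchain.pem` layout (leaf first) and uses constructed byte strings in place of real DER certificates, so the hashes it prints are illustrative only. Point `pem_chain_to_der` at a real chain to get the rdata you would publish.

```python
import base64
import hashlib
import re
from typing import List, Tuple

# Matches each PEM certificate block; DOTALL so the body may span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into DER certificates, in file order (leaf first)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tlsa_rdata(der: bytes, usage: int = 2, selector: int = 0, mtype: int = 1) -> str:
    """Build TLSA rdata for one certificate.

    Only selector 0 (full certificate) is supported: selector 1 (SPKI) would
    need an ASN.1 parser. Matching type 1 is SHA-256, 0 is the raw DER in hex.
    """
    if selector != 0:
        raise ValueError("selector 1 (SubjectPublicKeyInfo) not supported here")
    if mtype == 1:
        digest = sha256_hex(der)
    elif mtype == 0:
        digest = der.hex()
    else:
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {digest}"


def parse_tlsa(record: str) -> Tuple[int, int, int, str]:
    """Parse 'usage selector mtype data [; comment]' as printed by danecheck."""
    usage, selector, mtype, data = record.split(maxsplit=3)
    data = data.split(";")[0].strip().lower()  # drop a trailing zone-file comment
    return int(usage), int(selector), int(mtype), data


def dane_ta_matches(tlsa_records: List[str], chain_ders: List[bytes]) -> List[Tuple[int, str]]:
    """Return (chain_position, record) for every DANE-TA(2) record that matches
    a certificate in the presented chain. Positions are 1-based with the leaf
    at 1, the same numbering danecheck prints. Signature chaining from the
    leaf to the matched certificate is assumed to have been verified by TLS
    and is not re-checked here.
    """
    hits = []
    for rec in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rec)
        if usage != 2 or selector != 0:
            continue  # other usages/selectors are out of scope for this check
        for pos, der in enumerate(chain_ders, start=1):
            presented = sha256_hex(der) if mtype == 1 else der.hex()
            if presented == data:
                hits.append((pos, rec))
    return hits


# Constructed sample: arbitrary bytes wrapped as PEM, not real X.509 DER.
SAMPLE_CHAIN_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(body).decode()
    + "\n-----END CERTIFICATE-----\n"
    for body in (b"leaf: mails.wdes.eu", b"intermediate: E6")
)
ROOT_DER = b"root: ISRG Root X1"  # constructed stand-in; the server does not send it


def demo() -> Tuple[List[Tuple[int, str]], List[Tuple[int, str]]]:
    """Root-only TLSA set (fails) versus a set that also covers the intermediate."""
    chain = pem_chain_to_der(SAMPLE_CHAIN_PEM)
    root_only = [tlsa_rdata(ROOT_DER)]
    with_intermediate = root_only + [tlsa_rdata(chain[1]) + " ; E6"]
    return dane_ta_matches(root_only, chain), dane_ta_matches(with_intermediate, chain)


if __name__ == "__main__":
    no_match, match = demo()
    print("root-only TLSA set matches:", no_match)          # []
    print("with intermediate, matches:", match)            # [(2, '2 0 1 ...')]
```

The empty first result is exactly the failure in the thread: the root's hash is in DNS, but with matching type 1 the verifier has nothing presented to compare it against. Publishing `2 0 1` records for every intermediate the CA might sign with (E5 and E6 under both X1 and X2, as done above) is the usual workaround; the alternative is matching type 0, where the full trust-anchor certificate sits in the TLSA record itself and so does not need to be in the server's chain.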
What happened?
Ref: #397
How can we reproduce the problem?
As I can see on https://www.huque.com/bin/danecheck
mx1.mails.wdes.eu works fine (classic postfix/dovecot) but mx2.mails.wdes.eu does not. You can see in the transcript that stalwart does not send the full chain.
Version
v0.8.x
What database are you using?
None
What blob storage are you using?
None
Where is your directory located?
None
What operating system are you using?
None
Relevant log output
No response