stalwartlabs / smtp-server

Stalwart SMTP Server
https://stalw.art/smtp
GNU Affero General Public License v3.0

Only the first TLS certificate is used rather than the full chain #3

Closed ngocnha closed 1 year ago

ngocnha commented 1 year ago

Failed to send GET request: error sending request for url (https://mail.my-server.com:8686/report/list?): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

I am using the same certificate obtained from Let's Encrypt and the same domain for both the JMAP server and SMTP, but while JMAP works perfectly, SMTP fails.

mdecimus commented 1 year ago

There are two things you can check:

  1. Compare the certificates returned by both servers using openssl:

     openssl s_client -showcerts -connect mail.my-server.com:8686 </dev/null  # Replace with the SMTP URL
     openssl s_client -showcerts -connect jmap.my-server.com:443 </dev/null   # Replace with the JMAP URL

  2. Make sure that Stalwart SMTP is using the Let's Encrypt certificate. Open /usr/local/stalwart-smtp/etc/config.toml and look for the [certificate] section; it should look something like this:

     [certificate."default"]
     cert = "file:///usr/local/stalwart-smtp/etc/certs/tls.crt"
     private-key = "file:///usr/local/stalwart-smtp/etc/private/tls.key"

Then verify that cert and private-key are actually pointing to the Let's Encrypt certificate.

ngocnha commented 1 year ago

After following your suggestions, I realized that the certificate and path were correct. However, the certificate file I am using is a certificate chain that contains multiple certificates, including my certificate and the issuer certificates. JMAP management was able to read and work with the entire chain, but SMTP management only read the first certificate in the chain and failed.

ngocnha commented 1 year ago

I manually trusted the Let's Encrypt issuer certificate on my system, but the result did not change.

https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html


OK result:

openssl s_client -showcerts -connect mail.my-server.com:8080 </dev/null

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.my-server.com
verify return:1

Certificate chain
 0 s:CN = mail.my-server.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 16:50:26 2023 GMT; NotAfter: Apr 16 16:50:25 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISA12Hr5Z028LYQDjgH1Ja090BMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzAxMTYxNjUwMjZaFw0yMzA0MTYxNjUwMjVaMBwxGjAYBgNVBAM
......
......

Bad result:

openssl s_client -showcerts -connect mail.my-server.com:8686 </dev/null

CONNECTED(00000003)
depth=0 CN = mail.my-server.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.my-server.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = mail.my-server.com
verify return:1

Certificate chain
 0 s:CN = mail.my-server.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 16:50:26 2023 GMT; NotAfter: Apr 16 16:50:25 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISA12Hr5Z028LYQDjgH1Ja090BMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzAxMTYxNjUwMjZaFw0yMzA0MTYxNjUwMjVaMBwxGjAYBgNVBAMT
......
......
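Two checks for what this thread turns on, as example code added to this page (not Stalwart's own code): one splits the PEM file named in config.toml into every certificate it holds, the other interprets `openssl s_client -showcerts` output like the two results above. The sample inputs are constructed from those outputs with the certificate bodies elided.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text: str) -> list[bytes]:
    """Every certificate in a PEM file as DER bytes, in file order. A loader
    that stops after the first block drops the intermediates, which is the
    behaviour reported here; a Let's Encrypt chain file should yield >= 2."""
    ders = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def diagnose_s_client(output: str) -> dict:
    """Interpret `openssl s_client -showcerts` output (stdout and stderr).
    Errors 20/21 are what a missing intermediate looks like to a client.
    certs_sent is checked as well: a client whose trust store already holds
    the intermediate verifies fine even if the server sends only the leaf."""
    sent = len(PEM_RE.findall(output))
    depths = [int(d) for d in re.findall(r"depth=(\d+)", output)]
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", output)})
    return {
        "certs_sent": sent,  # leaf + intermediates; the root is usually omitted
        "max_depth": max(depths) if depths else None,
        "verify_errors": errors,
        # Heuristic: a leaf issued directly by a root would be a false negative.
        "chain_complete": sent >= 2 and not ({20, 21} & set(errors)),
    }


# Constructed samples modelled on the two outputs quoted above; certificate
# bodies are elided ("MIIB" decodes to the first bytes of a DER SEQUENCE).
CERT = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
BAD_OUTPUT = ("CONNECTED(00000003)\ndepth=0 CN = mail.my-server.com\n"
              "verify error:num=20:unable to get local issuer certificate\n"
              "verify return:1\ndepth=0 CN = mail.my-server.com\n"
              "verify error:num=21:unable to verify the first certificate\n"
              "verify return:1\n" + CERT)
GOOD_OUTPUT = ("CONNECTED(00000003)\n"
               "depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
               "verify return:1\ndepth=1 C = US, O = Let's Encrypt, CN = R3\n"
               "verify return:1\ndepth=0 CN = mail.my-server.com\nverify return:1\n"
               + CERT * 2)
```

Feed `diagnose_s_client` the combined stdout and stderr of the same `openssl s_client` command used in this thread; `s_client` prints the depth/verify lines to stderr and the certificates to stdout.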

ngocnha commented 1 year ago

Fixed, this is the latest result:

openssl s_client -showcerts -connect mail.my-server.com:8686 </dev/null

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.my-server.com
verify return:1

Certificate chain
 0 s:CN = mail.my-server.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 16 16:50:26 2023 GMT; NotAfter: Apr 16 16:50:25 2023 GMT
-----BEGIN CERTIFICATE-----
MIIFJzCCBA+gAwIBAgISA12Hr5Z028LYQDjgH1Ja090BMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzAxMTYxNjUwMjZaFw0yMzA0MTYxNjUwMjVaMBwxGjAYBgNVBAMT

mdecimus commented 1 year ago

Thanks again for the fix. I'll publish v0.1.1 shortly.