Root certificate in `/etc/ssl/certs` not found

Root certificate in `/etc/ssl/certs` not found

Paul Menzel
Dear Postfix users,

First, I am sorry for probably bringing up a topic which has probably
been discussed to the end on this list, like [1], and in the end was
probably a user error. I’ll try to provide the information requested in
[1]. Thank you for your patience and help in advance.

The goal is to set up secure server certificate verification [2] for
messages sent to the domain [3]. But doing that, the test
message was deferred as the certificate couldn’t be verified.

Debian 9 (Stretch/stable) with the package `postfix` has the version

$ sudo postconf mail_version
mail_version = 3.1.4
$ sudo postconf smtp_tls_CAfile
smtp_tls_CAfile =
$ sudo postconf smtp_tls_CAfilesmtp_tls_CApath
postconf: warning: smtp_tls_CAfilesmtp_tls_CApath: unknown parameter
$ sudo postconf smtp_tls_CApath
smtp_tls_CApath = /etc/ssl/certs/

Verify with `posttls-finger`.

$ sudo posttls-finger -t30 -T180 -c -L verbose,summary
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to[]:25
posttls-finger:[]:25: TLS
depth=2 verify=0 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
Global - G01
depth=1 verify=1
subject=/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
depth=0 verify=1
posttls-finger: certificate verification failed for[]:25: untrusted issuer
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche
Telekom Root CA 2
posttls-finger:[]:25:, issuer_CN=DFN-Verein-GS-CA -
posttls-finger: Untrusted TLS connection established to[]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

So judging from “untrusted issuer”, I assume the root certificate is
missing. Use `openssl`.

$ echo "" | openssl s_client -connect
-starttls smtp -showcerts
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN
= Deutsche Telekom Root CA 2
verify return:1
depth=2 C = DE, O = DFN-Verein, OU = DFN-PKI, CN = DFN-Verein PCA Global
- G01
verify return:1
depth=1 C = DE, O = DFN-Verein, OU = Geschaeftsstelle, CN =
DFN-Verein-GS-CA - G02
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = DFN-Verein, OU =
Geschaeftsstelle, CN =
verify return:1
[…]
     Verify return code: 0 (ok)

Save the certificate *C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
Global - G01* in `issuer.pem` (attached), and verify it.

$ openssl verify -CApath /etc/ssl/certs -purpose crlsign issuer.pem
issuer.pem: OK

The server certificate also contains the correct name, right?


So it’s not a problem with matching the server certificate peername [4],
is it?

Kind regards,


     "TLS Encryption and Verification issue"


Re: Root certificate in `/etc/ssl/certs` not found

Viktor Dukhovni
On Thu, Jul 06, 2017 at 08:27:35PM +0200, Paul Menzel wrote:

> $ sudo posttls-finger -t30 -T180 -c -L verbose,summary

There's no need to run posttls-finger as root.  And "verbose"
is just distracting.

> posttls-finger: setting up TLS connection to[]:25
> posttls-finger: Untrusted TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This is not surprising, since by default Postfix trusts no CAs,
also recent versions of posttls-finger do "dane" verification by

On my system the system certificate bundle is in /etc/ssl/cert.pem,
and so the correct test is:

        $ posttls-finger -c -l secure -F /etc/ssl/cert.pem
        posttls-finger:[]:25: Matched subjectAltName:
        posttls-finger:[]:25 CommonName
        issuer_CN=DFN-Verein-GS-CA - G02, fingerprint=6D:C1:73:0B:7F:E4:CD:A5:54:CF:D8:79:7E:17:37:27:81:EF:9A:BE, pkey_fingerprint=E1:7E:4F:88:AD:09:50:54:5C:19:49:47:62:C6:64:33:A0:D7:48:35
        posttls-finger: Verified TLS connection established to[]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)


    1. "-l secure" selects the desired security level.

    2. "-F /etc/ssl/cert.pem" selects the correct trusted certificate bundle.
       This corresponds to smtp_tls_CAfile.  You can use "-P /some/path" to
       select a directory of trusted certs hashed in the usual way with
       c_rehash.  This corresponds to smtp_tls_CApath.

    3. The domain's MX hosts have certificates with the MX host DNS names,
       but do not contain the nexthop domain.   Since the MX hosts are
       typically obtained via insecure DNS lookups, they cannot be trusted.
       See TLS_README for details.  Therefore "secure" verification of this
       domain requires a non-default name matching strategy.  In this case
       "" is a parent domain of all the MX hosts.

Thus your TLS policy entry for this domain would be:

    # Perhaps some day the MX host certs will have names, so
    # include nexthop and dot-nexthop in addition to the current MX
    # provider domain.
    # secure

Encourage the counter-party to deploy DANE; SMTP TLS security scales
much better with DANE (it does not require per-destination manual
configuration like the above).
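
The name-matching point in item 3 of the reply above, as an added example that is not part of the original thread or of Postfix itself: a simplified Python model of how a match list is compared with the DNS names in a server certificate. The domains customer.example, provider.example and rogue.example are constructed placeholders; wildcard certificate names are not modelled, and a ".domain" pattern is assumed to match subdomains at any depth.

```python
# Simplified model of Postfix SMTP client peer-name matching (added example).
# All domains are constructed placeholders. Assumptions: no wildcard names
# in certificates, and ".domain" matches subdomains at any depth.

def expand_patterns(match_spec, nexthop, mx_hostname):
    """Turn a colon-separated match list into concrete name patterns."""
    patterns = []
    for token in match_spec.split(":"):
        token = token.strip().lower()
        if token == "nexthop":
            patterns.append(nexthop)
        elif token == "dot-nexthop":
            patterns.append("." + nexthop)
        elif token == "hostname":
            patterns.append(mx_hostname)  # taken from the (insecure) MX lookup
        elif token:
            patterns.append(token)        # literal "name" or ".parent" pattern
    return patterns

def name_matches(cert_name, pattern):
    """Exact match, or subdomain match when the pattern starts with a dot."""
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    return cert_name == pattern

def peer_name_ok(cert_dns_names, match_spec, nexthop, mx_hostname):
    patterns = expand_patterns(match_spec, nexthop, mx_hostname)
    return any(name_matches(n, p) for n in cert_dns_names for p in patterns)

NEXTHOP = "customer.example"                      # recipient domain
# (MX hostname returned by DNS, DNS names in that host's CA-issued cert)
REAL_MX = ("mx1.provider.example", ["mx1.provider.example"])
FORGED_MX = ("mail.rogue.example", ["mail.rogue.example"])  # spoofed MX answer

SECURE_DEFAULT = "nexthop:dot-nexthop"            # default at level "secure"
VERIFY_DEFAULT = "hostname"                       # default at level "verify"
PINNED = "nexthop:dot-nexthop:.provider.example"  # policy with provider parent

def evaluate(match_spec):
    """Return whether the real and the forged MX pass name matching."""
    hosts = {"real": REAL_MX, "forged": FORGED_MX}
    return {label: peer_name_ok(names, match_spec, NEXTHOP, host)
            for label, (host, names) in hosts.items()}

if __name__ == "__main__":
    for spec in (SECURE_DEFAULT, VERIFY_DEFAULT, PINNED):
        print(f"{spec:40} {evaluate(spec)}")
```

The default "secure" list rejects the real MX host because its certificate carries only the provider's names, "hostname" accepts whatever name DNS returned, and the list with the provider's parent domain accepts the real host while still rejecting the forged one.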