exim report: (gnutls_handshake): Certificate is bad
Hi, all.
When I use exim to establish a TLS link, it reports "(gnutls_handshake): Certificate is bad".
I build exim with gnutls. I tried to use gnutls-cli to test, but it reports:

root@de63cea81688:/# gnutls-cli 127.0.0.1:25 --starttls-proto=smtp
Processed 1 CA certificate(s).
Resolving '127.0.0.1:25'...
Connecting to '127.0.0.1:25'...
- Successfully sent 0 certificate(s) to server.
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=tomtoworld.xyz', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04b49a719570ad2f42d20e62c66bfd16a24c, RSA key 2048 bits, signed using RSA-SHA256, activated `2022-08-10 08:33:16 UTC', expires `2022-11-08 08:33:15 UTC', pin-sha256="x4Q0dnlkpeUGL4Qy8HgV3LRzV8PBaEdYdmXXQHd8To0="
Public Key ID:
sha1:2f83ec63fe1f7e56f7f6a1934e0f07011eb31079
sha256:c78434767964a5e5062f8432f07815dcb47357c3c16847587665d740777c4e8d
Public Key PIN:
pin-sha256:x4Q0dnlkpeUGL4Qy8HgV3LRzV8PBaEdYdmXXQHd8To0=


- Certificate[1] info:
- subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="
- Certificate[2] info:
- subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="
- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
regards
--------
Tom
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: exim report: (gnutls_handshake): Certificate is bad
Hi,

On 10 August 2022 at 9:58:12 UTC, "?? via Exim-users" <exim-users@exim.org> wrote:

>- Status: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
>*** PKI verification of server certificate failed...
>*** Fatal error: Error in the certificate.

You have all the required info in these lines. You must use (or provide)
a host name which matches the certificate's SAN or CN. In your case,
the name from the certificate is compared against 127.0.0.1.

One usually does not want TLS on localhost, as it is pointless... If you
need it, ensure that your public (from certificate) name points to
localhost in DNS and use it (beware, exim by default doesn't use
/etc/hosts) instead of the IP.

If you want to bypass the hostname check or customize TLS checks,
there are multiple options in both exim and gnutls-cli (see the manual).

regards

Slavko

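An added illustration of the check Slavko describes, written for this page (it is not code from Exim or GnuTLS): a TLS client compares the name it connected to against the certificate's identities. An IP literal such as 127.0.0.1 is only ever compared against iPAddress SAN entries, and a DNS name against dNSName SAN entries (falling back to the CN only when the certificate carries no SAN), so the leaf certificate from the original post (CN=tomtoworld.xyz) can never match 127.0.0.1. The certificate dicts below are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the dNSName SAN on the Let's Encrypt leaf is an assumption, since the post only shows its CN, and the second certificate (a constructed one for localhost with an iPAddress SAN) shows what would be needed for the IP to verify.

```python
"""Hostname matching against an X.509 certificate (RFC 6125 style).

Constructed example for the exim-users thread above; not Exim or GnuTLS code.
"""
import ipaddress

# Constructed leaf certificate shaped like ssl.getpeercert() output, based on
# the CN shown in the post. The dNSName SAN is assumed (not shown in the post).
LEAF_CERT = {
    "subject": ((("commonName", "tomtoworld.xyz"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "tomtoworld.xyz"),),
}

# Constructed certificate that WOULD verify when connecting to 127.0.0.1:
# it carries an iPAddress SAN. Not from the post.
LOCALHOST_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a single leading '*' label matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must leave at least two fixed labels ('*.xyz' is not accepted)
    # and only covers one label, so label counts must be equal.
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def _cert_names(cert):
    """Extract dNSName SANs, iPAddress SANs and the first CN from a getpeercert()-style dict."""
    dns_names, ip_names, cn = [], [], None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and cn is None:
                cn = value
    return dns_names, ip_names, cn


def match_hostname(cert, expected: str):
    """Return (ok, reason) for whether `expected` is an identity the certificate asserts.

    IP literals are compared only against iPAddress SANs; DNS names against
    dNSName SANs, with the CN used only when the certificate has no SAN at all.
    """
    dns_names, ip_names, cn = _cert_names(cert)
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None

    if ip is not None:
        for candidate in ip_names:
            if ipaddress.ip_address(candidate) == ip:
                return True, f"matched iPAddress SAN {candidate}"
        return False, (f"no iPAddress SAN for {expected}; "
                       f"certificate names are {dns_names or [cn]}")

    if dns_names:
        for name in dns_names:
            if _dns_name_match(name, expected):
                return True, f"matched dNSName SAN {name}"
        return False, f"{expected} does not match any dNSName SAN {dns_names}"

    if cn is not None and _dns_name_match(cn, expected):
        return True, f"matched CN {cn} (certificate has no SAN)"
    return False, f"{expected} does not match CN {cn}"


if __name__ == "__main__":
    # The reporter's situation: connecting to the IP, certificate names the domain.
    print(match_hostname(LEAF_CERT, "127.0.0.1"))
    # Connecting by the certificate's own name instead, as the reply suggests.
    print(match_hostname(LEAF_CERT, "tomtoworld.xyz"))
```

Running it shows the first check failing with the certificate's names listed and the second succeeding, which is the same outcome gnutls-cli reported as "The name in the certificate does not match the expected". The separate "certificate issuer is unknown" status in the post is a trust-anchor problem (gnutls-cli loaded only one CA certificate) and is not addressed by the name check.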