On 4/18/24 07:17, Michael D. Setzer II wrote:
> Apr 18 14:58:11 setzconote.dyndns.org stunnel[15619]: LOG4[3]: CERT: Pre-verification error: unable to get local issuer>
> Apr 18 14:58:11 setzconote.dyndns.org stunnel[15619]: LOG4[3]: Rejected by CERT at depth=0: CN=*.guam.net
It seems to be a coincidence that doesn't seem to have anything to do with the kernel version. smtp1.guam.net have broken their deployment by only installing the end-entity (leaf) certificate, without the required intermediate certificate. It's a common mistake.
If you cannot make smtp1.guam.net administrators fix their email server configuration, you can manually specify the intermediate certificate in your CAfile.pem. The enclosed file includes both the intermediate certificate and the root certificate, so that you can replace "CApath = /etc/ssl/certs" with "CAfile = /etc/stunnel/g2.pem".
Best regards, Mike
On 18 Apr 2024 at 15:52, Michał Trojnara via stunnel wrote:
Date sent: Thu, 18 Apr 2024 15:52:50 +0200
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Re: Having strange issue with newer kernels? 6.8. patches" <stunnel-users.stunnel.org>
From: Michał Trojnara via stunnel-users stunnel-users@stunnel.org
Send reply to: Michał Trojnara Michal.Trojnara@stunnel.org
> On 4/18/24 07:17, Michael D. Setzer II wrote:
> > Apr 18 14:58:11 setzconote.dyndns.org stunnel[15619]: LOG4[3]: CERT: Pre-verification error: unable to get local issuer>
> > Apr 18 14:58:11 setzconote.dyndns.org stunnel[15619]: LOG4[3]: Rejected by CERT at depth=0: CN=*.guam.net
>
> It seems to be a coincidence that doesn't seem to have anything to do with the kernel version. smtp1.guam.net have broken their deployment by only installing the end-entity (leaf) certificate, without the required intermediate certificate. It's a common mistake.
>
> If you cannot make smtp1.guam.net administrators fix their email server configuration, you can manually specify the intermediate certificate in your CAfile.pem. The enclosed file includes both the intermediate certificate and the root certificate, so that you can replace "CApath = /etc/ssl/certs" with "CAfile = /etc/stunnel/g2.pem".
>
> Best regards, Mike
Thanks for the file. Question: Made the change, and it worked for sending mail, but then noticed I had not gotten any incoming emails from mail.guam.net, but no error showed. Went to the web access, and it showed I had 81 emails. Then made a similar change to the stunnel.conf and was able to then download the 81 messages with no issue? Machines are different, but g2.pem seems to work?
[guampop]
client=yes
accept = 127.0.0.1:20996
connect = mail.guam.net:995
debug = 7
verifyChain = yes
CApath = /etc/ssl/certs
CAfile = /etc/stunnel/g2.pem
checkHost = mail.guam.net
OCSPaia = yes

[guamsmtp]
client=yes
accept = 127.0.0.1:20466
connect = smtp1.guam.net:465
debug = 7
verifyChain = yes
CApath = /etc/ssl/certs
CAfile = /etc/stunnel/g2.pem
checkHost = smtp1.guam.net
OCSPaia = yes
So, seems to work.
Thanks
+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mikes@guam.net
mailto:msetzerii@gmail.com
mailto:msetzerii@gmx.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
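
The failure in the log and both fixes discussed in this thread can be reproduced offline with the openssl command line. This is an added example, not part of the original messages or of stunnel; the CA names, mail.example.test and all file names are constructed, and it assumes the OpenSSL CLI is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain.
# "Demo Root", "Demo Intermediate" and mail.example.test are made-up names.

issue() {  # $1=name $2=CN $3=extension file $4=serial $5=issuer (empty: self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null || return 1
    if [ -n "${5:-}" ]; then
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$5.pem" -CAkey "$d/$5.key" \
            -set_serial "$4" -days 2 -extfile "$d/$3" -out "$d/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" \
            -set_serial "$4" -days 2 -extfile "$d/$3" -out "$d/$1.pem" 2>/dev/null
    fi
}

make_chain() {  # fills $d with root, int and leaf certificates plus bundle.pem
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
    issue root "Demo Root" ca.ext 1 || return 1
    issue int "Demo Intermediate" ca.ext 2 root || return 1
    issue leaf mail.example.test leaf.ext 3 int || return 1
    # Intermediate + root in one CAfile, the same layout as the g2.pem above
    cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

verify_leaf() {  # $@ = trust options; the peer's own chain is leaf.pem only
    openssl verify "$@" "$d/leaf.pem" 2>&1
}

d=$(mktemp -d) || exit 1
trap 'rm -rf "$d"' EXIT
make_chain || exit 1

echo "== CAfile has the root only, server sends the leaf only (the logged failure) =="
verify_leaf -CAfile "$d/root.pem" || true
echo "== CAfile has intermediate + root (client-side workaround) =="
verify_leaf -CAfile "$d/bundle.pem"
echo "== CAfile has the root only, server also sends the intermediate (server fix) =="
verify_leaf -CAfile "$d/root.pem" -untrusted "$d/int.pem"
```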