nail (mailx) certificates

24 Mar

This is mostly just to remind myself what to do the next time this problem happens, but it might be useful for somebody else. If you normally read this blog for our travel adventures, you probably want to stop right now…

The Synology NAS is configured to send emails for various reasons (e.g. sending a summary of spam detected by gmail). It wasn’t doing that.

Further investigation (by ssh’ing into the NAS and running nail from the command line) gave errors that looked like this:

Error with certificate at depth: 2
 issuer = /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 subject = /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 err 19: self signed certificate in certificate chain
could not initiate SSL/TLS connection: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

At this stage, I wasn’t quite sure what it was complaining about, so I used openssl to get a little more information:

openssl s_client -starttls smtp -crlf -connect auth.smtp.1and1.co.uk:587
Certificate chain
 0 s:/C=GB/ST=Berkshire/L=Slough/O=1&1 Internet Ltd./CN=auth.smtp.1and1.co.uk
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

For reasons that I’ve forgotten, nail was configured to use the Thawte Premium Server CA PEM, not Thawte Primary Root CA, and I guess the mail server’s certificate (or chain) has been changed recently. I already had the Thawte Primary Root CA PEM, so I just changed nail’s configuration to point to that, and everything was back to normal.

Here’s the important bit that I want to remember: if it happens again, I think those two PEMs can be concatenated into one file to cover either eventuality.
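To try that fix offline before touching the mail client's configuration, here is an added example that is not part of the original post. It uses only the openssl command line to build a throwaway PKI (two constructed self-signed roots standing in for the two Thawte CAs, an intermediate under one of them, and a server certificate), then runs openssl verify against the chain the way a TLS client would: once with the wrong root as the CA file, which reproduces the "self signed certificate in certificate chain" failure above, once with the right root, and once with both roots concatenated into a single bundle, which is the trick suggested above. Every name in it is constructed; the only assumption is a working openssl binary. Which file nail reads is a separate, version-specific setting (heirloom mailx calls it ssl-ca-file; check the nail on the NAS), so the script just writes a bundle file for you to point that setting at.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway PKI with the
# openssl CLI and show what "openssl verify" says when the CA file given to
# the mail client holds the wrong root, the right root, or both roots.
set -e

# make_test_pki DIR: two independent self-signed roots (constructed stand-ins
# for "Premium Server CA" and "Primary Root CA"), an intermediate signed by
# root A, a server certificate signed by the intermediate, and chain.pem
# holding what the server would send (leaf + intermediate + root A).
make_test_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smtp.example.test\n' > "$dir/leaf.ext"

  for root in rootA rootB; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test $root" \
      -keyout "$dir/$root.key" -out "$dir/$root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/$root.csr" -signkey "$dir/$root.key" \
      -extfile "$dir/ca.ext" -out "$dir/$root.pem" 2>/dev/null
  done

  # Intermediate CA, signed by root A only.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/inter.csr" -CA "$dir/rootA.pem" \
    -CAkey "$dir/rootA.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/inter.pem" 2>/dev/null

  # Server ("leaf") certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.pem" 2>/dev/null

  cat "$dir/leaf.pem" "$dir/inter.pem" "$dir/rootA.pem" > "$dir/chain.pem"
}

# verify_leaf CAFILE DIR: trust only the certificates in CAFILE and treat
# chain.pem as the untrusted chain sent by the server, which is exactly the
# check nail performs. Prints the verdict; returns 0 on success, 1 otherwise.
verify_leaf() {
  cafile=$1; dir=$2
  out=$(openssl verify -CAfile "$cafile" -untrusted "$dir/chain.pem" "$dir/leaf.pem" 2>&1) || true
  if echo "$out" | grep -q ': OK$'; then
    echo "OK    $(basename "$cafile")"
    return 0
  fi
  # e.g. "error 19 at 2 depth lookup: self signed certificate in certificate chain"
  echo "FAIL  $(basename "$cafile"): $(echo "$out" | grep -i error | head -n 1)"
  return 1
}

# bundle_cas OUT PEM...: concatenate root PEMs into one CA file, as the post
# suggests; a -CAfile may hold any number of certificates. Prints the count.
bundle_cas() {
  out=$1; shift
  cat "$@" > "$out"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Demonstration: wrong root fails, right root passes, bundle of both passes.
D=$(mktemp -d)
make_test_pki "$D"
verify_leaf "$D/rootB.pem" "$D" || true
verify_leaf "$D/rootA.pem" "$D"
bundle_cas "$D/bundle.pem" "$D/rootA.pem" "$D/rootB.pem" >/dev/null
verify_leaf "$D/bundle.pem" "$D"
rm -rf "$D"
```

The same verify_leaf call, run with the real chain saved from openssl s_client and the PEM nail is configured with, tells you before restarting anything whether the CA file matches what the mail server now sends.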

Posted by on Tuesday 24 March 2015 in Geeky stuff
