RSS

nail (mailx) certificates

24 Mar

This is mostly just to remind myself what to do the next time this problem happens, but it might be useful for somebody else. If you normally read this blog for our travel adventures, you probably want to stop right now…

The Synology NAS is configured to send emails for various reasons (e.g. sending a summary of spam detected by gmail). It wasn’t doing that.

Further investigation (by ssh’ing into the NAS and running nail from the command line) gave errors that looked like this:

Error with certificate at depth: 2
 issuer = /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 subject = /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 err 19: self signed certificate in certificate chain
could not initiate SSL/TLS connection: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

At this stage, I wasn’t quite sure what it was complaining about, so I used openssl to get a little more information:

openssl s_client -starttls smtp -crlf -connect auth.smtp.1and1.co.uk:587
Certificate chain
 0 s:/C=GB/ST=Berkshire/L=Slough/O=1&1 Internet Ltd./CN=auth.smtp.1and1.co.uk
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA

For reasons that I’ve forgotten, nail was configured to use the Thawte Premium Server CA PEM, not Thawte Primary Root CA, and I guess the mail server’s certificate (or chain) has been changed recently. I already had the Thawte Primary Root CA PEM, so I just changed nail’s configuration to point to that, and everything was back to normal.

Here’s the important bit that I want to remember: if it happens again, I think those two PEMs can be concatenated into one file to cover either eventuality.

Advertisements
 
Leave a comment

Posted by on Tuesday 24 March 2015 in Geeky stuff

 

Tags: , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: