noisebridge.net / lists.noisebridge.net SMTP TLS certificate appears to be out of date
Closed this issue · 3 comments
rizend commented
According to openssl, the current certificate being presented by m3.noisebridge.net:25 when TLS is initiated via STARTTLS is not valid after Jun 10 03:10:08 2019 GMT. More details in the log output below:
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = noisebridge.net
verify error:num=10:certificate has expired
notAfter=Jun 10 03:10:08 2019 GMT
verify return:1
depth=0 CN = noisebridge.net
notAfter=Jun 10 03:10:08 2019 GMT
verify return:1
---
Certificate chain
0 s:CN = noisebridge.net
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = noisebridge.net
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3439 bytes and written 452 bytes
Verification error: certificate has expired
SuperQ commented
Good catch, I forgot how this is handled. Might be something broken in the letsencrypt cron.
rizend commented
I only noticed because I was testing my own mail server and had the same issue. For me, even when I got an up-to-date certificate file in the right place for my mail server, it wasn't detecting the new certificate, so I had to add a couple lines in my cron job to restart the mail server every time the certificate was updated.
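The two causes raised in this thread, a broken renewal job versus a renewed file the mail daemon never reloaded, can be told apart by comparing the certificate served over STARTTLS with the one on disk. The Python below is an added example, not code from this issue or from the Noisebridge infrastructure; the function names, status strings, 14-day warning window, fingerprints and the renewed date are assumptions constructed for illustration.

```python
import re
import ssl
import subprocess
import time

# Constructed sample input in the format printed by
#   openssl x509 -noout -enddate -fingerprint -sha256
# The first notAfter is the one reported in the issue; the fingerprints and
# the renewed date are made up for this example.
SAMPLE_SERVED = "notAfter=Jun 10 03:10:08 2019 GMT\nsha256 Fingerprint=" + ":".join(["AA"] * 32)
SAMPLE_DISK_RENEWED = "notAfter=Sep  8 03:10:08 2019 GMT\nsha256 Fingerprint=" + ":".join(["BB"] * 32)

def served_summary(host, port=25):
    """Live use: summarise the leaf certificate presented after STARTTLS (needs the openssl CLI)."""
    hello = subprocess.run(
        ["openssl", "s_client", "-starttls", "smtp", "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=30).stdout
    # openssl x509 picks the first PEM block (the leaf) out of the s_client output.
    return subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-fingerprint", "-sha256"],
        input=hello, capture_output=True, check=True).stdout.decode()

def parse_x509_summary(text):
    """Return (notAfter as epoch seconds, SHA-256 fingerprint) from the summary text."""
    end = re.search(r"^notAfter=(.+)$", text, re.M)
    fp = re.search(r"^sha256 fingerprint=([0-9a-f:]+)\s*$", text, re.M | re.I)
    if not end or not fp:
        raise ValueError("expected notAfter= and sha256 Fingerprint= lines")
    return ssl.cert_time_to_seconds(end.group(1).strip()), fp.group(1).upper()

def classify(served_text, disk_text, now=None, warn_days=14):
    """Compare the certificate served over STARTTLS with the certificate file on disk."""
    now = time.time() if now is None else now
    served_end, served_fp = parse_x509_summary(served_text)
    disk_end, disk_fp = parse_x509_summary(disk_text)
    if served_fp != disk_fp and disk_end > served_end:
        # Renewal wrote a newer file, but the daemon still holds the old one in memory.
        return "stale-restart-needed"
    if served_end <= now:
        # Disk and server agree on an expired certificate: the renewal job itself failed.
        return "expired-renewal-broken"
    if served_end - now < warn_days * 86400:
        return "expiring-soon"
    return "ok"
```

For the on-disk side, feed `classify` the output of `openssl x509 -in <certificate file> -noout -enddate -fingerprint -sha256`; a `stale-restart-needed` result is the signal to reload or restart the mail server from the renewal job.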