Let's Encrypt Certificate throws Expired error, DST Root CA X3 expired today and seems to cause The Bat to fail the certificate check
 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Moderator's note, Oct. 1st 2021: Ritlabs has addressed this issue in a statement that you can find HERE.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


I run several mailservers with Let's Encrypt certificates (*). This afternoon, The Bat Version 9.4.4 (64-bit) began showing an error for the mailservers' certificates.

Error from an internal IMAP server:

Quote
30.09.2021, 20:02:46: IMAP  - Connecting to IMAP server mail.int.example.org on port 993
30.09.2021, 20:02:46: IMAP  - Initiating TLS handshake
>30.09.2021, 20:02:46: IMAP  - Certificate S/N: 03A5*****, algorithm: RSA (2048 bits), issued from 9/26/2021 3:51:34 AM to 12/25/2021 3:51:33 AM, for 2 host(s): mail.int.example.org, www.mail.int.example.org.
>30.09.2021, 20:02:46: IMAP  - Owner: "mail.int.example.org".
>30.09.2021, 20:02:46: IMAP  - Issuer: "US", "Let's Encrypt", "R3". Valid from 9/4/2020 to 9/15/2025 4:00:00 PM.
>30.09.2021, 20:02:46: IMAP  - Issuer: "US", "Internet Security Research Group", "ISRG Root X1". Valid from 1/20/2021 7:14:03 PM to 9/30/2024 6:14:03 PM.
>30.09.2021, 20:02:46: IMAP  - Root: "Digital Signature Trust Co.", "DST Root CA X3". Valid from 9/30/2000 9:12:19 PM to 9/30/2021 2:01:15 PM. This certificate has expired!
!30.09.2021, 20:02:46: IMAP  - TLS handshake failure. Invalid server certificate (This certificate has expired).

Error from a public POP3 server:

Quote
30.09.2021, 21:00:08: FETCH - receiving mail messages
30.09.2021, 21:00:08: FETCH - Connecting to POP3 server mail.example.org on port 995
30.09.2021, 21:00:08: FETCH - Initiating TLS handshake
>30.09.2021, 21:00:08: FETCH - Certificate S/N: 039D****, algorithm: RSA (2048 bits), issued from 7/19/2021 7:45:19 AM to 10/17/2021 7:45:17 AM, for 1 host(s): mail.example.org.
>30.09.2021, 21:00:08: FETCH - Owner: "mail.example.org".
>30.09.2021, 21:00:08: FETCH - Issuer: "US", "Let's Encrypt", "R3". Valid from 9/4/2020 to 9/15/2025 4:00:00 PM.
>30.09.2021, 21:00:08: FETCH - Issuer: "US", "Internet Security Research Group", "ISRG Root X1". Valid from 1/20/2021 7:14:03 PM to 9/30/2024 6:14:03 PM.
>30.09.2021, 21:00:08: FETCH - Root: "Digital Signature Trust Co.", "DST Root CA X3". Valid from 9/30/2000 9:12:19 PM to 9/30/2021 2:01:15 PM. This certificate has expired!
!30.09.2021, 21:00:08: FETCH - TLS handshake failure. Invalid server certificate (This certificate has expired).

Today, Let's Encrypt's cross-signed certificate DST Root CA X3 expired, which had been announced in advance, see: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Thunderbird clients on similar PCs connect to the internal IMAP server with no issues.

My operating system on the affected PC is: Windows 10 Home, Version 2004, Build 19041.1165

Since The Bat was able to connect to the mailserver without issues earlier this afternoon, I suspect the expired cross-signing certificate is the one causing the problem, as highlighted in the error message. According to Let's Encrypt's announcement, the Let's Encrypt Root certificate should still be considered valid, meaning that the entire certificate should be valid.

I can't tell where the problem lies within the Certificate Chain, and would be grateful for pointers on how to fix the problem for my installation of The Bat.


(*) I have HTTP hosts set up with the same hostnames as the internal and public mailservers; these HTTP hosts retrieve and update their Let's Encrypt certificates through the normal renewal procedure. A bunch of custom shell scripts then copy the certificates into the postfix and dovecot config directories and restart the mailserver programs after every certificate update.
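The two ways a client can treat the chain in the log above, as an added Python model that is not code from The Bat or Ritlabs: the certificate dates are copied from the IMAP log, while the subject names, the simplified "subject in trust store" anchor check and the trust-store contents are assumptions for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now <= self.not_after


# Chain as The Bat printed it for the IMAP server, leaf first (dates from that log, local time).
SERVED_CHAIN = [
    Cert("mail.int.example.org", datetime(2021, 9, 26, 3, 51, 34), datetime(2021, 12, 25, 3, 51, 33)),
    Cert("R3", datetime(2020, 9, 4), datetime(2025, 9, 15, 16, 0, 0)),
    Cert("ISRG Root X1", datetime(2021, 1, 20, 19, 14, 3), datetime(2024, 9, 30, 18, 14, 3)),  # cross-signed copy
    Cert("DST Root CA X3", datetime(2000, 9, 30, 21, 12, 19), datetime(2021, 9, 30, 14, 1, 15)),
]

HANDSHAKE = datetime(2021, 9, 30, 20, 2, 46)  # timestamp of the failing handshake in the log
EARLIER = datetime(2021, 9, 30, 13, 0, 0)     # constructed: before DST Root CA X3 expired at 14:01:15


def validate_whole_chain(chain, now):
    """Model of a client that treats the last presented certificate as *the* root and
    checks every certificate's dates: fails as soon as DST Root CA X3 has expired."""
    for cert in chain:
        if not cert.valid_at(now):
            return False, f"{cert.subject} is outside its validity period"
    return True, f"chain ends at {chain[-1].subject}"


def validate_to_anchor(chain, trusted_roots, now):
    """Model of a path-building client: walk leaf -> root, check dates, and stop at the
    first certificate whose subject is in the local trust store (the anchor's own dates are
    checked too, as most but not all implementations do). Certificates past the anchor are
    never examined, so an expired DST Root CA X3 does no harm once ISRG Root X1 is trusted."""
    for cert in chain:
        if not cert.valid_at(now):
            return False, f"{cert.subject} is outside its validity period"
        if cert.subject in trusted_roots:
            return True, f"anchored at {cert.subject}"
    return False, "no trusted anchor reached"


if __name__ == "__main__":
    print(validate_whole_chain(SERVED_CHAIN, HANDSHAKE))                             # fails: DST expired
    print(validate_to_anchor(SERVED_CHAIN, {"ISRG Root X1", "DST Root CA X3"}, HANDSHAKE))  # ok at ISRG Root X1
    print(validate_to_anchor(SERVED_CHAIN, {"DST Root CA X3"}, HANDSHAKE))           # fails: only expired anchor
```

Running it shows why the same chain passed earlier in the afternoon and fails after 14:01:15 for a client that insists on reaching the expired DST Root CA X3, while a client that stops at a trusted ISRG Root X1 is unaffected.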
 
I just posted about this a few minutes before you as well. Hope it gets resolved quickly.
Edited: cbiweb - 30 September 2021 22:27:46
 
Quote
cbiweb wrote:
I just posted about this as well. Hope it gets resolved quickly.

Haha, yeah, just saw your post after I hit "Send" on mine. ;)
 
Let's continue this discussion here, where user Cbiweb posted the same problem just before you did:

https://www.ritlabs.com/en/auth-forums/forum4/topic15456/
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.