Postfix (Email) - Resolve "Peer's certificate issuer has been marked as not trusted"


Let's say the following is being returned when attempting to send an email using mailx, and a Postfix/Dovecot email server is being used.

Error in certificate: Peer's certificate issuer has been marked as not trusted by the.
host certificate does not match "stmp.example.com"

 

Let's use the certutil command with the -L (list) and -d (directory) options to list the certificates in your nssdb (Network Security Services Database). In this example, the nssdb is empty (contains no certificates).

~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

 

Use openssl s_client to show the certificates and save each certificate to a file (e.g. root.pem, intermediate.pem, server.pem).

~]# openssl s_client -showcerts -starttls smtp -connect mail.example.com:587
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIJAOI7ipAyqjtQMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCV0kxETAPBgNVBAcMCEFwcGxldG9uMQ8wDQYDVQQK
DAZGcmVlS0IxDzANBgNVBAsMBkZyZWVLQjEPMA0GA1UEAwwGRnJlZUtCMSEwHwYJ
KoZIhvcNAQkBFhJzdXBwb3J0QGZyZWVrYi5uZXQwHhcNMTgwNzE5MDEzMDI.....
-----END CERTIFICATE-----
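
One way to do the "save each certificate to a file" step, as an added example that is not part of the original article. The function names (split_chain, describe_cert, sample_output) are chosen here, and the sample input is constructed rather than captured from a real server.

```shell
# Added example: split `openssl s_client -showcerts` output into one PEM file
# per certificate, then inspect each file before trusting it.

# split_chain OUTDIR
# Reads s_client output on stdin and writes OUTDIR/cert-1.pem, cert-2.pem, ...
# in the order the server sent them (server certificate first). A block with
# no END line (truncated output) is dropped. Prints the number of files written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { buf = $0 "\n"; inside = 1; next }
        inside && /^-----END CERTIFICATE-----/ {
            n++; file = sprintf("%s/cert-%d.pem", dir, n)
            printf "%s%s\n", buf, $0 > file
            close(file); inside = 0; next
        }
        inside { buf = buf $0 "\n" }
        END { print n + 0 }
    '
}

# describe_cert FILE
# Prints subject, issuer and SHA-256 fingerprint, to be compared with values
# obtained from the mail server's administrator before running certutil -A.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Constructed sample of s_client output. The bodies are placeholders, not real
# certificates; the last block is cut off the way a truncated capture would be.
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
 0 s:CN = mail.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERSERVERCERTBODY
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERTRUNCATED
EOF
}
```

Against a real server, pipe the s_client command above into split_chain (with stdin redirected from /dev/null so s_client exits); cert-1.pem then corresponds to server.pem. The connection that delivered these certificates was not itself verified, so run describe_cert on each file and confirm the fingerprints before adding them to the nssdb.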

 

The certutil command with the -A (append), -n (name), -t (type, the trust attributes), -d (directory) and -i (file) options can be used to append certificates to the nssdb (Network Security Services Database).

~]# certutil -A -n "mail.example.com root CA" -t "TC,," -d /etc/pki/nssdb -i root.pem
~]# certutil -A -n "mail.example.com intermediate CA" -t "TC,," -d /etc/pki/nssdb -i intermediate.pem
~]# certutil -A -n "mail.example.com" -t "TC,," -d /etc/pki/nssdb -i server.pem

 

Let's check the nssdb again. Notice there are entries for the root, intermediate and server certificates.

~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

mail.example.com root CA                    CT,,
mail.example.com intermediate CA            CT,,
mail.example.com                            CT,,

 

If you want, you can ensure each certificate is valid.

~]# certutil -V -n "mail.example.com" -d /etc/pki/nssdb -u A
certutil: certificate is valid

 



