Not sure if someone actually reads this:
I used sendEmail for a couple of years and wanted to "resurrect" it. However, I came across an SSL verification issue which I cannot explain:
ERROR => TLS setup failed: SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed
Full output:
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => Connecting to mail.server.de:587
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => My IP address is: 2a04:6ec0:227:4200:7285:c2ff:fe71:76e5
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Oct 03 09:17:22 carla sendemail[2543]: SUCCESS => Received: 220 srv.server.de ESMTP Postfix
Oct 03 09:17:22 carla sendemail[2543]: INFO => Sending: EHLO carla.fritz.box
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => evalSMTPresponse() - Found SMTP success code: 250
Oct 03 09:17:22 carla sendemail[2543]: SUCCESS => Received: 250-srv.server.de, 250-PIPELINING, 250-SIZE 71680000, 250-ETRN, 250-STARTTLS, 250-ENHANCEDSTATUSCODES, 250-8BITMIME, 250-DSN, 250 CHUNKING
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => The remote SMTP server supports TLS :)
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => Starting TLS
Oct 03 09:17:22 carla sendemail[2543]: INFO => Sending: STARTTLS
Oct 03 09:17:22 carla sendemail[2543]: DEBUG => evalSMTPresponse() - Found SMTP success code: 220
Oct 03 09:17:22 carla sendemail[2543]: SUCCESS => Received: 220 2.0.0 Ready to start TLS
Oct 03 09:17:22 carla sendemail[2543]: ERROR => TLS setup failed: SSL connect attempt failed error:0A000086:SSL routines::certificate verify failed
This email server is a productive system and generally works fine everywhere else. Also, the OpenSSL output is fine:
openssl s_client -starttls smtp -crlf -connect mail.server.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = server.de
verify return:1
---
Certificate chain
0 s:CN = server.de
i:C = US, O = Let's Encrypt, CN = R11
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 02:56:40 2024 GMT; NotAfter: Dec 1 02:56:39 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R11
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = server.de
issuer=C = US, O = Let's Encrypt, CN = R11
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3369 bytes and written 438 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 094E43DC19B055D4647FE641C7B4AE8F072F0434774B5288CDD1062E8BDD7863
Session-ID-ctx:
Resumption PSK: FA76F06C894FB9158805CEDA425F6087DD50C051E07DDFCB4F7678AC16DCE567DD9E5700922EEDB14805DCF3BC40B713
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1727940430
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
So what is the difference between what perl ssl is doing here compared to the native openssl part?
For privacy reasons I replaced the real domain with "server".
Many thanks!