Hello,
For the last 2 or 3 days, my mail-sending configuration via Orange's SMTP (smtp.orange.fr:587) with STARTTLS has stopped working, with a certificate problem:
unable to verify the first certificate
So I tested with openssl directly; here is the output:
openssl s_client -starttls smtp -connect smtp.orange.fr:587
CONNECTED(00000003)
depth=0 C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
verify return:1
---
Certificate chain
0 s:C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHgjCCBmqgAwIBAgIQBACZlhmGuek9bvE7ca8DszANBgkqhkiG9w0BAQsFADBZ
........
A0doeykb
-----END CERTIFICATE-----
subject=C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
issuer=C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2872 bytes and written 465 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 56D7BAFE7683A3AC26067F0C12DB3BA75DF55943FF2C0A0B5CDAF5C34C67A258
Session-ID-ctx:
Master-Key: 35867A633C6296DA6C5E39FD038EBC980FF8C8D0D2618F37A1DC084AFC0479CEEA03F0BC96F13691AD31C77A4480ADCA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1683192629
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
250 OK
I'm not particularly comfortable with certificates, but is this a problem on Orange's side with the certificate chain not being complete? (a missing intermediate certificate in the chain?)
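As an added example (not part of the original post), here is a small Python script that parses the `Certificate chain` section of `openssl s_client` output and checks whether every issuer is either served by the server or is one of the roots in the local trust store; the trusted-root list and the "complete chain" sample are constructed assumptions.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client`, in the shape seen in the post: only the leaf is served.
INCOMPLETE_CHAIN = """\
Certificate chain
 0 s:C = FR, ST = ILE DE FRANCE, L = ISSY LES MOULINEAUX, O = Orange SA, CN = smtp.premium.orange.fr
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
---
Server certificate
"""

# Constructed sample of a complete chain: the leaf followed by its intermediate.
COMPLETE_CHAIN = """\
Certificate chain
 0 s:C = FR, O = Orange SA, CN = smtp.premium.orange.fr
   i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
"""

# Assumption: subjects of the root certificates present in the local trust store.
TRUSTED_ROOT_SUBJECTS = {
    "C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2",
}

# A chain entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
NAME_RE = re.compile(r"^\s*(?:\d+\s+s|i):(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    if "Certificate chain" not in s_client_output:
        return []
    section = s_client_output.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    names = [m.group(1).strip() for m in NAME_RE.finditer(section)]
    return list(zip(names[0::2], names[1::2]))  # s: lines alternate with i: lines

def diagnose(chain, trusted_roots):
    """Every issuer must be either served in the chain or a trusted root.
    A False result is what s_client reports as verify error 20/21."""
    served = {subject for subject, _ in chain}
    for depth, (subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return True, f"chain reaches trusted root: {issuer}"
        if issuer not in served:
            return False, f"depth {depth}: issuer not served and not a trusted root: {issuer}"
    return False, "server sent no chain that reaches a trusted root"
```

Run `diagnose(parse_chain(output), TRUSTED_ROOT_SUBJECTS)` on real `openssl s_client -showcerts` output to see which link of the chain is missing; an issuer that is neither served nor a root is the intermediate the server should be sending.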