Sendmail when sending via browser says unable to get local issuer certificate

I am using Sendmail along with Let's Encrypt. I have set up the sendmail certificates as per https://evermeet.cx/wiki/Let%27s_Encrypt_with_Apache,_dovecot,_and_sendmail . I am still getting the error message "unable to get local issuer certificate" when sending to Gmail.

I have set up the DKIM and SPF records correctly. Mails are still not getting sent. Any help would be greatly appreciated.

Please find the custom changes in sendmail.mc below:
dnl # Default Mailer setup
define(`CERT_DIR', `/etc/letsencrypt/live/migrate.bmtplus.com')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/fullchain.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')dnl
define(`confCRL', `/usr/share/ssl-cert/revoke.crl')dnl
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl
MAILER_DEFINITIONS
MAILER(`local')dnl
MAILER(`smtp')dnl

Please find the debug data when sending mail from the web application below:

Sep 27 13:27:01 bmtplus cron[660]: (systemsendmail) RELOAD (/etc/cron.d/sendmail)
Sep 27 13:27:01 bmtplus CRON[6779]: (jagriti) CMD (/home/jagriti/scripts/git_pull_sites.sh)

Sep 27 13:27:02 bmtplus sendmail[6785]: x8RDR2XG006785: Authentication-Warning: bmtplus.com: www-data set sender to updates@bmtplus.com using -f
Sep 27 13:27:02 bmtplus sendmail[6785]: x8RDR2XG006785: from=updates@bmtplus.com, size=326, class=0, nrcpts=1, msgid=201909271327.x8RDR2XG006785@bmtplus.com, relay=www-data@localhost
Sep 27 13:27:02 bmtplus sm-mta[6786]: NOQUEUE: connect from localhost [127.0.0.1]
Sep 27 13:27:02 bmtplus sm-mta[6786]: AUTH: available mech=DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Sep 27 13:27:02 bmtplus sm-mta[6786]: x8RDR2RB006786: Milter (opendkim): init success to negotiate
Sep 27 13:27:02 bmtplus sm-mta[6786]: x8RDR2RB006786: Milter: connect to filters
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: milter=opendkim, action=connect, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 220 bmtplus.com ESMTP Sendmail 8.15.2/8.15.2/Debian-10; Fri, 27 Sep 2019 18:57:02 +0530; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: <-- EHLO bmtplus.com
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-bmtplus.com Hello localhost [127.0.0.1], pleased to meet you
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-ENHANCEDSTATUSCODES
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-PIPELINING
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-EXPN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-VERB
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-8BITMIME
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-SIZE
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-DSN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-ETRN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-AUTH DIGEST-MD5 CRAM-MD5
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-STARTTLS
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250-DELIVERBY
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 250 HELP
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: <-- STARTTLS
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: --- 220 2.0.0 Ready to start TLS
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS: x509 cert verify: depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, state=0, reason=unable to get issuer certificate
Sep 27 13:27:03 bmtplus sendmail[6785]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=server, get_verify: 0 get_peer: 0x0
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=server, relay=localhost [127.0.0.1], version=TLSv1.3, verify=NO, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=server, cert-subject=, cert-issuer=, verifymsg=ok
Sep 27 13:27:03 bmtplus sm-mta[6786]: AUTH: available mech=DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN ANONYMOUS, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RB006786: <-- EHLO bmtplus.com
Sep 27 13:27:03 bmtplus sm-mta[6786]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-bmtplus.com Hello localhost [127.0.0.1], pleased to meet you
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-ENHANCEDSTATUSCODES
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-PIPELINING
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-EXPN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-VERB
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-8BITMIME
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-SIZE
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-DSN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-ETRN
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-AUTH DIGEST-MD5 CRAM-MD5
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250-DELIVERBY
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250 HELP
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=read, info: fds=8/4, err=2
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: <-- MAIL From:updates@bmtplus.com SIZE=326
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: Milter: sender: updates@bmtplus.com
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: milter=opendkim, action=mail, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250 2.1.0 updates@bmtplus.com… Sender ok
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=read, info: fds=8/4, err=2
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: <-- RCPT To:amitsedai@jagriti.co.in
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: Milter: rcpts: amitsedai@jagriti.co.in
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: milter=opendkim, action=rcpt, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250 2.1.5 amitsedai@jagriti.co.in… Recipient ok
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: <-- DATA
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 354 Enter mail, end with "." on a line by itself
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=read, info: fds=8/4, err=2
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: from=updates@bmtplus.com, size=598, class=0, nrcpts=1, msgid=201909271327.x8RDR2XG006785@bmtplus.com, proto=ESMTPS, daemon=MTA-v4, relay=localhost [127.0.0.1]
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: milter=opendkim, action=header, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: message repeated 12 times: [ x8RDR2RC006786: milter=opendkim, action=header, continue]
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: milter=opendkim, action=eoh, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: milter=opendkim, action=body, continue
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bmtplus.com;\n\ts=default; t=1569590823;\n\tbh=X9nDDMk8ef7FqxKsOSkC1HuyACBQECB5E2ZxkvNN2ps=;\n\th=Date:To:Subject:From:Cc:From;\n\tb=dgH6+c5HHrrc7nAdvpwcVAZ11MFgxC4wgISgXvazXqeZ8KsCC0+6HFxY8taMtUjYS\n\t yNA+/9Ycphj6YeCiRyrxG3yTV5BGJryGoVfk/9pODNT/CfH+WhAgPPaC7roniObj0d\n\t XNcvdfvM4nGbmjMKURHcKcXSpMhe6bFegrdwXwuegS4njDDU1A4UCmU0tdiY8pbT2l\n\t jJmguvaASTnqagz+UG84YPhYUgC4pwhcUJuujEIso5U2dqPZ25SC2vlPc9kJyJ5w0f\n\t gLYfXZzKRkA/tAMjJNEKGygJtSzBNDG2EomiP2IL8vIXcn5NLhTboBVH/J90j5ZnW2\n\t cavAluPblfZNA==
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: Milter accept: message
Sep 27 13:27:03 bmtplus sm-mta[6786]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RC006786: --- 250 2.0.0 x8RDR2RC006786 Message accepted for delivery
Sep 27 13:27:03 bmtplus sendmail[6785]: x8RDR2XG006785: to=amitsedai@jagriti.co.in, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30326, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (x8RDR2RC006786 Message accepted for delivery)
Sep 27 13:27:03 bmtplus sm-mta[6786]: STARTTLS=read, info: fds=8/4, err=2
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RD006786: <-- QUIT
Sep 27 13:27:03 bmtplus sm-mta[6786]: x8RDR2RD006786: --- 221 2.0.0 bmtplus.com closing connection
Sep 27 13:27:03 bmtplus sm-mta[6786]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:03 bmtplus sm-mta[6789]: x8RDR2RC006786: SMTP outgoing connect on bmtplus.com
Sep 27 13:27:03 bmtplus sm-mta[6789]: STARTTLS=client, init=1
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=client, start=ok
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=client, info: fds=8/7, err=2
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS: x509 cert verify: depth=1 /C=US/O=Google Trust Services/CN=GTS CA 1O1, state=0, reason=unable to get local issuer certificate
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS: TLS cert verify: depth=1 /C=US/O=Google Trust Services/CN=GTS CA 1O1, state=0, reason=unable to get local issuer certificate
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=client, get_verify: 20 get_peer: 0x55f8a29f2c90
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=client, cert-subject=/C=US/ST=California/L=Mountain+20View/O=Google+20LLC/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=GTS+20CA+201O1, verifymsg=unable to get local issuer certificate
Sep 27 13:27:04 bmtplus sm-mta[6789]: STARTTLS=read, info: fds=8/7, err=2
Sep 27 13:27:04 bmtplus sm-mta[6789]: message repeated 4 times: [ STARTTLS=read, info: fds=8/7, err=2]
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR2RC006786: to=amitsedai@jagriti.co.in, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120598, relay=aspmx.l.google.com. [IPv6:2404:6800:4003:c03:0:0:0:1b], dsn=5.0.0, stat=Service unavailable
Sep 27 13:27:05 bmtplus sm-mta[6789]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR2RC006786: to=updates@bmtplus.com, delay=00:00:02, mailer=local, pri=120598, dsn=5.1.1, stat=User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR2RC006786: to=postmaster, delay=00:00:02, mailer=local, pri=120598, dsn=5.1.1, stat=User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR2RC006786: x8RDR5RB006789: postmaster notify: User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RB006789: to=MAILER-DAEMON, delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RB006789: to=postmaster, delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RB006789: x8RDR5RC006789: return to sender: User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RC006789: to=MAILER-DAEMON, delay=00:00:00, mailer=local, pri=0, dsn=5.1.1, stat=User unknown
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RC006789: done; delay=00:00:00, ntries=1
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RB006789: Saved message in /var/lib/sendmail/dead.letter
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR5RB006789: done; delay=00:00:00, ntries=1
Sep 27 13:27:05 bmtplus sm-mta[6789]: x8RDR2RC006786: done; delay=00:00:02, ntries=1
Sep 27 13:27:05 bmtplus sm-mta[6789]: poststats: /var/lib/sendmail/sendmail.st: No such file or directory

2 Replies

After a bit of digging I found a forum post that has a very detailed explanation of what could be going on here. Let's Encrypt provides a fullchain.pem file which has both the SSL certificate and the certificate chain from chain.pem in the same file. That's useful in some applications, such as for a webserver, but it won't work for Sendmail since it expects only the certificate chain information to be passed to confCACERT. Could you try changing fullchain.pem to chain.pem for that line?

define(`confCACERT', `CERT_DIR/chain.pem')dnl

If that doesn't work, I'd recommend double checking the certificate files to see if they're named something other than cert.pem, privkey.pem, and chain.pem.

Aside from that, it looks like Sendmail configurations may be case sensitive. I didn't find anything that confirmed it explicitly, but every reference outside of the guide you mentioned has

define(`confDONT_BLAME_SENDMAIL',`GroupReadableKeyFile')dnl

with GroupReadableKeyFile capitalized. It may be worth changing, just in case.

Thank you @mjones.

I was able to resolve this by doing the following.

  1. Locally verify the Let's Encrypt chain.pem file:
openssl verify -CAfile /etc/ssl/certs/certSIGN_ROOT_CA.pem -untrusted chain.pem cert.pem
  2. Change confCACERT_PATH to the local certs directory:
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
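As an added example (this is not code from the thread or from the Sendmail project), the script below builds a throwaway root / intermediate / leaf PKI with openssl and reruns the check an MTA performs as a STARTTLS client under each trust configuration discussed above: the MTA's own certificate file as the trusted set (the original confCACERT=fullchain.pem situation, which reproduces the exact reason string in the log), chain.pem alone as the first reply suggested (which still fails, since OpenSSL's default verifier does not accept an intermediate as a trust anchor unless partial chains are explicitly enabled, shown here with openssl verify -partial_chain), and a hashed CA directory in the shape of /etc/ssl/certs as confCACERT_PATH, which is what fixed it. openssl verify's -CAfile corresponds to confCACERT and -CApath to confCACERT_PATH. Every file name, subject name and directory in the script is hypothetical; it needs only a working openssl binary (1.1.0 or newer for rehash / -no-CApath) and runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway
# root -> intermediate -> leaf PKI, verified the way an MTA TLS client would
# under several trust configurations. -CAfile plays the role of sendmail's
# confCACERT and -CApath the role of confCACERT_PATH. All names are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: no prompting, plus a CA extension section. An
# intermediate without CA:TRUE would fail for a different reason
# ("invalid CA certificate") and muddy the comparison.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
# This stands in for the remote MX's chain (leaf <- intermediate CA <- root).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/O=Example Trust/CN=Example Root" -days 2 >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/O=Example Trust/CN=Example Intermediate" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1 \
  -extfile ca.cnf -extensions ca_ext -out inter.pem -days 2 >/dev/null 2>&1
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=mx.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 2 \
  -out leaf.pem -days 1 >/dev/null 2>&1

# chain.pem in Let's Encrypt terms: the intermediate only. The remote side sends
# it next to its leaf, so the client sees it as an untrusted cert.
cp inter.pem chain.pem

# Stand-in for the MTA's own certificate file (the poster's fullchain.pem):
# a self-signed cert unrelated to the remote chain.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout own.key -out own.pem \
  -subj "/CN=mx.bmtplus.example" -days 2 >/dev/null 2>&1

# A hashed CA directory like /etc/ssl/certs: the only form a CApath lookup
# can use (a /etc/letsencrypt/live/<host> directory is not hashed).
mkdir cadir && cp root.pem cadir/ && openssl rehash cadir >/dev/null 2>&1

# verify_with CAFILE CAPATH [EXTRA]: verify leaf.pem with chain.pem as the
# peer-supplied untrusted intermediate. Prints "OK" or the X509 reason text
# taken from openssl's "error N at D depth lookup: <reason>" line.
verify_with() {
  cafile=$1; capath=$2; extra=${3:-}
  if [ -n "$capath" ]; then pathopt="-CApath $capath"; else pathopt="-no-CApath"; fi
  # shellcheck disable=SC2086
  if out=$(openssl verify -CAfile "$cafile" $pathopt $extra -untrusted chain.pem leaf.pem 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
  fi
}

# 1. The poster's setup: own cert as confCACERT, no usable CApath.
printf 'CAfile=own.pem    CApath=(none)  : %s\n' "$(verify_with own.pem '')"
# 2. chain.pem (intermediate only) as confCACERT: a non-self-signed cert is not
#    accepted as the end of a chain by OpenSSL's default verifier ...
printf 'CAfile=chain.pem  CApath=(none)  : %s\n' "$(verify_with chain.pem '')"
# 3. ... unless partial chains are explicitly allowed (-partial_chain).
printf 'CAfile=chain.pem  -partial_chain : %s\n' "$(verify_with chain.pem '' -partial_chain)"
# 4. The thread's fix: confCACERT unchanged, confCACERT_PATH pointed at a hashed root store.
printf 'CAfile=own.pem    CApath=cadir   : %s\n' "$(verify_with own.pem cadir)"
```

Case 1 prints the reason from the log, "unable to get local issuer certificate": nothing in the trusted set issued any cert in the remote chain, so the whole chain stays untrusted. Case 4 succeeds because the CApath lookup finds the self-signed root by subject hash; that is the check the sm-mta[6789] client performed against aspmx.l.google.com and could not complete while confCACERT_PATH pointed at the Let's Encrypt directory.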
