
[bug]: TLS should provide the full cert chain for TLSA type 2 records to work #603

Closed
1 task done
williamdes opened this issue Jul 7, 2024 · 9 comments
Labels
bug Something isn't working

Comments

@williamdes
Contributor

What happened?

Ref: #397

found 2 secure addresses for "mx2.mails.wdes.eu" at "mx2.mails.wdes.eu.": [2a10:4646:c:56::1 2.57.253.83]
found 2 TLSA records for "_25._tcp.mx2.mails.wdes.eu."
  2 0 1 69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470 ; ISRG Root X2
  2 0 1 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6 ; ISRG Root X1
[mx2.mails.wdes.eu 2a10:4646:c:56::1] issuing STARTTLS [port 25]
[mx2.mails.wdes.eu 2a10:4646:c:56::1] STARTTLS failed: danetls: no trust anchors matched certificate chain
[mx2.mails.wdes.eu 2a10:4646:c:56::1] QUIT failed: danetls: no trust anchors matched certificate chain
smtpdane: encountered 2 errors

How can we reproduce the problem?

As I can see on https://www.huque.com/bin/danecheck

mx1.mails.wdes.eu works fine (classic postfix/dovecot)
but mx2.mails.wdes.eu does not.
You can see in the transcript that stalwart does not send the full chain.

DNS_RESOLVER="1.1.1.1, 1.0.0.1" smtpdane -4 -quiet -nocolor -helo status.wdes.eu mx2.mails.wdes.eu

Version

v0.8.x

What database are you using?

None

What blob storage are you using?

None

Where is your directory located?

None

What operating system are you using?

None

Relevant log output

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
@williamdes williamdes added the bug Something isn't working label Jul 7, 2024
@mdecimus
Member

mdecimus commented Jul 8, 2024

Do you mean the TLSA DNS records created by Stalwart? Rustls should provide the full chain, you can verify this with openssl.

@williamdes
Contributor Author

Do you mean the TLSA DNS records created by Stalwart?

No, I created them myself. But they should be the same idea.

Rustls should provide the full chain, you can verify this with openssl.

I verified and, as you can see in the transcript, the CA cert is missing

@mdecimus
Member

mdecimus commented Jul 8, 2024

As you can see here, Stalwart returns the full certificate chain.

Your server is correctly returning the CA's cert:

% openssl s_client -starttls smtp -connect mx2.mails.wdes.eu:25 -showcerts
Connecting to 2.57.253.83
CONNECTED(00000005)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E6
verify return:1
depth=0 CN=mails.wdes.eu
verify return:1
---
Certificate chain
 0 s:CN=mails.wdes.eu
   i:C=US, O=Let's Encrypt, CN=E6
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jun 12 18:32:44 2024 GMT; NotAfter: Sep 10 18:32:43 2024 GMT
-----BEGIN CERTIFICATE-----
MIIDjDCCAxKgAwIBAgISA5MKZ/xJazqxXoa+My6LhFwqMAoGCCqGSM49BAMDMDIx
[...]
HSERM2MNIdmeN25uJ2ekFfpDHn+KnwuVtkMyBcToSnjh+KR4kCkmkwG6zwpeAISQ
-----END CERTIFICATE-----
 1 s:C=US, O=Let's Encrypt, CN=E6
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRALBXPpFzlydw27SHyzpFKzgwDQYJKoZIhvcNAQELBQAw
[...]
Ig46v9mFmBvyH04=
-----END CERTIFICATE-----
---
Server certificate
subject=CN=mails.wdes.eu
issuer=C=US, O=Let's Encrypt, CN=E6

@williamdes
Contributor Author

Hmm yes, but C=US, O=Internet Security Research Group, CN=ISRG Root X1 is missing. How can I add the CA to the chain?
I do not want to have to set the TLSA record for E6 as it could change between renewals

@mdecimus
Member

mdecimus commented Jul 8, 2024

If you are using ACME you can't, the chain provided is exactly what Let's Encrypt issued. If you are specifying a certificate manually it has to be present in the file.

@mdecimus mdecimus closed this as completed Jul 8, 2024
@williamdes
Contributor Author

williamdes commented Jul 8, 2024

If you are using ACME you can't, the chain provided is exactly what Let's Encrypt issued. If you are specifying a certificate manually it has to be present in the file.

That's quite problematic. Can you check if you can request the CA cert from ACME?
I am pretty sure they send it, on acme.sh it is saved

For now I will have to add E5 and E6: https://letsencrypt.org/certificates/

@williamdes
Contributor Author

I got it working, but having the CA would clearly be less complicated.
Look at this mess 😄

found 2 secure addresses for "mx2.mails.wdes.eu" at "mx2.mails.wdes.eu.": [2a10:4646:c:56::1 2.57.253.83]
found 5 TLSA records for "_25._tcp.mx2.mails.wdes.eu."
  2 0 1 065ab7d2a050f947587121765d8d070c0e1330d5798faa42c2072749ed293762
  2 0 1 5dfdb3cf31b26f23d87c09f3a0cef642f64069a9fb7cfe29270bb5dc0f1e16bb
  2 0 1 69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470 ; ISRG Root X2
  2 0 1 76e9e288aafc0e37f4390cbf946aad997d5c1c901b3ce513d3d8fadbabe2ab85
  2 0 1 e788d14b0436b5120bbee3f15c15badf08c1407fe72568a4f16f9151c380e1e3
[mx2.mails.wdes.eu 2.57.253.83] issuing STARTTLS [port 25]
[mx2.mails.wdes.eu 2.57.253.83] hostname "mx2.mails.wdes.eu" has 1 chains to TA; first length 2, is: ["mails.wdes.eu" "E6"]
[mx2.mails.wdes.eu 2.57.253.83] TLSA DANE-TA(2) match against chain position 2: 2 0 1 ...d3d8fadbabe2ab85

I had to put E5/E6 signed by X2 and E5/E6 signed by X1

@mdecimus
Member

mdecimus commented Jul 8, 2024

I've checked on mail.stalw.art and it also has just two certificates. I couldn't find an option to request the full chain in either RFC8555 or RFC2986. Perhaps PKCS #10 has an extension for this but I couldn't find it.

@williamdes
Contributor Author

williamdes commented Jul 8, 2024

I guess there is some smart code doing it: https://github.com/acmesh-official/acme.sh/blob/0d8a314bcf32c7705f0be11527d34d3b4ce0fa79/acme.sh#L5196

The bash code suggests that at download time there are 3 certs and it splits them into 3 files
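Added example (not code from Stalwart, acme.sh or the issue author) covering two points from this thread: splitting a PEM bundle or an `openssl s_client -showcerts` transcript into its certificates, and checking a DANE-TA(2) TLSA RRset against the chain a server actually presents. It shows why the original `2 0 1 <sha256 of root>` records failed: with a digest matching type, a DANE-TA(2) record can only match a certificate the server sends, so the trust anchor has to be in the presented chain (RFC 7671 §5.2.2); only a `2 1 0` record, which carries the full SPKI, lets a client verify without the TA in the chain. The "certificates" below are constructed stand-in byte strings, not real DER, because with selector Cert(0) and matching type SHA-256(1) the TLSA data is just `sha256(DER)` and the matching logic is exercised exactly as it would be on real certificates. Everything here is stdlib only.

```python
"""DANE-TA(2) digest matching against a presented chain (stdlib only).

Constructed example; the stand-in certificate bytes are labels, not ASN.1.
"""
import base64
import hashlib
import re
from typing import List, Optional, Tuple

# One PEM certificate block; works on chain files and on the
# "openssl s_client -showcerts" transcript shown in this issue, since the
# s:/i:/a:/v: lines around each block simply do not match.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_chain(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate in `text`, in presented order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def tlsa_2_0_1(der: bytes) -> str:
    """TLSA rdata for usage DANE-TA(2), selector Cert(0), matching type SHA-256(1)."""
    return "2 0 1 " + hashlib.sha256(der).hexdigest()


def parse_tlsa(rr: str) -> Tuple[int, int, int, str]:
    """Parse 'usage selector mtype hexdata [; comment]' into a tuple."""
    usage, selector, mtype, data = rr.split()[:4]  # trailing '; comment' ignored
    return int(usage), int(selector), int(mtype), data.lower()


def dane_ta_match(chain: List[bytes], rrset: List[str]) -> Optional[Tuple[str, int]]:
    """Digest-match step of DANE-TA(2) validation.

    Returns (record, 1-based chain position) for the first '2 0 1' record
    whose digest equals a *presented* certificate, else None. A cert that is
    not in `chain` (e.g. a root the server never sends) can never match.
    Only Cert(0)/SHA-256(1) is handled here; SPKI(1) needs an SPKI extractor
    and Full(0) compares raw bytes. The caller must still verify that the
    chain below the matched cert is validly signed and names the host.
    """
    digests = [hashlib.sha256(der).hexdigest() for der in chain]
    for rr in rrset:
        usage, selector, mtype, data = parse_tlsa(rr)
        if (usage, selector, mtype) != (2, 0, 1):
            continue
        if data in digests:
            return rr, digests.index(data) + 1
    return None


# Constructed stand-ins for DER certificates (not real certificates).
LEAF = b"constructed DER stand-in: CN=mails.wdes.eu"
INTERMEDIATE = b"constructed DER stand-in: CN=E6, issued by ISRG Root X1"
ROOT = b"constructed DER stand-in: CN=ISRG Root X1"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64 body)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# What an ACME-issued chain typically contains: leaf + intermediate, no root,
# laid out like an s_client -showcerts transcript.
SERVED_TRANSCRIPT = (
    " 0 s:CN=mails.wdes.eu\n   i:C=US, O=Let's Encrypt, CN=E6\n" + to_pem(LEAF)
    + " 1 s:C=US, O=Let's Encrypt, CN=E6\n   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1\n"
    + to_pem(INTERMEDIATE)
)


def demo() -> Optional[Tuple[str, int]]:
    """Reproduce the issue: root-only records fail, adding the intermediate works."""
    served = split_pem_chain(SERVED_TRANSCRIPT)
    root_only = [tlsa_2_0_1(ROOT) + " ; ISRG Root X1"]
    assert dane_ta_match(served, root_only) is None  # root is never presented
    with_intermediate = root_only + [tlsa_2_0_1(INTERMEDIATE) + " ; E6"]
    return dane_ta_match(served, with_intermediate)  # matches chain position 2


if __name__ == "__main__":
    print(demo())
```

To run this against a live server, feed the output of `openssl s_client -starttls smtp -connect HOST:25 -showcerts` (the command already used in this thread) to `split_pem_chain` and the `_25._tcp.HOST` TLSA RRset to `dane_ta_match`. Note what the result does and does not mean: a match on the intermediate is exactly the workaround the reporter ended up with, and it carries the renewal risk they mention, since a `2 0 1` digest of E6 stops matching the moment the CA starts issuing from a different intermediate. A `2 1 1` record (SPKI digest) tolerates re-issued certificates for the same key but not a new key, and only `2 1 0` (full SPKI) removes the requirement that the TA be in the presented chain at all.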
