postfix
Andrei Vukolov, 2018-06-21 19:30:32

How to set up Postfix with Let's Encrypt certificates for GitLab?

I'm asking for help with the following issue: I'm trying to teach GitLab to send outgoing mail via SMTP with TLS support. The server is configured, but the certificate does not want to be recognized. When connecting via pure OpenSSL I get the following output:

$ openssl s_client -starttls smtp -crlf -connect ***********************:587

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ***************
verify return:1
---
Certificate chain
 0 s:/CN=*************************
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
*
*
*
-----END CERTIFICATE-----
subject=/CN=**********************
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3596 bytes and written 466 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ******************************************
    Session-ID-ctx: 
    Master-Key: ***********************
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 
**************************
    Start Time: 1529598140
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8
quit
221 2.0.0 Bye
closed

The GitLab logs are as follows:
Started PUT "/gitlab/profile/emails/3/resend_confirmation_instructions" for ***.***.***.*** at 2018-06-21 19:27:46 +0300
Processing by Profiles::EmailsController#resend_confirmation_instructions as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "id"=>"3"}

Sent mail to ***************@gmail.com (15.0ms)
Completed 500 Internal Server Error in 55ms (ActiveRecord: 1.5ms)

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
  app/services/emails/confirm_service.rb:4:in `execute'
  app/controllers/profiles/emails_controller.rb:28:in `resend_confirmation_instructions'
  lib/gitlab/i18n.rb:50:in `with_locale'
  lib/gitlab/i18n.rb:56:in `with_user_locale'
  app/controllers/application_controller.rb:362:in `set_locale'
  lib/gitlab/middleware/multipart.rb:95:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only/controller.rb:28:in `call'
  lib/gitlab/middleware/read_only.rb:16:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
  lib/gitlab/middleware/release_env.rb:10:in `call'

How do I properly configure the entire bundle so that Postfix correctly recognizes all certificates?
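
Certificate verification runs on the client, against the client's own trust store and the host name it connects to. The following added sketch (not part of the original post and not GitLab's code) runs both client-side checks in Ruby against a three-level chain shaped like the one in the output above. All certificates, names and the helpers `make_cert` and `check` are constructed for the example.

```ruby
require "openssl"

# Build a certificate signed by `issuer` (self-signed when issuer is nil).
def make_cert(cn, issuer, ca:, san: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{san}")) if san
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Client-side checks: path building to a trusted root, then name matching.
def check(leaf, sent_chain, trusted_roots, hostname)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent_chain)
  return "chain: #{ctx.error_string}" unless ctx.verify
  return "name: no match for #{hostname}" unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  "ok"
end

# Constructed chain: root (depth 2) -> intermediate (depth 1) -> server (depth 0).
ROOT  = make_cert("Constructed Root CA", nil, ca: true)
INTER = make_cert("Constructed Intermediate", ROOT, ca: true)
LEAF  = make_cert("mail.example.test", INTER, ca: false, san: "mail.example.test")

# Same server chain each time; only the client's trust store or target name changes.
puts check(LEAF[:cert], [INTER[:cert]], [ROOT[:cert]], "mail.example.test")
puts check(LEAF[:cert], [INTER[:cert]], [], "mail.example.test")
puts check(LEAF[:cert], [INTER[:cert]], [ROOT[:cert]], "localhost")
```

The first call succeeds, the second fails at path building because the client has no trusted root, and the third fails at name matching even though the chain itself is valid.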
