Symptoms
- Comodo/Sectigo certificate is installed for the mail service. Connections to the mail server with Webmail, PhpMailer or just with mail clients fail.
- Attempt to manually connect to SMTP port 465 with SSL shows “certificate expired” error and “AddTrust External” certificate:
# openssl s_client -connect example.com:465
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
Verify return code: 10 (certificate has expired)
- Attempt to activate Comodo ModSecurity rules under Tools & Settings > Web Application Firewall (ModSecurity) shows an error:
PLESK_ERROR: URLErrorWrapper: Error interacting with
https://waf.comodo.com/doc/meta_comodo_apache.yaml: <urlopen error [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
Unable to download comodo_free rule set
Cause
On May 30, 2020, TLS clients stopped working correctly when connecting to servers that use a certificate chained to the Sectigo root CN = AddTrust External CA Root. See Sectigo's announcement on this.
Resolution
To fix the issue, explicitly disable the expired CA certificate.
CentOS:
Warning: There is no workaround for CentOS 6.
- Log in to the server via SSH.
- Update the ca-certificates package on the server:
# yum update -y ca-certificates
Debian/Ubuntu:
- Log in to the server via SSH.
- Execute the command below:
# apt update && apt -y install ca-certificates
If the package itself is up to date, try to update the trusted certificates:
CentOS:
# update-ca-trust
Debian/Ubuntu:
# update-ca-certificates
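To confirm the result of the steps above, the following added example (not part of the original article) scans a PEM trust bundle and lists every certificate that has expired or will expire within a given number of seconds. The function name `list_expiring_cas` is hypothetical, and the bundle paths in the comments are the distribution defaults, assumed here rather than taken from the article.

```shell
#!/bin/sh
# Added example: list certificates in a PEM bundle that are expired
# (or expire within WINDOW seconds). Requires openssl and awk.
# Assumed default bundle locations:
#   CentOS:        /etc/pki/tls/certs/ca-bundle.crt
#   Debian/Ubuntu: /etc/ssl/certs/ca-certificates.crt
# Exit status: 0 = nothing found, 1 = at least one hit, 2 = usage/IO error.
list_expiring_cas() {
    bundle=$1
    window=${2:-0}          # 0 means "already expired"
    [ -r "$bundle" ] || { echo "cannot read bundle: $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%05d.pem", dir, n); inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle"

    found=0
    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || continue
        # Skip blocks that do not parse as X.509.
        openssl x509 -in "$pem" -noout 2>/dev/null || continue
        # -checkend exits non-zero if the certificate expires within WINDOW seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
            # One line per hit: subject followed by notAfter.
            openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' '
            echo
            found=1
        fi
    done
    rm -rf "$tmpdir"
    [ "$found" -eq 0 ]
}

# Run directly as: sh check_bundle.sh /etc/ssl/certs/ca-certificates.crt [WINDOW]
if [ "$#" -gt 0 ]; then
    list_expiring_cas "$@"
fi
```

After a successful update, no line containing "AddTrust External CA Root" should be printed for the system bundle.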