Let’s Encrypt issue “unable to get local issuer certificate” since Nov 24 2020

I just stumbled across an issue with Let’s Encrypt certificates being used on my personal server for securing IMAP and SMTP. I decided to share it here since, in my opinion, it’s a hard nut to crack: I did not find any clear articles pointing this out during my own debugging.

What has happened?

A few days ago, a friend of mine, with whom I share my personal mail server, contacted me telling me that all of a sudden his Android mail app (K-9 Mail) had stopped working. At the same time, I had no issues with Thunderbird on macOS Big Sur, Apple Mail on iOS 14.2 or Roundcube.

Anyway, I started to verify everything: I checked the state of the Let’s Encrypt certificates to make sure certbot had not failed to renew them, I checked whether Dovecot was configured to use the appropriate SSL certs, and I checked the content of the SSL certs used on the server using OpenSSL (openssl x509 -in certificate.crt -text -noout). Everything appeared OK, and I had to tell my buddy that I did not have a clue what his issue might be.

Today, I did something that I rarely do: I started my Thunderbird Mail app on my Windows 10 Gaming PC. Since it’s my gaming PC and the only Windows PC I have in use, I didn’t do this in my routine earlier. I noticed that I had zero emails in my Inbox.
That’s not too uncommon, since I do quite a good job of keeping my Inbox clean by sorting read mail into subfolders. But this time, I knew there was mail, since I had checked on Apple Mail before.

Where are my emails?? 

Now I was able to reproduce it. Again I searched for an issue on my server but – nothing found! Everything seemed correct. Also, I am running the same setup for several years now and didn’t change anything lately; so: why should it break?

The reason

… Maybe I didn’t change anything, but it turned out: Let’s Encrypt did!

This time, I also tried to grab the certificate from “the outside”, using OpenSSL on my Mailserver, but pointing to its official public DNS name instead of checking the cert by its local file:

Aha – the server itself seems to have some trouble with the local copy of the issuer certificate?
I then checked the journald entries:

By sheer luck, I found this article in the Let’s Encrypt blog, announcing that they introduced a new intermediate signing certificate around November 24th 2020.
I had already noticed that the certificate issuer in my browser instances now says “R3” for some of my sites instead of “Let’s Encrypt”, but since that worked without any issues, I didn’t pay too much attention. For some reason, though, it seems to cause trouble with some IMAP client / operating system combinations out there.

The solution

For me (Thunderbird on Windows 10), downloading and importing the R3 intermediate certificate from https://crt.sh/?id=3479778542 solved the issue (this is the link they named in their blog post – click on “Certificate”). All of a sudden, Thunderbird acted as if there had never been an issue.
You can import that certificate into the Windows certificate store by double-clicking on it. But that’s not enough for Thunderbird: Since it uses its own certificate store, you need to import it to Thunderbird as well:

Go to Menu (3 black bars in the upper right corner) -> Options -> Privacy & Security -> Scroll down to “Security” and click “Manage certificates…“. In the “Certificate Manager” dialogue, click “Import …” and select the downloaded *.crt file.

That should do the trick.
I hope this quick-tip saves you some time and headaches.

Fix for audio mutes at low volume in Linux

Recently, I had an issue with my Mint Linux machine’s audio: when the volume of what was played dropped below a threshold, that channel was muted completely. I found this especially unpleasant when I had my headphones on, since in passages with low volume, the sides switched from “low volume” to “completely off” independently multiple times each minute. It sounded as if there was a broken cable causing a loose contact.

After some searching, I found the solution here:
This can be solved by editing the PulseAudio config files as user root. First open the following file in your preferred text editor as root:

In that file, locate the section “[Element PCM]”. On my Linux Mint 18.3 system, this looked like this:

Change this to the following:

 

 

The original article suggests experimenting with the volume-limit value, but for me, this already worked perfectly, so I did not invest too much time validating this.
I’d love to provide additional details on what these parameters are doing in detail actually, but the truth is that I could not find that info anywhere! I checked the comments in the source code, but these describe a completely different meaning for this:

Feel free to add this info to the comments and I will update this article.

The author of the forum post that inspired the original article mentioned additional measures:

Also, adding “ignore_dB=1”:

load-module module-udev-detect ignore_dB=1

in ‘/etc/pulse/default.pa’ (line 53~) and setting:

flat-volumes = no

in ‘/etc/pulse/daemon.conf’ did make the volume control more usable for me.

I can only say that I did not need any of these to make the issue go away, but maybe this is valuable information in case this doesn’t work for you like it did for me.

After the changes are in place, you need to restart the PulseAudio daemon as your default user. You do not need to be root for this:

When I did that, my music stopped immediately and I could not make it work again without a restart of the system; pulseaudio --start did not work either. But since that restart of the system, I have not had any drops, even at the lowest volumes.

Updated Docker image derjudge/confluence


Hi everyone!

This is just a short notice to let you know that I just updated my Docker image derjudge/confluence to provide the most recent version of Confluence (6.10.1) and Java 8 (8u181). Enjoy!

derjudge/confluence is a Docker image which provides Atlassian Confluence in a single “batteries included” Docker container.
Please find additional details on the Docker Hub page of the image and feel free to report any trouble using the bugtracker at Bitbucket.

 

Fix missing Google calendars in Evolution / CalDAV

Google Calendar and Evolution Sync

My wife and I both use Google calendars to organize our daily schedule. We also share these calendars with each other to see each other’s appointments. This way, we do not clash with each other’s plans by accepting appointments in the same time slots.

Recently, we found that not all of her calendars were offered to me in Evolution. After some digging, I found the solution and I’m going to explain it in this article.

Since some people in charge (note that I did not mention “we” 😤) decided to switch to Office365, I need to use Evolution PIM on my Linux machine to have an at least slightly enjoyable Exchange experience. The other solutions, like DavMail for example, basically worked but proved to be too error-prone and slow for my taste; more often than not, mails I archived in Thunderbird with DavMail in between showed up again after some minutes, and any action took ages.
However, somehow I could not select all of the foreign “shared” calendars my wife shared with me – they simply were not listed in the selection dialogue.

How to solve this

I finally found the solution to this issue here: It turned out that it’s not Evolution’s fault; instead, Google does not advertise (list) these calendars by default. You first have to change this (quite confusing) default setting at the following location:

https://www.google.com/calendar/syncselect

Please mind the lower list on that page; this should be a complete list of calendars shared with you. Select those you want to be able to access in CalDAV-based clients (including Evolution) and save your selection. Your changes should be effective immediately.

I hope this is helpful to some – Please let me know in the comments✌

Fixed my most popular Docker Image


Today, I’d like to announce that my most popular Docker Image derjudge/confluence, a batteries-included solution to get Atlassian Confluence up and running with a mature database (PostgreSQL) as storage backend in seconds, has been fixed and updated.

  • It ships with the most recent version of Confluence now, which is 6.8.1.
    The image was not updated since Confluence version 6.0.2 before … sorry for that!
  • PostgreSQL version was updated to 9.6.
    Since Atlassian has decided to finally support this version, I declared it to be the version of choice in my image, too. It was set to be 9.4 before.
  • JAVA version was updated to 1.8.0_162.
    This has been 1.8.0_112 before.
  • Underlying Debian release was updated to “stretch”.
    This was “jessie” before.

I have to admit this has not really received much love recently … but in my defense: I do not currently use it for hosting Confluence myself. Not that I do not like to taste my own poison, but the infrastructure my hosting is built on does not need it at the moment. So I do not really notice if anything breaks (which was the case with PostgreSQL not launching, recently).
Also, nobody got in touch with me to tell me something was wrong; the first note on this issue (PostgreSQL not working) I received by mail on 2018-04-12 at 11:04 CEST (thank you, Michael Bykovski from //SEIBERT/MEDIA!); on 2018-04-13 at 20:13 CEST the fix had been made, the updates listed above were applied, a new image tag was created for this new release and the image was built successfully.

I wonder a bit why nobody did so before: The image has 50K pulls (WOW – thank you!!), the PostgreSQL issue seems to have been in there since December 2016 (!), and both my e-mail address and the link to my source repository, which has an issue-reporting feature, are prominently available on the image’s Docker Hub page.
Guys: I can only fix things I know of, so:

Please utilize the tools offered to get in touch!

I hope I’ll find the time to push newer versions more often and proactively in the future. If I miss something: feel free, and actually invited, to poke me! 😉

Hello World!

Time to start a new Blog with a “Hello World!” post!

Let’s start with some technical, personal and historical background about my IT journey so far (even though no one will be interested enough in this to read the whole article. And you know why I do it anyway? Because I decide so; it’s only up to me to decide what is put here and what isn’t, and there’s nothing you can do about it 😛).
You digital-native-social-network-scum can search for some “Dislike 👎 or Report 📢” buttons as long as you like – this page was made by elders for elders 🧓 (quoth the 35 years old author), who went through the dark ages of the Internet, including connection breakdowns, because some other member of the household picked up the phone and interrupted your dial-up connection.

My first steps into the IT

I started to explore computers in 1994/1995