Android email client does not trust the certificate


#1

I configured an email server (mail.leoterra.com.ua) and I use Let’s Encrypt certificates for setting up the TLS connection.

On the server side I configured Postfix+Dovecot.

Connecting to the mail server over Thunderbird works perfectly fine, but when I try to configure an Android email client to connect to the server, it complains about an untrusted certificate and shows the following error message:

Certificate not trusted
Subject: mail.leoterra.com.ua
Issuer: Let’s Encrypt Authority X3
Valid from: Sep 4, 2018
Expires on: Dec 3, 2018
Current date: Oct 13, 2018
PEM encoded chain: [one PEM-encoded certificate]

Unfortunately this message does not give me insight into the root cause of the problem.

I also have another server for the upper-level domain (leoterra.com.ua) that has another Let’s Encrypt certificate and that hosts an HTTP server. Maybe this is the source of confusion for Gmail?

In /etc/postfix/main.cf I have:

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.leoterra.com.ua/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.leoterra.com.ua/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=encrypt
smtpd_tls_protocols = !SSLv2, !SSLv3

In /etc/dovecot/dovecot.conf:

ssl=required
ssl_cert = </etc/letsencrypt/live/mail.leoterra.com.ua/cert.pem
ssl_key = </etc/letsencrypt/live/mail.leoterra.com.ua/privkey.pem

Would be glad if you helped me to find the root of the problem.


#2

Try changing both of those from “cert.pem” to “fullchain.pem”.
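
An added example, not part of the thread: certbot's cert.pem contains only the server's own certificate, whereas fullchain.pem appends the issuing intermediate, so a client that does not already hold the intermediate cannot build a path to a trusted root when only cert.pem is served. The script below reads the Postfix and Dovecot certificate settings quoted above and reports which files hold a chain; the function names, the placeholder PEM contents and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether each certificate file
# named in a Postfix or Dovecot config holds a chain or only the leaf.

# Number of certificates in a PEM file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Paths from "smtpd_tls_cert_file=..." and "ssl_cert = <..." lines.
cert_paths() {
    sed -n -e 's/^[[:space:]]*smtpd_tls_cert_file[[:space:]]*=[[:space:]]*//p' \
           -e 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<//p' "$1"
}

# Prints "<STATUS> <count> <path>" per setting; non-zero unless all are CHAIN_OK.
check_config() {
    cc_rc=0
    for cc_path in $(cert_paths "$1"); do
        if [ ! -r "$cc_path" ]; then
            echo "MISSING 0 $cc_path"; cc_rc=1; continue
        fi
        cc_n=$(count_certs "$cc_path")
        if [ "$cc_n" -ge 2 ]; then
            echo "CHAIN_OK $cc_n $cc_path"
        else
            echo "LEAF_ONLY $cc_n $cc_path"; cc_rc=1
        fi
    done
    return "$cc_rc"
}

# Constructed sample: placeholder PEM blocks (not real certificates) and two
# config files in a temp directory, mirroring the settings in the thread.
make_sample() {
    ms_dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$ms_dir/cert.pem"
    { cat "$ms_dir/cert.pem"
      printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----'
    } > "$ms_dir/fullchain.pem"
    printf 'smtpd_tls_cert_file=%s/cert.pem\n' "$ms_dir" > "$ms_dir/main.cf"
    printf 'ssl=required\nssl_cert = <%s/fullchain.pem\n' "$ms_dir" > "$ms_dir/dovecot.conf"
    echo "$ms_dir"
}

sample=$(make_sample)
check_config "$sample/main.cf" || true   # LEAF_ONLY 1 <tmp>/cert.pem
check_config "$sample/dovecot.conf"      # CHAIN_OK 2 <tmp>/fullchain.pem
rm -rf "$sample"
```

A count of two or more is only a heuristic that an intermediate is present; `openssl s_client -connect <host>:<port> -showcerts` shows the chain the server actually sends.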