When entering the fullchain.pem certs, I'm getting
BER: residual data after 'constructed' data
That's in the GUI of the Communigate Mail Server. This used to work flawlessly in the past, but this seems to be an error preventing me from fulfilling the cert update. Any ideas?
This sounds like you're doing some sort of manual process, which already means you're doing something out of the ordinary. Can you be a lot more specific about what actions you're taking?
My wild guess is that whatever backwards system you're using that requires some manual intervention to install a certificate is backwards enough to only support RSA certificates, and you're now requesting an ECDSA one for some reason. But that's just a wild guess.
6 Likes
Thanks. Yes, I'm doing a manual process using the GUI to import one after the other, the privkey.pem, cert.pem and finally the fullchain.pem into the mailserver environment.
From where do you conclude that it's an ECDSA (whatever that is) I'm now requesting? Is it the text "BER: residual data after 'constructed' data" leading to that?
BTW, the server works with the new certs. The fullchain.pem got accepted. So just a "glitch" that can be ignored?
It was just a random guess, since sometimes systems that only expect RSA keys to exist give weird messages when they can't parse other kinds of keys.
BER is the encoding format used for most certificate files, so an error with not understanding the BER data means that it doesn't understand something. Though maybe it's not understanding that the certificate doesn't have an OCSP URL embedded anymore. Again, just wild guesses, it's hard to know what your system is meaning with so little to go on.
3 Likes
This does suggest some sort of certificate parsing error within Communigate, but that error alone isn't enough information to know what it's unhappy about.
I think you will have to talk to the authors of Communigate to figure out where that error comes from.
5 Likes
If you are uploading cert.pem and privkey.pem you may be confusing it by uploading fullchain.pem because that will also include your cert, plus intermediates. For the CA bundle you perhaps just want chain.pem.
Check that your private KEY is RSA because googling their docs suggests they only talk about RSA keys.
[Edit: some software also relies on the presence of Common Name CN in the certificate structure, but that's deprecated and in some cases removed, so check that's there]
4 Likes
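An added example, not from the thread or from Communigate: a small Python check of the point above that fullchain.pem holds the leaf certificate plus intermediates. It counts the PEM blocks in a file and measures how many bytes would trail the first DER object if an importer read the whole file as a single certificate, which is one assumed, unconfirmed way a "residual data" message could arise. The certificates are constructed filler and every function name is hypothetical.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_RE.findall(text)]

def first_tlv_length(der):
    """Total size (header + content) of the first DER element in der."""
    if len(der) < 2:
        raise ValueError("truncated header")
    first = der[1]
    if first < 0x80:                  # short-form length
        return 2 + first
    n = first & 0x7F                  # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def fake_cert(fill, size):
    """Constructed stand-in for a certificate: SEQUENCE (0x30) of filler."""
    hdr = bytes([0x30, size]) if size < 0x80 else b"\x30\x82" + size.to_bytes(2, "big")
    return hdr + bytes([fill]) * size

def to_pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample files, not real certificates.
LEAF, INTERMEDIATE = fake_cert(0x01, 300), fake_cert(0x02, 40)
CERT_PEM, CHAIN_PEM = to_pem(LEAF), to_pem(INTERMEDIATE)
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM      # leaf first, then intermediates

def report(text):
    """Count PEM blocks and measure trailing bytes per block and overall."""
    blocks = pem_blocks(text)
    # Assumption: an importer that decodes the whole file as one object.
    joined = b"".join(der for _, der in blocks)
    return {"blocks": len(blocks),
            "per_block_residual": [len(d) - first_tlv_length(d) for _, d in blocks],
            "residual_if_read_as_one": len(joined) - first_tlv_length(joined)}

if __name__ == "__main__":
    for name, pem in [("cert.pem", CERT_PEM), ("chain.pem", CHAIN_PEM), ("fullchain.pem", FULLCHAIN_PEM)]:
        print(name, report(pem))
```

To run it against real files, pass the text of cert.pem, chain.pem or fullchain.pem to `report()`; the private key never needs to be read for this check.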