Certbot creates cert.pem without intermediate certificate

My domain is:
mail.protorg.msk.ru

I ran this:
I use certbot to renew the certificate for my mail server. I installed certbot, and at first sight the renewal of the certificate works, but not all applications accept the certificate after renewal and some show the old certificate (e.g. Mozilla Thunderbird, Apple Mail). If we check the certificate with SSL Server Test (Powered by Qualys SSL Labs), it says OK.

It produced this output:

The problem is that certbot includes in the file cert.pem only the first intermediate certificate, but not the second (in fullchain there is a chain of 3 certificates). So I have to manually add the second certificate to the file cert.pem to make things work.

Could you please tell me how to automatically include 2 certificates in cert.pem with certbot? Thank you!

My web server is (include version):

The operating system my web server runs on is (include version): SMP Debian 4.19.146-1 (2020-09-17) x86_64

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

cert.pem is just the leaf certificate; fullchain.pem is what you are looking for.

3 Likes

Indeed I have to manually copy the second intermediate certificate from fullchain to cert.pem. Without it Thunderbird will not work.

chain.pem = just intermediates
cert.pem = leaf certificate
fullchain.pem = leaf+intermediates

you just handcrafted fullchain.pem by hand :stuck_out_tongue:

4 Likes

Yes, there are 3 files you've mentioned. To make things work:

  • Fullchain contains 3 certificates,
  • chain.pem should contain the 2nd and 3rd certificates from fullchain,
  • cert.pem should contain the 1st and 2nd certificates from fullchain

But if cert.pem on server contains only one certificate, it will not work for e-mail clients.

What should I do to make it automatic during renewal process?

If you want to use the short chain, ask for it with the

--preferred-chain "ISRG Root X1"

option; it will remove the ISRG Root X1 signed-by DST Root CA X3 certificate from the chain and fullchain files.

3 Likes

No. Cert.pem always contains one certificate. Fullchain contains N certificates, and Chain contains N-1.

N can vary according to what @orangepizza said.

Fullchain is literally cat chain.pem cert.pem

5 Likes

@9peppe

Why Thunderbird and Apple Mail won't accept this? Thunderbird shows expired previous certificate.

Because they need the rest of the chain, to link your certificate to a trust anchor.

At the very least you need to send your leaf certificate and the first intermediate (which is chain.pem if you use --preferred-chain as above).

If you don't use --preferred-chain you will get the current default chain.pem, which includes two intermediates, which is fine too.

But in either case you have to send either cert and chain, or just fullchain.

What is the server software you're trying to configure?

4 Likes

Edit: Turns out it's a bundled solution that does have postfix in it, but manually changing just the postfix conf may damage things, this post of mine may be disregarded?

If it's Postfix: it requires having a privkey and a chain in a single file. I have this bit in my deploy hook to get such a file:

[…]
cd "$RENEWED_LINEAGE" || exit 1
cat privkey.pem fullchain.pem >fullbundle.pem
[…]
2 Likes

I use iRedMail (on nginx, postfix, dovecot etc)

https://docs.iredmail.org/use.a.bought.ssl.certificate.html

  • RHEL/CentOS:
mv /etc/pki/tls/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/pki/tls/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/pki/tls/certs/iRedMail.crt
cp privkey.pem /etc/pki/tls/private/iRedMail.key
  • Debian/Ubuntu, FreeBSD and OpenBSD:
mv /etc/ssl/certs/iRedMail.crt{,.bak}       # Backup. Rename iRedMail.crt to iRedMail.crt.bak
mv /etc/ssl/private/iRedMail.key{,.bak}     # Backup. Rename iRedMail.key to iRedMail.key.bak
cp fullchain.pem /etc/ssl/certs/iRedMail.crt
cp privkey.pem /etc/ssl/private/iRedMail.key
4 Likes

No, it doesn't

3 Likes

The preferred solution for Postfix is having both private key and full chain in one file, only because then one can update the file atomically, avoiding having processes during the time that a certificate is being renewed which load one key but a different certificate. But you can configure postfix with them in different files just fine.

6 Likes
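A deploy hook that does what the two Postfix posts above describe: it first checks that cert.pem holds only the leaf and that fullchain.pem is cert.pem followed by chain.pem (the layout explained earlier in the thread), then writes the key+fullchain bundle atomically. This is an added example, not code from the thread, certbot or iRedMail; the output name fullbundle.pem and placing it inside RENEWED_LINEAGE are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot deploy hook that checks the
# cert.pem / chain.pem / fullchain.pem layout and then builds the single
# key+chain file Postfix wants, written atomically. certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy hooks.

count_certs() {
    # Number of PEM certificate blocks in a file (empty output if unreadable).
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

check_lineage() {
    # cert.pem holds exactly the leaf; fullchain.pem is cert.pem + chain.pem.
    dir=$1
    for f in cert chain fullchain privkey; do
        [ -r "$dir/$f.pem" ] || { echo "missing $dir/$f.pem" >&2; return 1; }
    done
    leaf=$(count_certs "$dir/cert.pem")
    inter=$(count_certs "$dir/chain.pem")
    full=$(count_certs "$dir/fullchain.pem")
    [ "$leaf" -eq 1 ] ||
        { echo "cert.pem has $leaf certificates, expected 1" >&2; return 1; }
    [ "$full" -eq $((leaf + inter)) ] ||
        { echo "fullchain.pem ($full) != cert ($leaf) + chain ($inter)" >&2; return 1; }
    cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem" ||
        { echo "fullchain.pem is not cert.pem followed by chain.pem" >&2; return 1; }
}

build_bundle() {
    # Write privkey + fullchain to a 0600 temp file in the same directory and
    # rename it over the target, so Postfix never reads a half-written bundle.
    dir=$1; out=$2
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$dir/privkey.pem" "$dir/fullchain.pem" >"$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$out"
    else
        rm -f "$tmp"; return 1
    fi
}

main() {
    dir=${RENEWED_LINEAGE:?set by certbot when the hook runs}
    check_lineage "$dir" || exit 1
    build_bundle "$dir" "$dir/fullbundle.pem" || exit 1
}

# Run only when certbot invokes the hook; when sourced, just define functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Register it with --deploy-hook or drop it in /etc/letsencrypt/renewal-hooks/deploy; on an iRedMail host the caveat above about not editing Postfix directly still applies.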

Well, maybe so. But the docs suggest:

With Postfix ≥ 3.4 the preferred way to configure server keys and certificates is via the "smtpd_tls_chain_files" parameter.

Edit: @petercooperjr beat me by a few seconds :stuck_out_tongue_winking_eye:

2 Likes

Ok. What a mess. Somebody should probably open an issue with the generator.

3 Likes

But he's using a bundle for SMTP/IMAP (and possibly webmail); editing Postfix settings directly would be like editing the Apache config on a cPanel server: while you can, it won't go well.

6 Likes

Thank you! Unfortunately some people use Apple Mail and have a similar problem.

About "Use a bought SSL certificate":
I believe "cp fullchain.pem /etc/ssl/certs/iRedMail.crt" and "cp privkey.pem /etc/ssl/private/iRedMail.key" are not used.
The files in /etc/ssl/private/*** are used:

1 Like

I am not sure I like what I read here, but I suppose it works:

https://docs.iredmail.org/letsencrypt.html

3 Likes

I'm not sure what I'm failing to do in this doc ("Request a free cert from Let's Encrypt"), because everything works except what I mentioned.