Dovecot issues regarding: Intermediate/chain certificate to link it to a trusted root certificate

Hi All

I've looked through the forums but haven't found something that has solved my problem. I've installed Letsencrypt, but the only problem I'm having is with my dovecot server. Going into https://www.sslshopper.com/ssl-checker.html I checked my site. Postfix is working well, however my dovecot isn't - this is on port 995. The error says:
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate"
However, from reading around, I gather that dovecot needs a fullchain.pem file, and then a link to the private key. I have both in there, and double checked they are correct, however I'm still getting the error from sslshopper.com....
Here is my /etc/dovecot/conf.d/10-ssl.conf file:

# SSL settings

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/dovecot/private/fullchain.pem
ssl_key = </etc/dovecot/private/privkey.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =

# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based systems.
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# DH parameters length to use.
#ssl_dh_parameters_length = 1024

# SSL protocols to use
#ssl_protocols = !SSLv3

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = no

# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =

# SSL extra options. Currently supported options are:
#   no_compression - Disable compression.
#   no_ticket - Disable SSL session tickets.
#ssl_options =

My fullchain.pem file:

Then my privkey.pem file:

-----BEGIN PRIVATE KEY-----
[redacted]
-----END PRIVATE KEY-----

So the question is: why is this not working correctly?
I'm using virtualmin, but this shouldn't make a difference, as it uses standard config files etc.

Any help would be appreciated.

I’ve edited the private key out of your post, but if it was the private key for a real certificate, you need to revoke it, and issue a new certificate with a new key.

@mnordhoff oops - sorry, that was my mistake, I wasn’t even thinking…
I’ll redo my certificate now…

It’s signed by LE X3, so it’s a real cert.

@mnordhoff I’ve revoked as per the link you sent, thanks. Just checking though. I’ve re-requested from letsencrypt, and my public key looks the same as the old one… is this correct - as I would suspect that this would need to be different?

@orangepizza
Yes when I looked at the certificates, they did look correct, but that is why I wondered why https://sslshopper.com showed an error, but only regarding dovecot?

Hi, just giving this a bump for the Dovecot gurus out there…

The key looks different to me, what makes you say it looks the same?

I can see that your server is only sending the leaf certificate and not the intermediate, but I don’t know why, sorry. My 10-ssl.conf is identical to yours (except for the filenames) and is serving the intermediate as expected. I’m not using virtualmin though. Maybe the filename is overridden in another configuration file?

Is virtualmin obtaining the certificate? Or are you using something else e.g. certbot?

Hi @jmorahan
Sorry for getting back to you so late; unfortunately I never received a response in my email to this thread, so I’m not sure if the notifications weren’t working. I just came back now to see if I could find something else, and got your response.
Regarding the certificate, yes I had assumed that it looked correct. I’ve sent a message to the virtualmin support forum, but have not received a reply on that one.
I’m currently using virtualmin to generate the Letsencrypt certificate. This is working well generally, but the dovecot issue is something I’m trying to work around. I’m fairly new to virtualmin, so still learning the ropes there, but I’ve tried a whole lot of things. The other thing I could maybe try is using certbot instead, however I was loath to do this, as I’d then have to set up some cron jobs etc to get it all working correctly - as in getting the updated certificates etc. Does certbot handle the updates by itself, or would I need to set up a cron job etc?

Hi All

I’ve managed to find a solution. This could just be applicable to the virtualmin implementation.
Basically there seems to be a configuration error with virtualmin; I’m not sure about other systems. In the dovecot.conf file, it seems that virtualmin is placing entries under the “!include_try local.conf” section. Basically this points to certs for the individual virtual servers that are created. What is happening is that the cert is pointing to /home/username/ssl.cert, whereas it should be pointing to /home/username/ssl.combined. This was causing the issues I was having with dovecot. I went in and commented out the section for the mail server I set up, and now everything works correctly. I did have the correct entries in /etc/dovecot/conf.d/10-ssl.conf pointing to the certificates, but the issue above in /etc/dovecot/dovecot.conf was causing the problem.

Hope this helps others out there.
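An added check that reproduces the misconfiguration described in this post (example code written for this thread, not Dovecot's or Virtualmin's own tooling). It walks a Dovecot config in include order, records every `ssl_cert = <file` setting per scope, and counts the certificates in each referenced file, so a leaf-only override of conf.d/10-ssl.conf stands out. It assumes Dovecot's later-setting-wins include order and a `local_name` block as the overriding section (the post only says the entries sit under the `!include_try local.conf` line); the paths, hostname and PEM contents in `audit_demo()` are constructed placeholders.

```python
import glob, os, re, tempfile

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def cert_count(path):
    """Certificates in a PEM file: 1 means leaf only, so no intermediate is served."""
    with open(path) as fh:
        return len(PEM_BLOCK.findall(fh.read()))

def ssl_cert_paths(conf_path, result=None):
    """Walk a Dovecot config in file order, following !include / !include_try, and record
    each 'ssl_cert = <file' per scope ('global' or a local_name block). Later wins."""
    result = {} if result is None else result
    scope, base = "global", os.path.dirname(conf_path)
    with open(conf_path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            inc = re.match(r"!include(?:_try)?\s+(\S+)", line)
            block = re.match(r"local_name\s+(\S+)\s*\{", line)
            cert = re.match(r"ssl_cert\s*=\s*<(\S+)", line)
            if inc:  # a glob may expand to several files; a missing include_try target is fine
                for path in sorted(glob.glob(os.path.join(base, inc.group(1)))):
                    ssl_cert_paths(path, result)
            elif block:
                scope = "local_name " + block.group(1)
            elif line == "}":
                scope = "global"
            elif cert:
                result[scope] = cert.group(1)
    return result

def audit(conf_path):
    """Each scope -> (cert file, certificate count); a count of 1 is the leaf-only case."""
    return {s: (p, cert_count(p)) for s, p in ssl_cert_paths(conf_path).items()}

def audit_demo():
    """Constructed tree mirroring the thread: 10-ssl.conf has the chain, a later block does not."""
    d = tempfile.mkdtemp()
    fake = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    os.mkdir(os.path.join(d, "conf.d"))
    files = {
        "fullchain.pem": fake * 2,  # leaf + intermediate
        "ssl.cert": fake,           # leaf only
        "conf.d/10-ssl.conf": "ssl = yes\nssl_cert = <%s/fullchain.pem\n" % d,
        "dovecot.conf": "!include conf.d/*.conf\n!include_try local.conf\n"
                        "local_name mail.example.com {\n  ssl_cert = <%s/ssl.cert\n}\n" % d,
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return audit(os.path.join(d, "dovecot.conf"))
```

On a real host, `audit("/etc/dovecot/dovecot.conf")` reports every scope; a count of 1 next to a `local_name` entry is the leaf-only override this post describes.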
