I am successfully using the Let's Encrypt certs with stunnel4 on my Debian stable system. I'm now trying to use it with the starttls support in qpsmtpd, but I find the documentation for it opaque. The documentation for the configuration command itself says:
tls [ cert_path priv_key_path ca_path dhparam_path ]
Path to the server certificate file. Default: ssl/qpsmtpd-server.crt
Path to the private key file. Default: ssl/qpsmtpd-server.key
Path to the certificate authority file. Default: ssl/qpsmtpd-ca.crt
The instructions for the "tls" option on https://wiki.qpsmtpd.org/plugins gives an example:
server.key (private key) server.crt (signed public key) CA.crt (certificate authority key)
For a self-signed certificate, enter the following line in config/plugins:
tls /full/path/to/server.crt /full/path/to/server.key /full/path/to/CA.crt
For a certificate signed by a CA such as DigiCert, which is signed by Entrust (ie chained):
cat server.crt DigiCertCA.crt TrustedRoot.crt > cert-bundle.pem
tls /full/path/to/cert-bundle.pem /full/path/to/server.key /full/path/to/DigiCertCA.crt
I've tried using Let's Encrypt's fullchain.pem as the first argument to TLS, privkey.pem as the second, and IdenTrust_Public_Sector_Root_CA_1.crt, as the third, and a few other permutations, but I always get the following error in the qpsmtpd log:
Cannot locate cert/key! Run plugins/tls_cert to generate
plugins/tls_cert only generates a self-signed certificate, so that's no help.
Does anyone have any suggestions as to what options I should use to get qpsmtpd to use my certificate?