Intermediate certificate for Let's Encrypt

yumihiime · October 31, 2016, 3:33pm

I have set up Let’s Encrypt encryption on my server, and thereafter a tutorial to set up a mail server (dovecot and postfix) on the same server (ubuntu server 16.04 with nginx). In the process I also created two email addresses for that domain, that I was hoping to use through the mail client Mail. However, I get the error “unable to verify account name or password”, and on http://www.checktls.com/perl/TestReceiver.pl I get the following error:

strong text[001.075] Cert NOT VALIDATED: unable to get local issuer certificate
[001.075] this may help: What Is An Intermediate Certificate
[001.075] So email is encrypted but the domain is not verified
[001.075] ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075] Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076] So email is encrypted but the host is not verified

As far as I can tell, the problem is with the implementation of the certificate. What steps can I take to solve this issue?

Osiris · October 31, 2016, 3:43pm

Use fullchain.pem in stead of cert.pem.

yumihiime · October 31, 2016, 3:44pm

Okay, will try. Sorry if it’s a stupid question, but do you mean in configuration file for dovecot or nginx or?

mnordhoff · October 31, 2016, 3:58pm

Both of them, actually.

yumihiime · October 31, 2016, 4:23pm

Hmm, odd. Because now I have:

on /etc/postfix/main.cf:

smtpd_tls_cert_file=/etc/letsencrypt/live/mysite.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mysite.com/privkey.pem

on /etc/dovecot/conf.d/10-ssl.conf:

ssl_cert = </etc/letsencrypt/live/mysite.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mysite.com/privkey.pem

and on /etc/nginx/sites-available/default:

ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

still same error tho...

mnordhoff · October 31, 2016, 4:26pm

Hard to say what’s wrong without more information. I’m not personally a Dovecot or Postfix expert, but i assume that configuration is correct.

Perhaps the configuration was broken before and the daemon hasn’t been reloaded/restarted since you fixed it?

What’s the real hostname in question?

It’s possible that test tool just doesn’t recognize Let’s Encrypt.

serverco · October 31, 2016, 4:27pm

I’ll ask the silly but obvious question … have you restarted postfix, dovecot and nginx ? to pick up the config changes.

LwsBtlr · November 9, 2016, 10:49am

I am getting the same error when I do

openssl s_client -connect mail.covisp.net:993

and I have the full chain.pem set as the cert in dovecot.conf and the privacy.pem set as the key.

I have restarted dovecot since making the change, but I get

#  openssl s_client -connect mail.covisp.net:993
CONNECTED(00000003)
 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 verify error:num=20:unable to get local issuer certificate
 verify return:0
---
 Certificate chain
  0 s:/CN=covisp.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
 Server certificate
-----BEGIN CERTIFICATE-----

mnordhoff · November 9, 2016, 10:54am

I think your server is actually correct. Either you’ve fixed it since posting, or openssl s_client is having trouble finding the correct CA certificate. (You’d think every OS would make sure that works by default, but you would be wrong.)

$ openssl s_client -connect mail.covisp.net:993
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = covisp.net
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=covisp.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

“What’s My Chain Cert?” also says it’s okay:

https://whatsmychaincert.com/?mail.covisp.net:993

LwsBtlr · November 9, 2016, 11:05am

That’s very odd, that is not what I get running openssl locally (that is, from mail.covisp.net’s command-line or from other local machines, nor from my laptop connected to my home connection. I have php56-openssl-5.6.27 installed, which is the newest version out of perts.

serverco · November 9, 2016, 11:23am

I get the same as @mnordhoff

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

$ openssl s_client -connect mail.covisp.net:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = covisp.net
verify return:1
---
Certificate chain
 0 s:/CN=covisp.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

LwsBtlr · November 9, 2016, 6:28pm

It seems despite having the newest php-openssl, the underlying openssl version is old.
OpenSSL 1.0.1p-freebsd 9 Jul 2015

I’ll try to figure out how to update that.

Ah. So I have openssl (v1.0.2) installed /usr/local/bin/openssl , but there was an old version at /usr/bin/. moved it aside and now I get the same results. Will need to update everything. Thanks for the pointers, and least I’m one step closer.

system · December 9, 2016, 6:28pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.