LetEncrypt How to set rainloop webmail by SSL/TLS?

I register LetEncrypt ca from https://gethttpsforfree.com/ , create the email server ( postfix + dovecot + rainloop webmail ) but i use ssl imap
rainloop show error :

stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

mailog error is:

Disconnected (no auth attempts in 0 secs): user=<>, rip=xx.xx, lip=xx.xx, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48

but i use unibox app or Mac os email client not error

and I help rainloopissues#932
Rainloop say :

RainLoop uses standard php functionality to work with ssl connections. So, you should setup ssl (let's encrypt ssl ca) somewhere in php.ini, I think.

the postfix setting is :

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = domain.com
myhostname = mail.domain.com
mynetworks =,
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name unkown
smtpd_client_restrictions = reject_rbl_client, permit
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_rhsbl_sender, permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender, permit
smtpd_tls_cert_file = /etc/ssl/certs/chained.pem
smtpd_tls_key_file = /etc/ssl/private/domain.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = lxh.tech
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox
virtual_minimum_uid = 1001
virtual_uid_maps = static:5000

dovecot setting is :

auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
mailbox Junk {
special_use = \Junk
mailbox Sent {
special_use = \Sent
mailbox "Sent Messages" {
special_use = \Sent
mailbox Trash {
special_use = \Trash
prefix =
passdb {
driver = pam
passdb {
args = /etc/dovecot/virtual_passwd
driver = passwd-file
passdb {
driver = pam
protocols = imap pop3
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0666
user = postfix
ssl = required
ssl_cert = </etc/ssl/certs/chained.pem
ssl_key = </etc/ssl/private/domain.key
userdb {
driver = passwd
userdb {
args = uid=vmail gid=vmail home=/home/vmail/%d/%n
driver = static
userdb {
driver = passwd

is setting php openssl support LetEncrypt ca?

I’d suspect that you haven’t got the correct chain files in your SSL setup.

are you happy to provide the domain name ?

The certificate chain for Postfix is correct:

Certificate chain
 0 s:/CN=isth.xyz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Assuming the IP address from $mynetworks is the correct one.

The same for Dovecot on port 993 (IMAPS) and 143 (IMAP + STARTTLS).

from [MiTM] Certificates are not validated? · Issue #332 · RainLoop/rainloop-webmail · GitHub you probably need to set up the locations of the CA file to be trusted by specifying them in application.ini

; Location of Certificate Authority file on local filesystem (/etc/ssl/certs/ca-certificates.crt)
cafile = ""
; capath must be a correctly hashed certificate directory. (/etc/ssl/certs/)
capath = ""

I don't use rainloop, so can't test for certain for you.

Here too. Tried to install it, but for some reason, using the same password for the admin as set in the application.ini didn't work :angry: So I concluded Rainloop s*cks *ss and I deleted it.. :stuck_out_tongue:

1 Like

I register domain is isth.xyz, www.isth.xyz ,mail.isth.xyz and imap & smtp use\ mail.isth.xyz , I disabled rainloop application.ini verify_certificate = Off not error and success use tls
maillog is :

imap-login: Login: user=< edward >, method=PLAIN, rip=, lip=, mpid=18063, TLS, session=<8ApxVNspLQCjLJVu>

and set verify_certificate = on
maillog is:

imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=< Wr0jX9spQwCjLJVu>

I don't know is rainloop not support this ca or i register ca error :worried:

According to php.ini, PHP should be able to auto-detect the capath:

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.

But I checked my own PHP 5.6 with phpinfo() and search for capath: it said “no value”. You could check your phpinfo() and if it also says “no value”, you could try to set it, just like @serverco said above. It probably depends on your Linux distribution what the value should be… On my Gentoo it’s /etc/ssl/certs/.

Thx To Help , verify ca is ok,Before I use php5.4 and I change to 5.6 version update openssl extension is running success

1 Like