Mail SSL Certificates


#1

My domain is: mail.quickbrownfoxes.org

I exported an SSL certificate I generated from my site into my mail server, However I got this error.

This site attempts to identify itself with invalid information.
Certificate is not trusted, because it hasn’t been verified by a recognized authority using a secure signature.

ScreenShot

I’m not sure where I went wrong here.
Thanks for any help!


#2

Usually this type of error suggests that your mail server is not presenting the Intermediate CA certificates. These are certificates which prove that the entity which signed your certificate (Let’s Encrypt Authority X3) was in turn trusted by another entity and so on back until it reaches a “root trusted” CA certificate. Some clients can guess or cache the right ones, but not all, so you should ensure your mail server software knows to present them.

If you think your mail server is already presenting the Intermediates, try opening that Details tab in the Certificate Viewer window you showed, and screenshot that so we can see it.

Depending on how you got certificates issued (e.g. using certbot?) the extra data you need may be in a file named chain.pem next to the cert.pem you already copied across. But we can’t tell you how to configure your mail server without a lot more details, try reading the documentation for mention of how to configure “Intermediate CA certificates” or a “certificate chain”. If it says you can just run all the certificates, including yours together in a single file, certbot already provides that as fullchain.pem


#3

Yep you’re right. I clicked on the details tab. No intermediate certificates are shown.
No intermediate certs

I used the ACMESharp libraries to get them issued.
I’m not sure exactly the chain of certs and where I can find them.
For my mailserver (hMailserver) I’m supposed to chain the certificates like so:

-----BEGIN CERTIFICATE-----
content from your_domain_com.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content from COMODORSADomainValidationSecureServerCA.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content from COMODORSAAddTrustCA.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
content from AddTrustExternalCARoot.crt
-----END CERTIFICATE-----


#4

@vincentchu37, it would be good to figure out how ACMESharp intends for this to work so that you don’t have to find an ad-hoc solution.

However, the intermediate certificate that you need at the moment is probably going to be the cross-signed X3 intermediate available at the top of

https://letsencrypt.org/certificates/


#5

The ACMESharp wiki section “Export Issuer Certificate” (right down the bottom of the Quick Start guide as I write this) seems to be how you’d properly get the appropriate Intermediates to go with any particular certificate you obtained via ACMESharp.

It’s probably a good investment of time to learn how this works if you intend to keep using ACMESharp, but hopefully I’ve pointed you in the right direction. @schoen’s instructions will work fine for now, this is just to help you learn for the future.


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.