No path found from the leaf certificate to any root gmail pop3

I am trying to setup gmail to poll for email from my iRedMail server.

As I have done many times in the past, 'Add a mail account' in gmail.

port 995, always use secure

I get:

There was a problem connecting to mail.myallysrv.us Server returned error: "SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing?"
Now sslchecker reports all four levels are present for both mail.myallysrv.us and myallysrv.us.

I still get the same error. This is a new server. I have never gotten pop3 connection to work.

My domain is: myally.us

I ran this command: certbot certonly --nginx

It produced this output: cert files seem fine

My web server is (include version): nginx 1.14.2

The operating system my web server runs on is (include version): debian 10

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0

2 Likes

You need to configure your pop server to use the full SSL Certificate chain.

It appears you are using Dovecot and only configured the RapidSSL certificate you purchased, not the full chain.

See Dovecot SSL configuration — Dovecot documentation

openssl s_client -showcerts -connect  mail.myallysrv.us:995 -servername  mail.myallysrv.us
CONNECTED(00000003)
depth=0 CN = myallysrv.us
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = myallysrv.us
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=myallysrv.us
   i:/C=US/O=DigiCert Inc/CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
-----BEGIN CERTIFICATE-----
[certificate PEM body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=myallysrv.us
issuer=/C=US/O=DigiCert Inc/CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2356 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: {REDACTED}
    Session-ID-ctx: 
    Master-Key: {REDACTED}
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket: {REDACTED}
    Start Time: 1629471906
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Dovecot (Debian) ready.
-ERR Disconnected for inactivity.
closed

2 Likes
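The s_client transcript above shows the symptom directly: the "Certificate chain" section lists a single entry (the leaf, issued by the RapidSSL intermediate) and the verify return code is 21. The following script is an added example, not code from the thread or from Dovecot; it parses a saved `openssl s_client -showcerts` transcript offline and reports whether the server sent only its leaf, whether each certificate sent is actually the issuer of the one before it, and what verify code OpenSSL reported. The two transcripts embedded in it are constructed samples (hostnames and CA names are made up, PEM bodies omitted).

```python
"""Diagnose a captured 'openssl s_client -showcerts' transcript for a
missing intermediate.  Added example; it only parses text, so it needs no
network access.  In practice the transcript would come from something like
  openssl s_client -showcerts -connect host:995 -servername host </dev/null 2>&1
"""
import re

# Constructed sample: the shape s_client prints when a POP3S server sends
# only its leaf certificate (PEM bodies omitted).
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.example.test
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample of a server that also sends the intermediate.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=mail.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
"""

# One chain entry: an index, a subject line, and an issuer line on the next line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for _, s, i in ENTRY.findall(transcript)]


def verify_code(transcript):
    """Return the numeric 'Verify return code' OpenSSL printed, or None."""
    m = re.search(r"Verify return code: (\d+)", transcript)
    return int(m.group(1)) if m else None


def diagnose(transcript):
    """Return 'ok' or a ';'-separated list of problems found in the transcript."""
    chain = parse_chain(transcript)
    if not chain:
        return "no certificates in transcript"
    problems = []
    # Each certificate after the first must be the issuer of the one before it.
    for n in range(1, len(chain)):
        if chain[n][0] != chain[n - 1][1]:
            problems.append(f"cert {n} ({chain[n][0]}) is not the issuer of cert {n - 1}")
    subject, issuer = chain[-1]
    # A lone, non-self-signed certificate means the intermediate was never sent.
    if len(chain) == 1 and subject != issuer:
        problems.append("server sent only the leaf; intermediate(s) missing")
    code = verify_code(transcript)
    if code not in (0, None):  # 0 means the chain verified; 20/21 are the classic failures
        problems.append(f"openssl verify return code {code}")
    return "ok" if not problems else "; ".join(problems)


if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(f"{name}: {diagnose(sample)}")
```

Subject and issuer lines are compared as plain strings, so the script works with both the older `s:/CN=...` and the newer `s:CN = ...` formatting of s_client as long as one transcript is consistent with itself. A result of "ok" from this check does not replace a real trust-store verification, but it tells you in seconds whether the mail daemon is serving its full chain or just the leaf, which is exactly what Gmail's error is complaining about.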

dovecot example from me:
ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem

I noticed that the cert is for myallysrv.us, www.myallysrv.us,
not for mail.myallysrv.us.

3 Likes

According to the certificate logs (crt.sh | myallysrv.us) you have issued a Let's Encrypt certificate for myallysrv.us and mail.myallysrv.us recently.

What's the output of certbot certificates ?

2 Likes

Per dovecot docs I changed both (/etc/dovecot/ and /usr/share/dovecot/) conf.d/10-ssl.conf files to point to the certs that work so well in nginx and rebooted. LetsEncrypt is picked up but only the first cert is recognized. I verified that the ssl_cert file has four certs.
ssl_cert = </opt/iredmail/ssl/combined.pem
ssl_key = </opt/iredmail/ssl/key.pem

I am using the canned iRedMailEasy setup. There is a cert.pem for nginx.

2 Likes

The two most likely scenarios:

  1. You have an older version of dovecot that does not support this properly.
  2. There is some element of human error on your part.

Try searching this forum for "dovecot". There are a handful of problems that were solved in the past. One of those situations might mirror your current setup and be applicable.

Sorry to not be of more help, but this is all that I can think of with the information provided.

2 Likes

What's that?

2 Likes

A service which accessed my server and setup Maria, Dovecot ... for me.

I updated /run/dovecot/dovecot.conf to point to the full cert and it is working well.

2 Likes

As I understood it on the iredmail homepage, iredmail is the graphical interface and uses other standard programs such as dovecot, postfix etc.
I think the iredmail support forum might be of further help.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.