I get that server.crt as it is every 3 months automatically from le32.exe - manually deleted the root cert out of the 3 in 1 server crt but didn't change anything?
If you have LE32 v0.38, try using this parameter:
-alternative <num> : Save an alternative certificate (if available).
[which may help to create the shorter chain for you automatically]
Cool, do you have a link to an overview of all available LE32 parameters? Couldn't find this documentation yet.
But changing that one manually didn't have any effect anyway
This is all I have:
Releases · do-know/Crypt-LE · GitHub
Note: LE32/64 are provided (compiled and maintained) by a third party (not by LE).
Which <num> did you try?
I manually tried removing the last (cross-signed root) cert from the file with those three certs.
Then I would suggest trying another CA.
Maybe that trust path will work better with your use case.
Hmm
There is only 1 active intermediate cert: Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates
Regards
Yes.
Technically R4 can also be used as intermediate, but it is just there in case something goes terribly wrong with R3.
Maybe I misunderstand the problem but the certificate returned by mail.schagerer.com does not look right:
openssl s_client -connect mail.schagerer.com:465
CONNECTED(00000003)
depth=0 CN = webforum.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = webforum.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=webforum.eu
i:/C=US/O=Let's Encrypt/CN=R3
---
That is just the leaf certificate. Your mail server is not sending the same chain as your http server which sends this:
openssl s_client -connect support.webboard.org:443 -servername support.webboard.org
Certificate chain
0 s:/CN=webforum.eu
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Notice your mail server sends just one cert, this server sends two ending in ISRG Root X1 (the new "short chain").
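The comparison made in the post above can be automated. This is an added example, not part of the original thread: it parses the "Certificate chain" section of `openssl s_client` output and flags a server that sends only the leaf. The function names are hypothetical, and the two sample inputs are constructed from the listings quoted in the thread.

```python
import re

# Constructed samples: the two "Certificate chain" listings quoted in the thread.
MAIL_OUTPUT = """\
Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
---
"""
WEB_OUTPUT = """\
Certificate chain
 0 s:/CN=webforum.eu
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_section, subject = [], False, None
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            in_section = True
        elif in_section and line == "---":
            break
        elif in_section:
            m = re.match(r"(?:\d+\s+)?([si]):\s*(.+)", line)
            if m and m.group(1) == "s":
                subject = m.group(2)
            elif m and subject is not None:
                chain.append((subject, m.group(2)))
                subject = None
    return chain

def check_chain(chain):
    """List problems a client without cached intermediates would hit."""
    if not chain:
        return ["no certificates found in output"]
    problems = []
    # Each certificate must be issued by the next one the server sends.
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:
            problems.append(f"cert {i} issuer is not the subject of cert {i + 1}")
    leaf_subject, leaf_issuer = chain[0]
    if len(chain) == 1 and leaf_subject != leaf_issuer:
        problems.append(f"leaf only: intermediate '{leaf_issuer}' is not sent")
    return problems
```

Run against saved `openssl s_client` output for each port to see whether the mail and web services present the same chain.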
I get that server.crt as it is every 3 months automatically from le32.exe - there are 3 certs inside (leaf, inter, root), apache and hmailserver both use the same server.crt. Apache additionally has the intermediate cert configured in htaccess. So from the 3-in-1 server crt, only the leaf cert seems to be considered by both hmailserver and apache (since the http server seems to not send the root cert)?
I extracted all 3 certs of the server crt file into separate files, and when I open the crt file attributes and see their properties, they are the 3 of the new chain.