Whats the "ca" file / Does LetsEncrypt even create one?



I’m trying to setup a mail server and I want to use my lets encrypt certificate for it.
Dovecat require a “ca” file in their configuration, but what is “ca” for? Does LetsEncrypt create one?


Hi @m8Flo, this probably refers to the intermediate certificate from the certificate authority that issued the certificate.

If you’re using Certbot (formerly letsencrypt), this file will be saved as chain.pem in the /etc/letsencrypt/live/example.com directory corresponding to your domain.

(The certificate chain consisting of one or more intermediate certificates is necessary in order to prove to (some) clients that the issuer of the certificate is itself trusted as a certificate authority, since in modern practice the issuer is never a root CA.)


Why do you require a “ca” file? Are you planning certificate based client authentication?

If yes: Let’s Encrypt doesn’t issue client certificates, so that’s no option anyway.
If no: you only need ssl_cert (=“fullchain.pem”) and ssl_key (=“privkey.pem”) for regular TLS encryption in Dovecot.


The CA file is only used for client certificate authentication. It’s when users authenticate with a certificate instead of a username and password. You probably aren’t using that.

According to the Dovecot documentation, you should use the “fullchain.pem” for the ssl_cert directive.


Sorry, I seem to have misinterpreted what this is for and so my answer above is probably not relevant in this case.


Some more informations:
After installing dovecot and postfix I tried the server using openssl s_client -starttls smtp -crlf -connect domain.tld:587

Response was "No client certificate CA names sent"
At the end it showed “Verify return code: 21 (unable to verify the first certificate)”

Edit: Problem was fixed after using fullchain as cert file. Thanks to @motoko & @Osiris


As an addition to an already fixed problem: this item in the response of s_client is normal :wink: Unless you’re really trying to do certificate client authentication. Which by the way is pretty cool, I have my own “CA” (with just a few OpenSSL commands) with my own root and my own intermediate and leaf/user certificates. Not useful for regular TLS, but for secured stuff very neat.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.