Topic: SSL on https without chain
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: centos7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? n
When I enter this in Mozilla:
https://mail.myorg.pl/mail
I receive:
Issuer not known
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Chain:
-----BEGIN CERTIFICATE-----
XXXX many letters
-----END CERTIFICATE-----
Apparently Mozilla doesn't see the chain; I see only one BEGIN/END section in this Mozilla message.
In Linux:
I combined 2 files, my cert and the chain, into one file; it looks like this:
[root@mail certs]# cat /etc/pki/tls/certs/iRedMail.crt
-----BEGIN CERTIFICATE-----
my cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
chain 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
chain 2
-----END CERTIFICATE-----
[root@mail certs]#
In /etc/httpd/conf.d/ssl.conf, the paths to the private key and the combined crt:
SSLCertificateFile /etc/pki/tls/certs/iRedMail.crt
SSLCertificateKeyFile /etc/pki/tls/private/iRedMail.key
From Linux:
[root@mail certs]# openssl s_client -quiet -connect mail.myorg.pl:443 -showcerts
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=21:unable to verify the first certificate
verify return:1
Without -quiet:
(here there is only one BEGIN/END section)
[root@mail certs]# openssl s_client -connect mail.myorg.pl:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.myorg.pl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Provided by DOMENY.PL sp. z o.o./OU=Domeny.pl SuperFAST SSL/CN=mail.myorg.pl
i:/C=PL/ST=Ma\xC5\x82opolskie/L=Krak\xC3\xB3w/O=DOMENY.PL sp. z o.o/CN=DOMENY SSL DV Certification Authority
-----BEGIN CERTIFICATE-----
MIIF
XXXXXX
0ZuH9pDV
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Provided by DOMENY.PL sp. z o.o./OU=Domeny.pl SuperFAST SSL/CN=mail.myorg.pl
issuer=/C=PL/ST=Ma\xC5\x82opolskie/L=Krak\xC3\xB3w/O=DOMENY.PL sp. z o.o/CN=DOMENY SSL DV Certification Authority
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2089 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 546DCDAC43C269E134BD907A714E6F431C89803534EAF1C8D869AFACF6820AB4
Session-ID-ctx:
Master-Key: EAE5B697619809131BD2C6C1DC08242524D51EEDC60F96227757FECDB701680EC7BFDF7255D334A8368871EF4F9B3D35
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 7e bc 8d 30 d3 31 4d 68-16 45 9f a1 d9 39 2a a8 ~..0.1Mh.E...9*.
0010 - 4e 9d 98 36 15 cb ec aa-30 c3 71 16 52 e6 81 30 N..6....0.q.R..0
0020 - 3e 75 83 e6 6b c7 03 38-52 2d e9 37 db dc bb 2b >u..k..8R-.7...+
0030 - 08 d3 5a 81 b4 d2 28 c6-24 16 00 ba b4 5d 19 d9 ..Z...(.$....]..
0040 - a8 1c f8 66 fa 3a 49 5d-a5 ac 65 86 c9 f5 71 67 ...f.:I]..e...qg
0050 - 5d a6 12 58 db b5 86 b7-aa c6 72 26 d4 80 ee f2 ]..X......r&....
0060 - 17 5f fc a7 fe 0c 43 9e-42 08 69 7c 7b 73 88 2b ._....C.B.i|{s.+
0070 - df f2 d5 17 83 e8 2e b8-60 a4 44 9e 82 7a 2f 24 ........`.D..z/$
0080 - ee 59 a4 49 c1 3a a5 85-94 34 85 d0 6b 21 37 d0 .Y.I.:...4..k!7.
0090 - 0e c9 c7 40 1c 20 8d c6-04 e1 69 ef 57 7d 46 f6 ...@. ....i.W}F.
00a0 - f1 7a 5d c0 02 4c 2e ed-db 42 4f 27 1d f6 fc f6 .z]..L...BO'....
00b0 - 40 2c 66 95 84 57 73 8e-0e 76 f1 9a 49 3b 57 23 @,f..Ws..v..I;W#
Start Time: 1509713163
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0
I have no idea what is wrong. Many times I copied the key, chain and cert from the issuer. The issuer says that those files are OK. Key/cert verified; they are OK.
Apache doesn't serve the chain, I suppose.
I combined iRedMail.crt in two ways, with the cat command and in Windows; both look OK in cat and vi.
I'm considering buying a new cert, no idea...
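The two checks the post is circling around, as an added example that is not part of the original post or of iRedMail: a POSIX shell script that builds a throwaway root -> intermediate -> leaf chain with openssl (the host name mail.example.org, the CA names and all file names are the example's own), concatenates leaf and intermediate the way the post does, and then answers two questions separately: how many certificates a file (or a live server) presents, and whether the first certificate in the combined file actually verifies through the certificates that follow it. Keeping the two apart matters because a combined file can be perfectly valid on disk and still never leave the server: Apache httpd versions before 2.4.8 read only the first certificate from SSLCertificateFile and take the intermediates from SSLCertificateChainFile, and CentOS 7 ships httpd 2.4.6.

```shell
#!/bin/sh
# Added example (not from the post or iRedMail): separate "how many certificates
# are presented" from "does the first certificate verify through the rest".
# mail.example.org, the CA names and every file name below are made up here.
set -e

count_certs() {
    # Number of PEM certificate blocks in the given file (or on stdin when
    # called with no argument); prints 0 instead of failing when there are none.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$@" || true
}

count_served_certs() {
    # $1 = host, $2 = port (default 443). Counts what the live server really
    # sends in its Certificate message, the same view as the post's
    # "openssl s_client -showcerts"; -servername sends SNI. Needs network.
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | count_certs
}

make_demo_chain() {
    # $1 = scratch directory. Builds root -> intermediate -> leaf, then writes
    # combined.pem (leaf first, intermediate after: the order Apache and OpenSSL
    # expect, the first certificate being the one served as the server cert)
    # and leaf-only.pem (what a browser gets when the chain is never served).
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:mail.example.org
EOF
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_root -newkey rsa:2048 \
        -nodes -sha256 -days 2 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$d/intermediate.key" -out "$d/intermediate.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/intermediate.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_intermediate \
        -out "$d/intermediate.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.org" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$d/leaf.csr" \
        -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/intermediate.pem" > "$d/combined.pem"
    cp "$d/leaf.pem" "$d/leaf-only.pem"
}

verify_combined() {
    # $1 = combined PEM file as installed for Apache, $2 = trusted root.
    # Returns 0 only if the FIRST certificate chains to $2 through the
    # certificates that FOLLOW it in the same file. With no intermediates
    # present this reproduces the post's error 20,
    # "unable to get local issuer certificate".
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
                        f { print > f }' "$1"
    : > "$tmp/untrusted.pem"
    for c in "$tmp"/cert-*.pem; do
        [ "$c" = "$tmp/cert-1.pem" ] || cat "$c" >> "$tmp/untrusted.pem"
    done
    if [ -s "$tmp/untrusted.pem" ]; then
        openssl verify -CAfile "$2" -untrusted "$tmp/untrusted.pem" "$tmp/cert-1.pem"
    else
        openssl verify -CAfile "$2" "$tmp/cert-1.pem"
    fi >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh chaincheck.sh demo                 -> offline walk-through
#        sh chaincheck.sh served HOST [PORT]   -> count what a live server sends
case "${1:-}" in
    demo)
        D=$(mktemp -d)
        make_demo_chain "$D"
        for f in combined.pem leaf-only.pem; do
            printf '%s: %s certificate(s), ' "$f" "$(count_certs "$D/$f")"
            if verify_combined "$D/$f" "$D/root.pem"; then
                echo "first certificate verifies through the rest"
            else
                echo "first certificate does NOT verify (chain missing or wrong)"
            fi
        done
        rm -rf "$D"
        ;;
    served)
        echo "$2 sends $(count_served_certs "$2" "${3:-443}") certificate(s)"
        ;;
esac
```

`sh chaincheck.sh demo` runs the offline walk-through; `sh chaincheck.sh served mail.myorg.pl` counts what the real server sends. A served count of 1 against a combined file holding 3 means the intermediates never left the server, and on httpd 2.4.6 (check with `httpd -v`) the fix is to keep only the server certificate in SSLCertificateFile and point SSLCertificateChainFile at a file holding the intermediates. When the served count is right but browsers still complain, run `verify_combined` against the issuer's root: a failure there means the intermediates in the file do not match the leaf's issuer (here `DOMENY SSL DV Certification Authority`), which calls for the correct intermediate from the issuer rather than a new certificate.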