> What is the best way to get rid of this message? I think clients start generating after ssl crt update.
This usually means you forgot to use fullchain cert. This is coming from clients telling you they don't like your certificate.
openssl s_client -connect xxxxxxxxx:143 -starttls imap
this returns Verify return code: 0 (ok)
Should I test this differently?
Even if I check on the host directly
[@ certs]# openssl verify xxxxx.crt
/xxxx.crt: OK

Well, can't really say much since you're not really providing any details.
I don't seem to get any more details with verbose_ssl=yes. How can I see what cert/ssl-config this could be? I still have some old configs, maybe some clients use that.
Why not just look at your ssl_cert parameter in 10-ssl.conf and then inspect the file it points to? Does it have a single certificate or more than one?
I already did. Always annoying having everything in one file, and checking what you need to change. Better is to have the chain separate so you only have to update the crt file. Like e.g. in apache httpd.
Are you expecting to need a chain/intermediate certificate?
I am expecting nothing :) I am just removing config issues that produce error logs. Last few years clients are more picky about correct chains. As long as letsencrypt is doing most encryption, what is the point of doing encryption at all.
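
The check suggested in the thread (does the file behind ssl_cert hold one certificate or more than one?), as an added example that is not part of the original messages. The temporary paths and PEM bodies are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Count the certificates in the file that Dovecot's ssl_cert setting points to.
# One block means leaf only; two or more means a chain is being served.
# This counts PEM blocks only; it does not validate chain order or signatures.

# Print the path from the last "ssl_cert = </path" line of a config file.
# Dovecot's "<" prefix means "read the value from this file".
ssl_cert_path() {
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<[[:space:]]*//p' "$1" | tail -n 1
}

# Count PEM certificate blocks on stdin (grep -c exits 1 on zero matches).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Summarise a certificate file as "no certificate", "leaf only" or "chain of N".
describe_chain() {
    n=$(count_pem_certs < "$1")
    case "$n" in
        0) echo "no certificate" ;;
        1) echo "leaf only" ;;
        *) echo "chain of $n" ;;
    esac
}

# --- constructed sample input (placeholders, not real certificates) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
pem() {
    printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n'
}
pem > "$demo/leaf.pem"
{ pem; pem; } > "$demo/fullchain.pem"
printf 'ssl = required\n#ssl_cert = <%s\nssl_cert = <%s\nssl_key = <%s\n' \
    "$demo/leaf.pem" "$demo/fullchain.pem" "$demo/key.pem" > "$demo/10-ssl.conf"

cert_file=$(ssl_cert_path "$demo/10-ssl.conf")
echo "ssl_cert -> $cert_file: $(describe_chain "$cert_file")"
echo "leaf.pem: $(describe_chain "$demo/leaf.pem")"
```

To count what the server actually sends rather than what is on disk, pipe the `openssl s_client` command from the thread, with `-showcerts` added, into `count_pem_certs`.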