On Fri, 2013-09-13 at 10:18 -0400, Dan Langille wrote:
Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
I have three certs in this chain file:
cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem
1 - the certificate issued by startssl for my server
2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
That is the correct chain method and order.
$ openssl s_client -connect imaps.unixathome.org:993 -quiet
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
Never panic about the above, it is just indicating (rightly so) you have a local certificate (the first) in your chain.
ssl_cert = </usr/local/etc/ssl/imaps.unixathome.org.crt
ssl_key = </usr/local/etc/ssl/imaps.unixathome.org.nopassword.key
Correct method, so long as the cert and key files are named correctly and in the right location.
ssl = required
Bit dangerous... and may be the cause of your problems; change to:
ssl = yes
We use StartSSL and have many Android, BlackBerry, and iPhone users (maybe even win phone Lusers too ;) who knows) amongst desktop/laptop types and never had any problems with them using StartSSL.
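An added example, not part of the original message: a shell check that a concatenated chain file is in the order described above (server certificate, then intermediate, then root) by comparing each certificate's issuer with the next one's subject. The demo CA names, file names and throwaway keys are constructed for illustration and assume the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: verify that a PEM bundle is ordered leaf -> intermediate -> root
# by comparing each certificate's issuer with the subject of the next certificate.

# chain_order_ok BUNDLE: return 0 when every cert is issued by the one after it.
chain_order_ok() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into $dir/cert.1, cert.2, ... (one file per certificate).
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert." n) }' "$1"
    i=1; rc=0
    while [ -f "$dir/cert.$((i + 1))" ]; do
        issuer=$(openssl x509 -in "$dir/cert.$i" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$dir/cert.$((i + 1))" -noout -subject | sed 's/^subject= *//')
        [ "$issuer" = "$subject" ] || { echo "cert $i is not issued by cert $((i + 1))" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# make_demo_chain DIR: build a constructed root -> intermediate -> server chain.
# All names and keys here are made up for the demo; nothing comes from a real CA.
make_demo_chain() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem -days 1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout sub.key -out sub.csr &&
      openssl x509 -req -in sub.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out sub.pem -days 1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=imaps.example.test" -keyout server.key -out server.csr &&
      openssl x509 -req -in server.csr -CA sub.pem -CAkey sub.key -CAcreateserial -out server.pem -days 1
    ) >/dev/null 2>&1
}

# Same concatenation order as in the message: server cert, intermediate, root.
work=$(mktemp -d)
make_demo_chain "$work"
cat "$work/server.pem" "$work/sub.pem" "$work/ca.pem" > "$work/good.chain.pem"
# Deliberately misordered bundle (root before intermediate) for comparison.
cat "$work/server.pem" "$work/ca.pem" "$work/sub.pem" > "$work/bad.chain.pem"
chain_order_ok "$work/good.chain.pem" && echo "good.chain.pem: order OK"
chain_order_ok "$work/bad.chain.pem" || echo "bad.chain.pem: wrong order"
```

The check only compares names; it does not validate signatures or expiry, which `openssl verify` covers.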