[Dovecot] ssl cert for mail server
For testing a new SSL cert. It works OK for browsers, but
openssl s_client -crlf -connect ms1.trailsandtribulations.net:443
=> verify error:num=19:self signed certificate in certificate chain
Is this SSL cert, as it's constructed, OK for mail clients? (I realize it needs to be on the mail port, etc.; right now I'm talking about the cert itself.) I have had problems with Thunderbird, and was wondering if this might be part of the problem.
On 19.09.2012 10:00, cc "maco" young wrote:
> For testing a new SSL cert. It works OK for browsers, but
> openssl s_client -crlf -connect ms1.trailsandtribulations.net:443
> => verify error:num=19:self signed certificate in certificate chain
> Is this SSL cert, as it's constructed, OK for mail clients? (I realize it needs to be on the mail port, etc.; right now I'm talking about the cert itself.) I have had problems with Thunderbird, and was wondering if this might be part of the problem.
Hi,
First of all, this is likely off topic for this ML. I'll still answer though, since I'm always intrigued by TLS problems.
The reason openssl doesn't accept this cert while your browser does is quite likely that your system-wide accepted CAs don't include Starfield Technologies, while your browser's CAs do (this is the case for Firefox and Thunderbird).
However, I suspect that your mail addresses are of the form user@trailsandtribulations.net, and ms1.trailsandtribulations.net is what is in your MX record. As such, the certificate needs to be valid for trailsandtribulations.net, and not ms1.trailsandtribulations.net. So you either need trailsandtribulations.net as your CN, or a SAN of type DNSName for trailsandtribulations.net. Cf. https://tools.ietf.org/html/rfc6125 for best practices on generating certificates.
Regards, Florian
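As an added illustration of the two points in Florian's reply (this is not code from the thread or from Dovecot): a small Python checker that applies the RFC 6125 name-matching rules to a certificate in the dict shape `ssl.getpeercert()` returns, run against constructed sample certs modelled on the thread. The `verify_live` helper is an assumed diagnostic that connects to a direct-TLS mail port and validates the chain against the system CA store, the same store behind the openssl `num=19` error above.

```python
import socket
import ssl
from typing import List

def candidate_names(cert: dict) -> List[str]:
    """RFC 6125 sec. 6.4.4: if any dNSName SAN is present only the SANs
    count and the CN is ignored; the CN is consulted only as a fallback."""
    san = [v.lower() for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if san:
        return san
    return [v.lower() for rdn in cert.get("subject", ())
            for key, v in rdn if key == "commonName"]

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard confined to the left-most label (RFC 6125
    sec. 6.4.3): '*.example.net' matches 'mail.example.net' but neither
    'example.net' nor 'a.b.example.net'."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    head, dot, rest = hostname.partition(".")
    return bool(dot) and head != "" and rest == pattern[2:]

def cert_valid_for(cert: dict, hostname: str) -> bool:
    """Would a client expecting `hostname` (here the mail domain) accept this cert?"""
    hostname = hostname.lower().rstrip(".")
    return any(name_matches(n, hostname) for n in candidate_names(cert))

def verify_live(host: str, port: int, expected_name: str) -> str:
    """Assumed diagnostic for direct-TLS ports (IMAPS 993, POP3S 995): the chain
    is checked against the system CA store (the store behind the thread's
    openssl 'num=19' error) and the name against expected_name."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=expected_name) as tls:
                return "ok: " + ",".join(candidate_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as e:
        return f"verify error: {e.verify_message}"

# Constructed sample certificates (not the real server's), mirroring the thread.
CN_ONLY_MS1 = {"subject": ((("commonName", "ms1.trailsandtribulations.net"),),)}
WITH_SAN = {"subject": ((("commonName", "ms1.trailsandtribulations.net"),),),
            "subjectAltName": (("DNS", "trailsandtribulations.net"),
                               ("DNS", "ms1.trailsandtribulations.net"))}
# CN names the bare domain, but a SAN is present, so the CN no longer counts.
SAN_SHADOWS_CN = {"subject": ((("commonName", "trailsandtribulations.net"),),),
                  "subjectAltName": (("DNS", "ms1.trailsandtribulations.net"),)}
```

A cert with only CN=ms1.trailsandtribulations.net is rejected by a client expecting trailsandtribulations.net, while adding the bare domain as a DNS SAN fixes it; a CN is not a substitute once any DNS SAN is present.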