Hello,

I followed the guide https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl

I got the certificate for the primary domain. Https on the domain works, https://domain.com:8080. I do not get an alert for an untrusted site any longer. PureFTP also seems to be working. It does prompt me on the connection to verify it is a safe connection, but the information listed for the cert appears to be correct.

Email does not work. I cannot connect via email clients. I have only tested Thunderbird. Webmail no longer works either. It works in the sense that I can reach the site. Logins do not work, however. I will list the error below. Perhaps this is just a permissions issue or something, I'm not sure. I have looked around a bit and cannot find anything like this exactly, since the certs appear to work with the other services. I have seen a few errors for postfix TLS, but a ton for dovecot.

I should be able to revert easily enough if need be, but it would be nice to get this working with the mail. Any help would be appreciated, and if I missed seeing something about this readily available, apologies in advance.

Here is some info and a link to a paste of a chunk of mail log from the ISPConfig interface: http://pastebin.com/FsAFBrDT

Here is the relevant section from /etc/dovecot/dovecot.conf

Code:
dovecot --version
1.2.15

ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

Here is the relevant section of the /etc/postfix/main.cf and master.cf. I have tried changing this to /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt as suggested in a comment for the guide, but it didn't seem to change anything.
Code:
main.cf
smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

master.cf
smtp inet n - - - - smtpd
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING

Code:
ls -la /etc/postfix/
total 152
drwxr-xr-x 3 root root 4096 Feb 15 16:53 .
drwxr-xr-x 101 root root 4096 Feb 13 20:46 ..
-rw-r--r-- 1 root root 0 Jan 22 20:42 body_checks
-rw-r--r-- 1 root root 373 Jan 22 20:27 dynamicmaps.cf
-rw-r--r-- 1 root root 0 Jan 22 20:42 header_checks
-rw-r--r-- 1 root root 3725 Feb 15 17:19 main.cf
-rw-r--r-- 1 root root 3638 Jan 23 15:23 main.cf~
-rw-r--r-- 1 root root 3526 Jan 22 20:42 main.cf~2
-rw-r--r-- 1 root root 3430 Jan 22 20:42 main.cf~3
-rw-r--r-- 1 root root 6111 Feb 5 22:48 master.cf
-r-------- 1 root root 5504 Jan 22 20:42 master.cf~
-rw-r--r-- 1 root root 0 Jan 22 20:42 mime_header_checks
-rw-r----- 1 root postfix 231 Jan 22 20:42 mysql-virtual_client.cf
-rw-r----- 1 root postfix 221 Jan 22 20:42 mysql-virtual_domains.cf
-rw-r----- 1 root postfix 218 Jan 22 20:42 mysql-virtual_email2email.cf
-rw-r----- 1 root postfix 317 Jan 22 20:42 mysql-virtual_forwardings.cf
-rw-r----- 1 root postfix 288 Jan 22 20:42 mysql-virtual_mailboxes.cf
-rw-r----- 1 root postfix 252 Jan 22 20:42 mysql-virtual_recipient.cf
-rw-r----- 1 root postfix 224 Jan 22 20:42 mysql-virtual_relaydomains.cf
-rw-r----- 1 root postfix 230 Jan 22 20:42 mysql-virtual_relayrecipientmaps.cf
-rw-r----- 1 root postfix 249 Jan 22 20:42 mysql-virtual_sender.cf
-rw-r----- 1 root postfix 227 Jan 22 20:42 mysql-virtual_transports.cf
-rw-r--r-- 1 root root 0 Jan 22 20:42 nested_header_checks
-rw-r--r-- 1 root root 18992 May 4 2011 postfix-files
-rwxr-xr-x 1 root root 8729 May 4 2011 postfix-script
-rwxr-xr-x 1 root root 24256 May 4 2011 post-install
drwxr-xr-x 2 root root 4096 May 4 2011 sasl
lrwxrwxrwx 1 root root 48 Feb 13 12:02 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
-rw-r--r-- 1 root root 2394 Jan 22 20:42 smtpd.cert_bak
lrwxrwxrwx 1 root root 48 Feb 13 12:03 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
-rw-r----- 1 root root 3243 Jan 22 20:42 smtpd.key_bak

Code:
ls -la /usr/local/ispconfig/interface/ssl
total 56
drwxr-s--- 2 root root 4096 Feb 13 11:57 .
drwxr-s--- 8 ispconfig ispconfig 4096 Jan 22 20:44 ..
-rwxr-x--- 1 root root 45 Jan 22 20:44 empty.dir
-rw-r--r-- 1 root root 2145 Feb 13 11:54 ispserver.crt
-rwxr-x--- 1 root root 2394 Jan 22 20:44 ispserver.crt_bak
-rwxr-x--- 1 root root 1838 Jan 22 20:44 ispserver.csr
-rwxr-x--- 1 root root 3243 Jan 22 20:44 ispserver.key
-rwxr-x--- 1 root root 3311 Jan 22 20:43 ispserver.key.secure
-rw------- 1 root root 8193 Feb 13 11:57 ispserver.pem
-rw-r--r-- 1 root root 2760 Dec 1 21:26 startssl.ca.crt
-rw-r--r-- 1 root root 2805 Feb 13 11:56 startssl.chain.class1.server.crt
-rw-r--r-- 1 root root 45 Dec 1 21:26 startssl.sub.class1.server.ca.crt

When I try to log in to webmail at domain.com/webmail I get this error after a while: "ERROR: Connection dropped by IMAP server."
The CA file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt is missing. Please create that file and add the startssl ssl bundle / chain certificate in this file. Then restart dovecot.
The file is in that directory. It is in the last code snippet on my post. I'll link the contents minus the important bits. Note everything in the code snippet is in the file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

Code:
class1/sha2/pem/sub.class1.server.sha2.ca.pem-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.............
.........................................XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXqmMGqz9Ig
cgA38corog14=
-----END CERTIFICATE-----
The error in your log clearly states that there is a problem with the file /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt. The content of the file does not look right; it seems as if you copied a path "class1/sha2/pem/sub.class1.server.sha2.ca.pem" into that file. Remove everything before "-----BEGIN CERTIFICATE-----" and restart dovecot.
The syntax differs between Dovecot 1 (your version) and Dovecot 2. With 1 it's:

ssl = yes
ssl_cert = < CERT
ssl_key = < KEY
I removed the errant line at the beginning of startssl.chain.class1.server.crt and no more errors from dovecot. I am able to connect again via clients and webmail. I knew it was going to probably be something simple. I just don't have much experience with SSL certs, so I wasn't totally sure what it should look like in there. I'm not sure how that line got there. I'm going to dig through the bash history and see what I did that could have put that in there. I'm certain I followed the guide pretty closely.
I looked through the history and I followed the guide exactly. There are only a few commands that reference that file, one of which being

Code:
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt

and

Code:
cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
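
A structural check that rejects a bundle like the one in this thread before the mail services are restarted, as an added example that is not part of any post above. In the first post's listing startssl.sub.class1.server.ca.crt is 45 bytes, which is the length of the stray path string, consistent with the cat command copying that text in front of the root certificate; the function names, file names and certificate bodies below are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): structural check of a PEM CA bundle.
# Prints the number of certificate blocks; returns non-zero if the file has
# text outside BEGIN/END markers, a broken block, or no certificate at all.
# It checks framing only, not that each block parses as X.509.
check_pem_bundle() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line ends
        /^-----BEGIN CERTIFICATE-----$/ {
            if (inside) { print "line " NR ": BEGIN inside a block" > "/dev/stderr"; bad = 1 }
            inside = 1; next
        }
        /^-----END CERTIFICATE-----$/ {
            if (inside) certs++
            else { print "line " NR ": END without BEGIN" > "/dev/stderr"; bad = 1 }
            inside = 0; next
        }
        /^[ \t]*$/ { next }                     # blank lines are harmless
        inside {
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) { print "line " NR ": not base64" > "/dev/stderr"; bad = 1 }
            next
        }
        { print "line " NR ": text outside a certificate block: " $0 > "/dev/stderr"; bad = 1 }
        END {
            if (inside) { print "unterminated block at end of file" > "/dev/stderr"; bad = 1 }
            print certs + 0
            exit (bad || certs == 0)
        }
    ' "$1"
}

# Constructed stand-ins for the files in the thread: a 45-byte "certificate"
# holding only a path with no trailing newline, and a dummy root block.
make_samples() {
    printf '%s' 'class1/sha2/pem/sub.class1.server.sha2.ca.pem' > "$1/sub.ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
    cat "$1/sub.ca.crt" "$1/ca.crt" > "$1/chain.crt"   # same cat pattern as the thread
    cat "$1/ca.crt" "$1/ca.crt" > "$1/clean.crt"       # two well-formed blocks
}

d=$(mktemp -d) && make_samples "$d"
check_pem_bundle "$d/clean.crt" && echo "clean.crt: ok"
check_pem_bundle "$d/chain.crt" || echo "chain.crt: rejected, fix before restarting dovecot"
rm -rf "$d"
```

A small file size on a downloaded .crt, as with the 45-byte file here, is itself worth checking before concatenating it into a chain.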