postfix ispconfig rapidssl Root CA not found

Discussion in 'ISPConfig 3 Priority Support' started by sumawelt, Nov 18, 2014.

  1. sumawelt

    sumawelt New Member

    Hi everyone,
    I setup ISPConfig according to the tutorial at http://www.howtoforge.com/perfect-s...sl-pureftpd-bind-postfix-doveot-and-ispconfig and secured it according to http://www.howtoforge.com/securing-...h-a-free-class1-ssl-certificate-from-startssl which went fine. Last week the certificate expired and we switched to Rapid SSL an I don't seem to get it running properly. I installed the certificates and encryption works but it seems, the intermediate certificate doesn't work properly because my mail clients complain about missing Root CA.

    According to the tutorial I linked the ispserver.crt and ispserver.key in /etc/postfix:
    smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    and this seems to work but I think I did something wrong with the file that is referred in main.cf as smtpd_tls_CAfile.
    I tried to use the Rapid SSL inermediate certificate with no luck
    Can anyone pls help me to get this straight?
    Best Regards
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    What you described above is all that needs to be done to get a "official" ssl cert in postfix.

    Maybe you added a wrong CA cert in the ca file or you have to add multiple chain certidficates for rapidssl in the ca file.
     
  3. sumawelt

    sumawelt New Member

    Thank you for the hint.
    replacing the RSA SHA-1 SSL Certificates with the RSA SHA-2 SSL Certificates removed the problem with the missing Root CA but now I get:
    4.7.0 TLS not available due to local problem.

    my mail.err shows:
    Nov 18 15:48:12 rohrpostix dovecot: imap-login: Error: read(anvil) failed: EOF
    Nov 18 15:48:12 rohrpostix dovecot: auth: Error: read(anvil-auth-penalty) failed: EOF

    and my email client (The Bat) returns:
    4.7.0 TLS not available due to local problem

    This seems especially strange because apache works fine with exactly these certificate files (and passes all tests using the Rapid SSL certificate checking tool)
     
    Last edited: Nov 18, 2014
  4. sumawelt

    sumawelt New Member

    OK I figured it out now. The RSA SHA-2 SSL Certificates are not the right ones so I reverted back to the RSA SHA-1 Certificates.
    I re-read howto from Rapid SSL and there I found a link to GlobalTrust where customers can manage their certificates: https://products.geotrust.com/orders/orderinformation/authentication.do
    After logging in all the way down below "Additional Certificates" there is a link titled "Certificate Issuer".
    You must click it, copy the the certificates' content on top into the intermediate certificate from RapidSSL, restart your services and your'e done.
    Hope this helps anyone who has problems with Rapid SSL and Postfix / dovecot
     
    arkehost likes this.

Share This Page