Secure ISPConfig3 With A Free Certificate From StartSSL - issues

Discussion in 'HOWTO-Related Questions' started by Ovidiu, Dec 8, 2015.

  1. Ovidiu

    Ovidiu Active Member

    Talking about this howto: https://www.howtoforge.com/securing...-free-class1-ssl-certificate-from-startssl-p2

    All seems fine, but there seems to be an issue when connecting with an email client; it looks like this (pay attention to the part at the bottom)
    - any ideas what could have gone wrong here?
    Code:
    CONNECTED(00000003)
    ---
    Certificate chain
    0 s:/C=DE/CN=alfred.ict-consult.co.za/[email protected]
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
    1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    ---
    ...
        Start Time: 1449558585
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
     
  2. Ovidiu

    Ovidiu Active Member

    One more test:

    Code:
     posttls-finger alfred.ict-consult.co.za
    posttls-finger: Connected to alfred.ict-consult.co.za[51.254.252.80]:25
    posttls-finger: < 220 alfred.ict-consult.co.za ESMTP Postfix (Debian/GNU)
    posttls-finger: > EHLO alfred.ict-consult.co.za
    posttls-finger: < 250-alfred.ict-consult.co.za
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: Matched subjectAltName: alfred.ict-consult.co.za
    posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: subjectAltName: ict-consult.co.za
    posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25 CommonName alfred.ict-consult.co.za
    posttls-finger: certificate verification failed for alfred.ict-consult.co.za[51.254.252.80]:25: untrusted issuer /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: subject_CN=alfred.ict-consult.co.za, issuer_CN=StartCom Class 1 Primary Intermediate Server CA, fingerprint=13:5C:BB:28:AB:7E:DB:1B:81:3F:48:99:FE:72:B8:05:E6:EB:75:A0, pkey_fingerprint=91:39:48:44:F5:D2:9C:9D:60:3E:77:F0:9C:99:E7:64:2D:FD:54:0D
    posttls-finger: Untrusted TLS connection established to alfred.ict-consult.co.za[51.254.252.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    posttls-finger: > EHLO alfred.ict-consult.co.za
    posttls-finger: < 250-alfred.ict-consult.co.za
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-AUTH PLAIN LOGIN
    posttls-finger: < 250-AUTH=PLAIN LOGIN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 DSN
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 Bye
     
  3. sjau

    sjau Local Meanie Moderator

    Btw, you could have a look at Let's Encrypt. The Open Beta started last week and works fine so far. In the future it will be very simple to obtain and renew certs with it. Integration into ISPC is already planned:

    https://www.howtoforge.com/communit...encrypt-ssl-certificates-into-ispconfig.71055

    There's a mod by Alexandre Alouit which already does the integration: https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-4#post-337035

    I currently have my own solution (not modifying ISPC DB stuff directly) which uses the ISPC remote API to finally add the certs:
    https://www.howtoforge.com/community/threads/lets-encrypt-2-ispconfig.71348

    However, as to your question: it seems you are missing the chain certs in your setup.
     
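The check that sjau's diagnosis calls for, as an added example that is not code from the thread or from ISPConfig: it parses the "Certificate chain" block from the first post's openssl s_client output (embedded below as a constructed sample) and reports whether an intermediate is absent from the chain, whether the chain carries a self-signed root, and whether that root is in the client's trusted set. The trusted_roots argument is an assumed stand-in for the mail client's CA store, which is what separates a missing chain cert from a root the client simply does not trust.

```python
"""Sanity-check a server's certificate chain as printed by `openssl s_client`.
Added example for this thread; the trust store is modelled as a set of subject DNs."""
import re

# Constructed sample: the chain block copied from the thread's s_client output.
SAMPLE = """\
Certificate chain
 0 s:/C=DE/CN=alfred.ict-consult.co.za/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
"""

# One "N s:<subject>" line followed by an "i:<issuer>" line per certificate.
PAIR_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in PAIR_RE.finditer(text)]

def check_chain(chain, trusted_roots=()):
    """Walk from the leaf upwards and report what a verifier would run into."""
    subjects = {subj: idx for idx, (subj, _) in enumerate(chain)}
    report = {
        "self_signed": [i for i, (s, iss) in enumerate(chain) if s == iss],
        "missing_intermediates": [],          # issuers nobody in the chain provides
        "root_trusted": False,
        # Strict ordering: each cert's issuer should be the next cert sent.
        "order_ok": all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1)),
    }
    subj, issuer = chain[0]
    seen = {subj}
    while subj != issuer:                     # stop once we reach a self-signed cert
        if issuer in trusted_roots:           # the client already trusts this issuer
            report["root_trusted"] = True
            return report
        if issuer not in subjects:            # the intermediate was never sent
            report["missing_intermediates"].append(issuer)
            return report
        subj, issuer = chain[subjects[issuer]]
        if subj in seen:                      # guard against a looping chain
            break
        seen.add(subj)
    report["root_trusted"] = subj in trusted_roots   # self-signed root reached
    return report
```

For the thread's chain this reports no missing intermediate, a self-signed root at position 1, and an untrusted root unless the StartCom root DN is passed in trusted_roots, which matches the "self signed certificate in certificate chain" and "untrusted issuer" messages in the two outputs.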
  4. Ovidiu

    Ovidiu Active Member

    Thanks, I will look at this and see if I can figure it out. The weird part is that nginx accepts the certificate just fine and Chrome doesn't complain about it; just the mail part of it seems off.

    Will keep an eye on Let's Encrypt but not keen on anything beta at the moment :)

    I've been googling my own problem and found some hints that the resolving name server might not have DNSSEC enabled; looking into that too.
     
  5. sjau

    sjau Local Meanie Moderator

  6. Ovidiu

    Ovidiu Active Member

    Thx but I can't use that as I only use HTTPS on non-default ports :-(
    Anyway, will work through that tutorial once more and hope to figure out the problem somewhere along my way ;-)
     