Talking about this howto: https://www.howtoforge.com/securing...-free-class1-ssl-certificate-from-startssl-p2

All seems fine, but there seems to be an issue when connecting with an email client. It looks like this (pay attention to the part at the bottom). Any ideas what could have gone wrong here?

Code:
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/CN=alfred.ict-consult.co.za/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
...
Start Time: 1449558585
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
One more test:

Code:
posttls-finger alfred.ict-consult.co.za
posttls-finger: Connected to alfred.ict-consult.co.za[51.254.252.80]:25
posttls-finger: < 220 alfred.ict-consult.co.za ESMTP Postfix (Debian/GNU)
posttls-finger: > EHLO alfred.ict-consult.co.za
posttls-finger: < 250-alfred.ict-consult.co.za
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: Matched subjectAltName: alfred.ict-consult.co.za
posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: subjectAltName: ict-consult.co.za
posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25 CommonName alfred.ict-consult.co.za
posttls-finger: certificate verification failed for alfred.ict-consult.co.za[51.254.252.80]:25: untrusted issuer /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
posttls-finger: alfred.ict-consult.co.za[51.254.252.80]:25: subject_CN=alfred.ict-consult.co.za, issuer_CN=StartCom Class 1 Primary Intermediate Server CA, fingerprint=13:5C:BB:28:AB:7E:DB:1B:81:3F:48:99:FE:72:B8:05:E6:EB:75:A0, pkey_fingerprint=91:39:48:44:F5:D2:9C:9D:60:3E:77:F0:9C:99:E7:64:2D:FD:54:0D
posttls-finger: Untrusted TLS connection established to alfred.ict-consult.co.za[51.254.252.80]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO alfred.ict-consult.co.za
posttls-finger: < 250-alfred.ict-consult.co.za
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE
posttls-finger: < 250-VRFY
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
Btw, you could have a look at Let's Encrypt. The Open Beta started last week and works fine so far. In the future it will be very simple to obtain and renew certs with it. Integration into ISPC is already planned: https://www.howtoforge.com/communit...encrypt-ssl-certificates-into-ispconfig.71055 There's a mod by Alexandre Alouit which already does the integration: https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-4#post-337035 I currently have my own solution (not modifying ISPC DB stuff directly) which uses the ISPC remote API to finally add the certs: https://www.howtoforge.com/community/threads/lets-encrypt-2-ispconfig.71348 However, as to your question: it seems you are missing the chain certs in your setup.
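The served chain in the first post is leaf, root, intermediate, so the cert that follows the leaf is not its issuer. Below is an added example (not from this thread or from Postfix/OpenSSL) that parses the "Certificate chain" section of `openssl s_client` output and reports whether an issuer is missing from the chain or merely out of order; the sample text is constructed from the thread with the DNs abbreviated, and the function names are my own.

```python
import re

# Constructed sample: the chain section as printed by `openssl s_client`,
# using the subject/issuer CNs from the thread (OU/email fields dropped).
SAMPLE = """\
---
Certificate chain
 0 s:/C=DE/CN=alfred.ict-consult.co.za
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
---
"""

# One entry is a " N s:<subject>" line followed by an "   i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(text)]


def check_chain(chain):
    """Report problems: each cert must be directly followed by its issuer,
    and a self-signed (root) cert may only appear last."""
    problems = []
    subjects = [s for s, _ in chain]
    for n, (subj, iss) in enumerate(chain):
        last = n == len(chain) - 1
        if subj == iss:
            if not last:
                problems.append(f"cert {n} is self-signed but not last in the chain")
            continue
        if iss not in subjects:
            problems.append(f"issuer of cert {n} ({iss}) is not served: intermediate missing")
        elif last or chain[n + 1][0] != iss:
            problems.append(f"cert {n} is not directly followed by its issuer ({iss})")
    return problems


def suggested_order(chain):
    """Subjects in the order a chain file should list them: leaf first,
    then each issuer in turn. Stops where an issuer is not in the chain."""
    issuer_of = dict(chain)
    issuers = {i for _, i in chain}
    leaves = [s for s in issuer_of if s not in issuers]
    if len(leaves) != 1:
        return None  # no unique leaf: not a single server chain
    order = [leaves[0]]
    while issuer_of[order[-1]] not in order and issuer_of[order[-1]] in issuer_of:
        order.append(issuer_of[order[-1]])
    return order
```

With the thread's chain this reports three ordering problems and no missing intermediate, and suggests leaf, intermediate, root, which is the order Postfix expects in its chain file.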
Thanks, I will look at this and see if I can figure it out. The weird part is that nginx accepts the certificate just fine and Chrome doesn't complain about it; just the mail part of it seems off. Will keep an eye on Let's Encrypt but not keen on anything beta at the moment. I've been googling my own problem and found some hints that the resolving name server might not have DNSSEC enabled, looking into that too.
Well, Firefox and Chrome do handle intermediate certs differently. IMHO try: https://www.ssllabs.com/ssltest/analyze.html?d=DOMAIN.TLD&latest Of course replace DOMAIN.TLD with your own domain name. That should get you the necessary information.
Thanks, but I can't use that as I only use HTTPS on non-default ports :-( Anyway, will work through that tutorial once more and hope to figure out the problem somewhere along the way ;-)