From what I can determine, you generate a LetsEncrypt certificate that includes the full cert chain thus:

# run lets-enc the usual way
# then ..:
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem 
cat DOMAIN.crt intermediate.pem >DOMAIN.pem
# now use DOMAIN.pem instead of DOMAIN.crt

Unfortunately, when I do that, Exim4 resp. GnuTLS complains that

(cert/key setup: cert=/etc/letsencrypt/keys/DOMAIN.pem
 key=/etc/letsencrypt/keys/DOMAIN.key):
The provided X.509 certificate list is not sorted (in subject to issuer order)

and refuses to enable SSL.

Since using the "naked" .CRT file results in annoying certificate warnings on some clients (it works, otherwise), I'd like to fix that.

1 Answer

You got the wrong certificate. Check the graph at the Let's Encrypt site and you will see that a leaf certificate is not signed by the X1 certificate you've downloaded but by X3. If you look at the certificate details (with openssl x509 -text or similar) you will also see the issuer of your certificate, and you can check that it matches the subject of the issuer's certificate.

Steffen Ullrich
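The issuer-to-subject comparison described in the answer, automated for a whole PEM bundle. This is an added example, not part of the original question or answer; the function names `check_chain_order` and `make_demo_chain` are hypothetical, the demo certificates are constructed throwaway data, and the check compares names through OpenSSL's subject and issuer hashes without verifying signatures.

```bash
# check_chain_order BUNDLE: exit 0 if each certificate's issuer name matches
# the subject name of the certificate after it (the order GnuTLS requires).
# Compares names only (OpenSSL name hashes); it does not verify signatures.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%03d.pem", dir, ++n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0; expected=""; count=0
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || break                      # bundle held no certificates
        count=$((count + 1))
        subj_hash=$(openssl x509 -in "$f" -noout -subject_hash)
        if [ -n "$expected" ] && [ "$subj_hash" != "$expected" ]; then
            echo "cert $count is not the issuer of cert $((count - 1)):" >&2
            openssl x509 -in "$f" -noout -subject >&2
            rc=1
        fi
        expected=$(openssl x509 -in "$f" -noout -issuer_hash)
    done
    [ "$count" -gt 0 ] || rc=2
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR: constructed test data (throwaway CA, a leaf it signs,
# and an unrelated CA standing in for a wrong intermediate).
make_demo_chain() {
    dir=$1
    for ca in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed $ca CA" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.invalid" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/ca.crt"    > "$dir/good.pem"
    cat "$dir/ca.crt" "$dir/leaf.crt"    > "$dir/reversed.pem"
    cat "$dir/leaf.crt" "$dir/other.crt" > "$dir/wrong-issuer.pem"
}
```

Run `check_chain_order /etc/letsencrypt/keys/DOMAIN.pem` on the bundle before restarting Exim. Exit status 1 means a certificate in the file is not the issuer of the one before it (wrong intermediate or wrong order); status 2 means no certificates were found.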