
I have certificates issued from StartSSL, which is a trusted authority for certificates, and my websites work with its certificates with no problems and no complaints from all browsers about any trust issues.

Now I wanted to have the same programmed in Dovecot to have my e-mails received with certified SSL. So I use IMAP to get my mail, say through the address mail.myweb.com. I went to StartSSL, and issued a certificate for that subdomain (which is what I always do to obtain for any subdomain I wanna have with SSL through the Apache server).

Now I took that certificate, and defined that to be the certificate I wanna use for that domain name (using SNI) on Dovecot by adding the following to dovecot.conf

local_name mail.myweb.com {
  ssl_cert = </path/to/certificate/ssl.crt
  ssl_key = </path/to/privatekey/priv.key
}

While this process works perfectly fine on an Apache server, and I get my browsers happy with a green padlock with no signature problems on my certificates, Thunderbird insisted that I confirm this certificate as an exception.

I confirmed that the certificate Thunderbird is receiving is the correct one by looking into the details of the certificate.

What could the reason be? Is Thunderbird just paranoid and I must buy a certificate?

If you require any additional information, please let me know.

Thank you.


2 Answers

You're probably missing the intermediate certificate.

AFAIK Dovecot does not have a chain certificate option as you have in, for instance, Apache; you need to concatenate the intermediate certificate into a single file with your public certificate:

  1. The signed certificate for your domain
  2. Intermediate CA cert
  3. Root CA cert

Get the correct intermediate certificate from http://www.startssl.com/certs/ (possibly sub.class1.server.ca.pem) and then, for instance:

cp /path/to/certificate/ssl.crt dovecot.crt
cat sub.class1.server.ca.pem >> dovecot.crt
    Yes, that is exactly what [Dovecot requires](http://wiki2.dovecot.org/SSL/DovecotConfiguration), all certificates in the chain, including the one for your domain, in 1 single file. So you can't point Dovecot to the same certificate file apache uses. That assumes that the lack of an intermediate certificate is indeed the actual cause of your problem. – HBruijn Nov 27 '14 at 17:54
  • Thank you very much. This works! I did it for one website's certificate and it works for the others... which I find weird but probably understandable. – The Quantum Physicist Nov 27 '14 at 17:59
  • I highly doubt this is the cause/solution. I'm facing the same problem now. By default, Dovecot uses the certificate at /etc/exim.cert, which also doesn't (need to) have its intermediate certificates present to function. As I understand it, intermediate certificates on your server help resolve the chain more efficiently, but are not a requirement. I could be totally wrong though, I'm pretending to be a server administrator for just a week now... – zmippie Apr 25 '15 at 13:40
  • @zmippie many certification authorities sign their (cheaper) certificates not with the actual CA certificate that's included in the common CA bundle most clients use; they use an intermediate CA certificate signed by the trusted CA for that. If a server does not present that intermediate CA you do end up with a broken trust chain – HBruijn Apr 25 '15 at 18:51
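The concatenation step above, written as a small POSIX sh script (an added example, not part of the answer or of Dovecot): it builds the single chain file leaf-first, guards against the leaf file lacking a trailing newline (which fuses the END and BEGIN markers onto one line and makes tools reject the file as not-PEM), and sanity-checks the result. File names and the dummy PEM bodies are assumptions/constructed, not real certificates.

```shell
#!/bin/sh
# Number of PEM certificate blocks in a file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the Dovecot chain file: leaf certificate first, then the intermediate.
# If the leaf file has no trailing newline, insert one before appending,
# otherwise "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" ends up on one line.
build_chain() {
    leaf="$1"; intermediate="$2"; out="$3"
    {
        cat "$leaf"
        if [ -n "$(tail -c1 "$leaf")" ]; then echo; fi
        cat "$intermediate"
    } > "$out"
}

# Sanity-check a finished bundle: at least two certificates (leaf + intermediate)
# and no fused END/BEGIN markers. Returns 1 on failure.
check_chain() {
    if [ "$(count_certs "$1")" -lt 2 ]; then
        echo "$1: fewer than 2 certificates, intermediate probably missing" >&2; return 1
    fi
    if grep -q -e '-----END CERTIFICATE----------BEGIN' "$1"; then
        echo "$1: certificates run together on one line, not valid PEM" >&2; return 1
    fi
    return 0
}

# Constructed dummy PEM blocks (NOT real certificates) so the script can be
# exercised offline; the leaf deliberately lacks a trailing newline.
make_samples() {
    dir="$1"
    { printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAFDUMMY'
      printf '%s' '-----END CERTIFICATE-----'; } > "$dir/ssl.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTDUMMY' \
        '-----END CERTIFICATE-----' > "$dir/sub.class1.server.ca.pem"
}
```

On a real server you would run `build_chain /path/to/certificate/ssl.crt sub.class1.server.ca.pem dovecot.crt && check_chain dovecot.crt` and point `ssl_cert` at the resulting file.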

In addition to the answer by HBruijn I wanted to share with you that installing a certificate created this way in Webmin/Virtualmin does not work (error: "Line 46 does not look like PEM format"). I worked around this limitation by installing the domain certificate first and then concatenating it with the intermediate cert after installation.

simne7