SSL Error – No Path Found from Leaf Certificate to Any Root

Tags: courier, openssl, pop3, ssl, ssl-certificate-errors

I've set up a personal mail server using postfix, postfix-saslauth, courier (mysqlauthd, imap, pop) plus some good practices like SPF, DKIM and DMARC.

This setup has been working fine for the last 10 years and today, for the first time, I've tried to add access to one of those accounts through GMail, which requires a working POP3 service. I could successfully add the account through the POP3 service (no security and/or encryption) on port 110.

The problem arises when I try to configure GMail to access the account through the POP3 service on port 995, using security. When doing so I get the following error from GMail:

SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing

I've downloaded Mozilla Thunderbird and I could download email through POP3 service on port 995 without issues, so my question is: Does anyone know how to fix this issue with GMail?

The following is my courier-pop3d-ssl config:

SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/run/courier/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=YES
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CIPHER_LIST="TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_STARTTLS_PROTOCOL="$TLS_PROTOCOL"
TLS_CERTFILE=/etc/courier/certificates/certificate.pem
TLS_PRIVATE_KEYFILE=/etc/courier/certificates/tls_private_keyfile.pem
TLS_DHPARAMS=/etc/courier/certificates/dhparams.pem
TLS_TRUSTCERTS=/etc/ssl/certs/ca-certificates.crt
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier/couriersslimapcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

Here's some SSL certificate info:

## Letsencrypt CRT + Key cert files
cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/letsencrypt-mydomain_com_crt_key.pem

ls -la /etc/courier/certificates/certificate.pem
lrwxrwxrwx 1 root courier 60 Oct  2 20:24 /etc/courier/certificates/certificate.pem -> /etc/courier/certificates/letsencrypt-mydomain_com_key.pem

ls -la /etc/courier/certificates/tls_private_keyfile.pem
lrwxrwxrwx 1 root courier 47 Oct  1 17:45 /etc/courier/certificates/tls_private_keyfile.pem -> /etc/letsencrypt/live/mydomain.com/privkey.pem

My SSL certificates are generated through Letsencrypt:

ls -la /etc/letsencrypt/live/mydomain.com/
total 12
drwxr-xr-x 2 root root 4096 Oct  2 14:35 .
drwx------ 8 root root 4096 Oct  2 14:35 ..
lrwxrwxrwx 1 root root   37 Oct  2 14:35 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root   38 Oct  2 14:35 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root   42 Oct  2 14:35 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root   40 Oct  2 14:35 privkey.pem -> ../../archive/mydomain.com/privkey1.pem
-rw-r--r-- 1 root root  692 Oct  2 14:35 README

This is the error I see in /var/log/mail.log when GMail tries to connect through the POP3 service on port 995:

Oct  2 21:12:15 we pop3d-ssl: Connection, ip=[::ffff:74.120.14.35]
Oct  2 21:12:16 we pop3d-ssl: ip=[::ffff:74.120.14.35], Unexpected SSL connection shutdown.
Oct  2 21:12:16 we pop3d-ssl: Disconnected, ip=[::ffff:74.120.14.35]

Should I concatenate intermediates and the leaf (server) certificate somewhere? How? In which order?

Thanks in advance

Solution:

According to courier-mta.org, TLS_CERTFILE is generated including both the cert and the private key. The file must not be world-readable, and must be accessible without a pass-phrase, i.e. it must not be encrypted.

So to fix the issue I had to concatenate the Letsencrypt CRT + CHAIN + KEY in this strict order:

cat /etc/letsencrypt/live/mydomain.com/cert.pem /etc/letsencrypt/live/mydomain.com/chain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem >> /etc/courier/certificates/certificate.pem.mydomain.com

Best Answer

TLS_CERTFILE=/etc/courier/certificates/certificate.pem

This file should be a combination of cert.pem and chain.pem - which should be the same as fullchain.pem. While it is not fully clear what you are really doing (there are some mismatches in the file names you use, maybe typos), it looks like you are combining cert and private key instead.
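The assembly the asker settled on and the check the answer implies (leaf, then chain, then key, in a file that is not world-readable), as an added shell example that is not from the question or the answer; it assumes the Let's Encrypt live directory layout shown above and uses the hypothetical function names build_courier_certfile and check_courier_certfile:

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes the Let's
# Encrypt "live" layout shown in the question (cert.pem, chain.pem, privkey.pem)
# and that Courier reads TLS_CERTFILE as leaf cert, intermediates, private key.

# build_courier_certfile LIVE_DIR OUT_FILE
# Writes the bundle in that order to a fresh file (">" rather than the ">>" in
# the question, so blocks from earlier attempts cannot pile up) and keeps it
# non-world-readable, as Courier's docs require. Group ownership (root:courier
# in the question) is left to the caller.
build_courier_certfile() {
    live="$1"; out="$2"
    for f in cert.pem chain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "missing or unreadable: $live/$f" >&2; return 1; }
    done
    (umask 077 && cat "$live/cert.pem" "$live/chain.pem" "$live/privkey.pem" > "$out") || return 1
    chmod 0640 "$out"
}

# check_courier_certfile FILE
# Offline sanity check of an existing bundle: at least two CERTIFICATE blocks
# (the leaf plus the intermediate GMail could not find), exactly one unencrypted
# private key, the key last, and no world-readable permission bits.
check_courier_certfile() {
    f="$1"
    ncert=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    nkey=$(grep -cE '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$f" || true)
    nblock=$(grep -c '^-----BEGIN ' "$f" || true)
    first=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f" | head -n 1)
    last=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$f" | tail -n 1)
    [ "$ncert" -ge 2 ] || { echo "$f: only $ncert certificate(s); intermediate chain missing" >&2; return 1; }
    [ "$nkey" -eq 1 ] || { echo "$f: expected exactly one unencrypted private key, found $nkey" >&2; return 1; }
    [ "$nblock" -eq $((ncert + nkey)) ] || { echo "$f: unexpected PEM block (encrypted key?)" >&2; return 1; }
    [ "$first" = "CERTIFICATE" ] || { echo "$f: first block must be the leaf certificate, not $first" >&2; return 1; }
    case "$last" in *"PRIVATE KEY") ;; *) echo "$f: private key must be the last block" >&2; return 1 ;; esac
    grep -q 'Proc-Type: 4,ENCRYPTED' "$f" && { echo "$f: key is pass-phrase protected" >&2; return 1; }
    # -L follows the symlink the question uses for certificate.pem
    mode=$(stat -L -c %a "$f" 2>/dev/null || stat -L -f %Lp "$f")
    [ $((0$mode & 07)) -eq 0 ] || { echo "$f: mode $mode is world-readable" >&2; return 1; }
    echo "$f: OK ($ncert certificates, 1 private key, mode $mode)"
}
```

Run build_courier_certfile /etc/letsencrypt/live/mydomain.com /etc/courier/certificates/certificate.pem after each renewal and then check_courier_certfile on the result. The check is label-based only, so it catches a missing intermediate or a misplaced key but not a wrong issuer; openssl verify -untrusted chain.pem cert.pem covers that part.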