Postfix SSL certificates with Comodo (PositiveSSL) – “Unknown Authority”

Tags: dovecot, postfix, ssl, ssl-certificate

I have an issue with my mail server running a postfix/dovecot setup: essentially, when I run the various security tests I get told that my certificates can't be validated; see here: https://ssl-tools.net/mailservers/brailsford.xyz

The certificates and related files I have available (which are valid as per https://brailsford.xyz) are:

  • AddTrustExternalCARoot.crt
  • brailsford_xyz.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt

I also have my key file for the crt, brailsford_xyz.key

My setup in postfix is:

smtpd_tls_cert_file=/etc/ssl/certs/postfixchain.crt
smtpd_tls_key_file=/etc/ssl/private/brailsford.key
smtpd_tls_CAfile=/etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt
smtpd_use_tls=yes

The postfix chain is a combination of three of the certs from earlier, in the following order:

  1. brailsford_xyz.crt
  2. COMODORSADomainValidationSecureServerCA.crt
  3. AddTrustExternalCARoot.crt

Can anyone advise as to what I'm doing wrong and how I can rectify it?

Best Answer

It seems your SSL certificate chain is not complete (or rather, is missing a link). Look at what openssl s_client returns when I connect to your mail server:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -starttls smtp -connect brailsford.xyz:587
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=brailsford.xyz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

As you can see, there is a certificate with issuer (i) "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority", but the chain does not contain a certificate issued to that subject by a trusted CA (or a further intermediate CA).

As far as I can tell you are missing at least this certificate (as the third link in your chain): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority

That is serial number 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22 and Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
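As an added example (not part of the question or the answer), the following POSIX shell script automates the check the answer did by eye: it walks a PEM bundle such as postfixchain.crt, reports the first certificate whose issuer is not the subject of the certificate that follows it, and then verifies the leaf against a trust store, so it can be run as `check_chain /etc/ssl/certs/postfixchain.crt /etc/ssl/certs/ca-certificates.crt` before restarting Postfix. It assumes only the openssl command-line tool and awk; the file names are the ones from the question.

```shell
#!/bin/sh
# Added example: find the missing link in a PEM certificate bundle.
# A bundle is correct when cert i is issued by cert i+1 and the last
# cert is issued by (or is) something in the trust store. The s_client
# output above fails exactly this test between links 1 and 2.

# nth_cert BUNDLE N: print the N-th (0-based) PEM certificate of BUNDLE.
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/ { c++ } c == n + 1' "$1"
}

# cert_count BUNDLE: number of PEM certificates in BUNDLE.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# dn BUNDLE N FIELD: RFC 2253 "subject" or "issuer" of the N-th certificate.
# RFC 2253 form gives a stable string for comparing names across certs.
dn() {
  nth_cert "$1" "$2" | openssl x509 -noout "-$3" -nameopt RFC2253 \
    | sed "s/^$3= *//"
}

# check_chain BUNDLE CAFILE: return 0 if every link in BUNDLE is issued by
# the next one and the leaf verifies against CAFILE; 1 otherwise, naming
# the broken link on stderr so the right intermediate can be inserted.
check_chain() {
  chain=$1 cafile=$2
  n=$(cert_count "$chain")
  i=0
  while [ "$i" -lt $((n - 1)) ]; do
    issuer=$(dn "$chain" "$i" issuer)
    subject=$(dn "$chain" $((i + 1)) subject)
    if [ "$issuer" != "$subject" ]; then
      echo "link $i -> $((i + 1)) broken: cert $i is issued by '$issuer'" >&2
      echo "  but cert $((i + 1)) is '$subject'; the intermediate is missing" >&2
      return 1
    fi
    i=$((i + 1))
  done
  # Links are consistent; now confirm the chain ends at a trusted root.
  # Everything after the leaf is offered as untrusted intermediates.
  inter=$(mktemp)
  awk '/BEGIN CERTIFICATE/ { c++ } c > 1' "$chain" > "$inter"
  if [ "$n" -gt 1 ]; then
    nth_cert "$chain" 0 | openssl verify -CAfile "$cafile" -untrusted "$inter" >/dev/null 2>&1
  else
    nth_cert "$chain" 0 | openssl verify -CAfile "$cafile" >/dev/null 2>&1
  fi
  rc=$?
  rm -f "$inter"
  return "$rc"
}
```

A passing run is silent; a failing run prints which two neighbours do not match, which is the point where the page's missing "COMODO RSA Certification Authority" certificate would have to be inserted.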