Yesterday I had my SSL certificate re-issued. I now have two certificates for the same domain. One has an RSA signature and the new one I received yesterday uses ECDSA. I enabled the ECDSA certificate in Dovecot and Apache and those services are working great.
In Postfix I have enabled two certificates (RSA and ECDSA). To enable the ECDSA cert I added the following to my main.cf:
When I received the ECDSA cert from Comodo I had the following files:
To create the chained file for use in Postfix I ran:
The problem is, when I restart postfix and test with:
it says:
If I comment out:
and restart Postfix agan and run another OpenSSL test it is all fine:
So the question is, how do I get this new ECDSA certificate to work in Postfix and why doesn't it like the chain file I have created? It looks like its using the RSA certificate in the chain for the ECDSA certificate which is confusing! In case anyone's wondering, Postfix does support running more than one certificate at once. See here: http://postfix.cs.utah.edu/TLS_README.html.
I am running the latest version of Postfix and OpenSSL (from ports).
Any ideas? My Dovecot and Apache ECDSA certify and chain verify just fine as does my chain file used in Postfix with my RSA certificate. Its just the ECDSA one in Postfix I am battling with.
I would appreciate any help!
In Postfix I have enabled two certificates (RSA and ECDSA). To enable the ECDSA cert I added the following to my main.cf:
Code:
smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.keyWhen I received the ECDSA cert from Comodo I had the following files:
- AddTrustExternalCARoot.crt
- COMODOECCAddTrustCA.crt
- COMODOECCDomainValidationSecureServerCA.crt
- mail.domain.com.crt
To create the chained file for use in Postfix I ran:
cat mail.domain.com.crt COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crtThe problem is, when I restart postfix and test with:
openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crtit says:
Code:
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
....
Verify return code: 21 (unable to verify the first certificate)If I comment out:
Code:
#smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
#smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
Code:
Verify return code: 0 (ok)So the question is, how do I get this new ECDSA certificate to work in Postfix and why doesn't it like the chain file I have created? It looks like its using the RSA certificate in the chain for the ECDSA certificate which is confusing! In case anyone's wondering, Postfix does support running more than one certificate at once. See here: http://postfix.cs.utah.edu/TLS_README.html.
I am running the latest version of Postfix and OpenSSL (from ports).
Any ideas? My Dovecot and Apache ECDSA certify and chain verify just fine as does my chain file used in Postfix with my RSA certificate. Its just the ECDSA one in Postfix I am battling with.
I would appreciate any help!