You will want the domain certificate first, then the certificate authority bundle in a pem file.
> On May 8, 2025, at 6:08 PM, Dan Mahoney via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> There’s only one certificate in your chain, you need to send the intermediate
> cert as well.
>
> The cert you’re signing with isn’t trusted by browsers.
>
> Certificate chain
> 0 s:CN = rollcage13.aboc.net.au
>   i:C = US, O = Let's Encrypt, CN = R10
>
> Arguably, this is even worse than being self-signed.
>
> Compared with my sendmail (stop laughing) server:
>
> Certificate chain
> 0 s:CN = prime.gushi.org
>   i:C = US, O = Let's Encrypt, CN = E5
> 1 s:C = US, O = Let's Encrypt, CN = E5
>   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
>
> I believe if you just point postfix at your cert chain, it will do the right
> thing as long as the certs are in the correct order.
>
> -Dan
>
>> On May 8, 2025, at 15:34, Carl Brewer via Postfix-users
>> <postfix-users@postfix.org> wrote:
>>
>> Hi,
>>
>> I've been running postscript on a FreeBSD 13.x server with Letsencrypt
>> running as a cron job to keep SSL certs up to date automagically:
>>
>> in main.cf:
>>
>> smtpd_tls_security_level = may
>> smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/cert.pem
>> smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem
>>
>> As best I can tell, this has worked for a number of years without issue.
>>
>> I've noticed this error of late:
>>
>> May 9 08:15:44 rollcage13 postfix/smtpd[88039]: warning: TLS library
>> problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1621:SSL alert
>> number 42:
>>
>> And some mail isn't making it through - I guess it's possible that the above
>> config never worked and I didn't notice, but I suspect this is a new thing.
>>
>> When I check the SSL config using the ssl-tools.net checks, I'm seeing
>> "Unknown Authority" as the error, but also seeing a cert that looks ok:
>>
>> From: https://ssl-tools.net/mailservers/rollcage13.aboc.net.au
>>
>> Certificates
>> First seen at: a day ago
>> CN=rollcage13.aboc.net.au
>> Certificate chain
>>
>> rollcage13.aboc.net.au
>> 40 days remaining
>> 2048 bit
>> sha256WithRSAEncryption
>> Unknown Authority
>> R10
>>
>> Subject
>> Common Name (CN)
>> rollcage13.aboc.net.au
>>
>> Alternative Names
>> rollcage13.aboc.net.au
>>
>> Apart from the "Unknown Authority" it looks fine.
>>
>> Permissions in the cert directory are all ok, or at least, all the same, so
>> if it can read one bit it can read them all:
>>
>> rollcage13:/usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au # ls -la
>> total 16
>> drwxr-xr-x  2 root wheel       7 Mar 18 05:08 .
>> drwxr-s---  3 root readcirts   4 Sep 19  2021 ..
>> -rw-r--r--  1 root wheel     692 Sep 19  2021 README
>> lrwxr-xr-x  1 root wheel      47 Mar 18 05:08 cert.pem -> ../../archive/rollcage13.aboc.net.au/cert23.pem
>> lrwxr-xr-x  1 root wheel      48 Mar 18 05:08 chain.pem -> ../../archive/rollcage13.aboc.net.au/chain23.pem
>> lrwxr-xr-x  1 root wheel      52 Mar 18 05:08 fullchain.pem -> ../../archive/rollcage13.aboc.net.au/fullchain23.pem
>> lrwxr-xr-x  1 root wheel      50 Mar 18 05:08 privkey.pem -> ../../archive/rollcage13.aboc.net.au/privkey23.pem
>>
>> any suggestions, I'm no wizz when it comes to SSL setups, and am pretty
>> rusty here.
>>
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org
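The check the thread converges on, as an added example that is not from the thread or from Postfix itself: a POSIX sh script that reads `smtpd_tls_cert_file` out of a main.cf (honouring Postfix's leading-whitespace line continuation, as in Carl's quoted config) and reports whether the PEM file it names carries more than one certificate. Carl's `cert.pem` holds only the leaf, which is exactly what Dan's `s_client` output shows ("0 s:CN = rollcage13.aboc.net.au" and nothing after it); `fullchain.pem` from the same directory holds the leaf followed by the R10 intermediate. The function and variable names and the sample PEM/main.cf contents are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the Postfix-users thread or from Postfix.
# Reports whether the certificate file Postfix serves includes an issuer
# certificate after the leaf. Sample inputs are constructed, not real certs.

count_certs() {
    # Number of PEM certificate blocks in a file; 0 if it cannot be read.
    # '--' ends option parsing because the pattern starts with '-'.
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

chain_is_complete() {
    # A chain remote clients can build is leaf + intermediate (Let's Encrypt
    # R10/E5), i.e. at least two blocks, leaf first. Returns 0 when so.
    [ "$(count_certs "$1")" -ge 2 ]
}

cert_file_from_maincf() {
    # Read smtpd_tls_cert_file from a main.cf. A value may continue on
    # following lines that start with whitespace; the last definition wins.
    # (On a live box "postconf -h smtpd_tls_cert_file" is the real answer.)
    awk '
        /^[[:space:]]*smtpd_tls_cert_file[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); val = $0; cont = 1; next
        }
        cont && /^[[:space:]]/ { sub(/^[[:space:]]+/, ""); val = val $0; next }
        { cont = 0 }
        END { sub(/[[:space:]]+$/, "", val); print val }
    ' "$1"
}

check_maincf() {
    # Print a verdict for the cert file named in main.cf; return 0 if the
    # served chain includes an issuer, 1 if it is the bare leaf (or unreadable).
    f=$(cert_file_from_maincf "$1")
    n=$(count_certs "$f")
    if [ "$n" -ge 2 ]; then
        echo "OK: $f contains $n certificates (leaf followed by issuer)"
        return 0
    fi
    echo "BAD: $f contains $n certificate(s); clients will report an unknown authority"
    return 1
}

# Usage: sh check_chain.sh /usr/local/etc/postfix/main.cf
if [ $# -gt 0 ]; then
    check_maincf "$1"
fi
```

To see what a remote MTA sees, `openssl s_client -starttls smtp -connect rollcage13.aboc.net.au:25 -showcerts </dev/null` prints the served chain in the same "Certificate chain" layout Dan quoted. The fix in Carl's case is to point `smtpd_tls_cert_file` at `fullchain.pem` instead of `cert.pem` (leaf first, then the intermediate, which is the order certbot already writes); on Postfix 3.4 and later the single parameter `smtpd_tls_chain_files = privkey.pem, fullchain.pem` (key first) does the same job.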