Yesterday I had my SSL certificate re-issued. I now have two
certificates for the same domain. One has an RSA signature and the new
one I received yesterday uses ECDSA. I enabled the ECDSA certificate in
Dovecot and Apache and those services are working great.
In Postfix I have enabled two certificates (RSA and ECDSA). To enable
the ECDSA cert I added the following to my main.cf:
<https://forums.freebsd.org/viewtopic.php?f=43&t=46394#>
    smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
    smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
When I received the ECDSA cert from Comodo I had the following files:
* AddTrustExternalCARoot.crt
* COMODOECCAddTrustCA.crt
* COMODOECCDomainValidationSecureServerCA.crt
* mail.domain.com.crt
To create the chained file for use in Postfix I ran:
    cat mail.domain.com.crt COMODOECCDomainValidationSecureServerCA.crt COMODOECCAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crt
The problem is, when I restart postfix and test with:
    openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crt
it says:
    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ....
    Verify return code: 21 (unable to verify the first certificate)
If I comment out:
    #smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
    #smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key
and restart Postfix again and run another OpenSSL test, it is all fine
with the RSA cert:
    Verify return code: 0 (ok)
So the question is, how do I get this new ECDSA certificate to work in
Postfix, and why doesn't it like the chain file I have created? It looks
like it's using the RSA certificate in the chain for the ECDSA
certificate, which is confusing! In case anyone's wondering, Postfix does
support running more than one certificate at once. See here:
http://postfix.cs.utah.edu/TLS_README.html
    RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported. You
    can configure all three at the same time, in which case the cipher
    used determines which certificate is presented.
I am running the latest version of Postfix and OpenSSL on FreeBSD 10-STABLE.
Any ideas? My Dovecot and Apache ECDSA certificate and chain verify just
fine, as does the chain file used in Postfix with my RSA certificate. It's
just the ECDSA one in Postfix I am battling with.
I would appreciate any help!
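The s_client output above can be read mechanically: certificate 0 names an issuer (the COMODO RSA DV CA) that is not the subject of certificate 1 (the COMODO ECC DV CA), so the chain file and the leaf do not belong together. As an added example that is not from the original post or from Postfix, the script below builds a throwaway CA hierarchy with openssl (constructed names, not the Comodo files) and then checks a chain file for exactly that kind of broken link, and reports whether the leaf served under the eccert settings is actually an ECDSA certificate. It assumes a POSIX sh with openssl on PATH.

```shell
# Added example, not code from the original post: builds a throwaway CA hierarchy with
# openssl (constructed names) and checks a chain file link by link, the way the
# s_client "Certificate chain" listing above should be read. Assumes POSIX sh + openssl.
set -e
WORK=$(mktemp -d)
# newcert NAME SUBJECT ec|rsa PARENT TRUE|FALSE   (empty PARENT = self-signed root)
newcert() {
    if [ "$3" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    else
        openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    fi
    if [ -z "$4" ]; then
        openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 2 -out "$WORK/$1.crt" 2>/dev/null
        return
    fi
    printf 'basicConstraints=CA:%s\n' "$5" >"$WORK/$1.ext"
    openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
        -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
# chain_break FILE: print the 0-based index (s_client numbering) of the first certificate
# whose issuer is not the subject of the next one in FILE; print -1 if every link holds.
chain_break() {
    dir=$(mktemp -d)
    awk -v d="$dir" '/-----BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERT' "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -noout -issuer -in "$dir/$i.pem" | sed 's/^[a-z]*= *//')
        sub=$(openssl x509 -noout -subject -in "$dir/$((i+1)).pem" | sed 's/^[a-z]*= *//')
        if [ "$iss" != "$sub" ]; then rm -rf "$dir"; echo $((i-1)); return 0; fi
        i=$((i+1))
    done
    rm -rf "$dir"; echo -1
}
# leaf_keytype FILE: key algorithm of the first certificate (id-ecPublicKey or rsaEncryption),
# i.e. whether the cert served under smtpd_tls_eccert_file really is the ECDSA one.
leaf_keytype() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public Key Algorithm: //p' | head -1
}
newcert ecroot  "/CN=Example ECC Root"  ec  ""     TRUE
newcert ecint   "/CN=Example ECC DV CA" ec  ecroot TRUE
newcert ecleaf  "/CN=mail.example.com"  ec  ecint  FALSE
newcert rsaint  "/CN=Example RSA DV CA" rsa ecroot TRUE
newcert rsaleaf "/CN=mail.example.com"  rsa rsaint FALSE
cat "$WORK/ecleaf.crt"  "$WORK/ecint.crt" >"$WORK/good.chain"  # ECDSA leaf + its ECC issuer
cat "$WORK/rsaleaf.crt" "$WORK/ecint.crt" >"$WORK/bad.chain"   # RSA leaf + ECC issuer, the mix s_client showed
echo "good chain: first broken link $(chain_break "$WORK/good.chain"), leaf key $(leaf_keytype "$WORK/good.chain")"
echo "bad chain:  first broken link $(chain_break "$WORK/bad.chain"), leaf key $(leaf_keytype "$WORK/bad.chain")"
```

Run the same two functions against the chained file from main.cf, or against the certificates pasted out of `openssl s_client -showcerts`, to see which link is broken and which key type the server is actually presenting.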