2009/1/23 Ask Bjørn Hansen <a...@develooper.com>:
>
> On Jan 23, 2009, at 4:41, John Peacock wrote:
>
>> From a quick google, I think the solution is that you have to include the
>> certificate chain in the same file as the server cert itself, in reverse
>> order (so the CA is first, followed by any intermediate CAs, and the server
>> cert is last).
>
> Yeah - that's how it works in Perlbal (which is using similar-ish code).
I've tried that and various other combinations, but nothing seems to work. See below. It's crazy that setting up with chained certs is so troublesome, as there seems to be a trend towards only using chained certs.

Certs I have:

  server.key      (server private key)
  server.crt      (signed server cert)
  DigiCertCA.crt  (intermediate cert)
  TrustedRoot.crt (root cert)

Option 1 (John's suggestion):

  cat TrustedRoot.crt DigiCertCA.crt server.crt > cert-bundle.pem

Then tls line in config/plugins:

  tls /path/to/cert-bundle.pem /path/to/server.key /path/to/TrustedRoot.crt

The error reported on qpsmtpd-prefork startup is:

  Could not create SSL context: at ./plugins/tls line 81.

Option 2 (no cert chain, DigiCertCA.crt intermediate cert as CA):

  tls /path/to/server.crt /path/to/server.key /path/to/DigiCertCA.crt

qpsmtpd-prefork starts without issue; mail clients moan about the cert being untrustworthy.

Option 3 (no cert chain, TrustedRoot.crt as CA):

  tls /path/to/server.crt /path/to/server.key /path/to/TrustedRoot.crt

qpsmtpd-prefork starts without issue; mail clients moan about the cert being untrustworthy.

Option 4 (no cert chain in server.crt, but both TrustedRoot.crt and DigiCertCA.crt as CA):

  tls /path/to/server.crt /path/to/server.key /path/to/CombinedCA.crt

qpsmtpd-prefork starts without issue; mail clients moan about the cert being untrustworthy.

Option 5 (reversed cert chain in server.key position and TrustedRoot.crt):

  cat server.crt DigiCertCA.crt TrustedRoot.crt > cert-bundle-reversed.pem
  tls /path/to/cert-bundle.pem /path/to/server.key /path/to/TrustedRoot.crt

qpsmtpd-prefork starts without issue; mail clients moan about a self-signed cert in the cert chain.
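Added example, not from this thread or from qpsmtpd itself: a POSIX sh script that builds a throwaway root -> intermediate -> server chain with openssl (assumed installed), then checks a PEM bundle's order the way the "leaf first, each cert followed by its issuer" convention expects, and separately checks that the leaf chains to the root at all. The file and CN names mirror the thread's but are constructed locally.

```shell
#!/bin/sh
# Build a throwaway 3-tier chain so bundle ordering can be checked offline.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal openssl config: a DN section for req, and a CA extension section
# used both for the self-signed root and (via -extfile) the intermediate.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > chain.cnf

# Self-signed root (stands in for TrustedRoot.crt)
openssl req -x509 -config chain.cnf -newkey rsa:2048 -nodes -days 2 \
  -subj '/CN=Test Root' -keyout root.key -out TrustedRoot.crt 2>/dev/null
# Intermediate signed by the root (stands in for DigiCertCA.crt)
openssl req -config chain.cnf -newkey rsa:2048 -nodes \
  -subj '/CN=Test Intermediate' -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA TrustedRoot.crt -CAkey root.key \
  -CAcreateserial -extfile chain.cnf -extensions ca -out DigiCertCA.crt 2>/dev/null
# Server cert signed by the intermediate (stands in for server.crt)
openssl req -config chain.cnf -newkey rsa:2048 -nodes \
  -subj '/CN=mail.example.test' -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 2 -in server.csr -CA DigiCertCA.crt -CAkey inter.key \
  -CAcreateserial -out server.crt 2>/dev/null

# The two bundle orders from the thread: root-first (Option 1), leaf-first (Option 5).
cat TrustedRoot.crt DigiCertCA.crt server.crt > root-first.pem
cat server.crt DigiCertCA.crt TrustedRoot.crt > leaf-first.pem

# name issuer|subject FILE: print the DN without the "issuer=" / "subject=" prefix.
name() { openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# chain_order_ok BUNDLE: returns 0 when cert N's issuer is cert N+1's subject for
# every adjacent pair, i.e. the file starts with the leaf and walks up to the root.
chain_order_ok() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/BEGIN CERT/{n++} {print > (d "/" n ".pem")}' "$1"
  i=1
  while [ -f "$dir/$((i+1)).pem" ]; do
    [ "$(name issuer "$dir/$i.pem")" = "$(name subject "$dir/$((i+1)).pem")" ] || return 1
    i=$((i+1))
  done
  return 0
}

# leaf_verifies: 0 when server.crt chains to the root through the intermediate.
# This is independent of bundle order and is what a client ultimately checks.
leaf_verifies() {
  openssl verify -CAfile TrustedRoot.crt -untrusted DigiCertCA.crt server.crt >/dev/null 2>&1
}
```

Running `chain_order_ok root-first.pem` fails on the first pair (a self-signed root is its own issuer, not the intermediate's), while the leaf-first bundle passes; `leaf_verifies` succeeds either way, which is why a wrong bundle order shows up as a client complaint rather than a broken certificate.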