
29767119:self signed certificate in certificate chain with Comodo PositiveSSL certificate in Postfix 2.7.0

  • Ben Johnson
    Jan 22, 2014
      Hello,

      I'm having some trouble getting a Comodo PositiveSSL certificate to work
      correctly with Postfix 2.7.0.

      I've attempted to follow the instructions at
      http://www.postfix.org/postconf.5.html#smtpd_tls_cert_file :

      "You should include the required certificates in the server certificate
      file, the server certificate first, then the issuing CA(s) (bottom-up
      order)."

      The CA and root information that Comodo provides for PositiveSSL
      certificates is as follows (
      https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1182
      ):

      PositiveSSL
      » Root: AddTrustExternalCARoot.crt
      » Intermediate: PositiveSSLCA2.crt
      » End-Entity/Domain Certificate

      I created the certificate with the following command:

      $ cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > /root/ssl/example.com.pem

      Then I added the following to main.cf:

      # TLS parameters
      smtpd_tls_cert_file = /root/ssl/example.com.pem
      smtpd_tls_key_file = /root/ssl/example.com.key
      smtpd_use_tls = yes

      But when I attempt to verify the certificate chain, I always receive
      "19:self signed certificate in certificate chain".

      $ openssl s_client -connect example.com:25 -starttls smtp
      CONNECTED(00000003)
      depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
      verify error:num=19:self signed certificate in certificate chain
      verify return:0
      ---
      Certificate chain
       0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.com
         i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
       1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
         i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      ---
      ...


      What might the problem be? Isn't the last certificate in the chain
      *supposed to be* self-signed?

      I thought that perhaps the client machine from which I am attempting to
      verify the certificate may lack the AddTrust certificate (#2 in the
      chain), but when I tried installing it, the certificate was recognized
      as a duplicate (i.e., it is already installed):

      # cp AddTrustExternalCARoot.crt /usr/local/share/ca-certificates/AddTrustExternalCARoot.crt

      # update-ca-certificates
      Updating certificates in /etc/ssl/certs... WARNING: Skipping duplicate certificate AddTrustExternalCARoot.crt
      WARNING: Skipping duplicate certificate AddTrustExternalCARoot.crt
      1 added, 0 removed; done.
      Running hooks in /etc/ca-certificates/update.d....done.

      I'm not sure what to try next. I must be missing something simple...

      For privacy reasons, I have omitted it here, but I'll provide the
      sanitized output of "postconf -n" if it would be helpful; just ask.

      Thanks for any help with this!

      -Ben
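Added example, not part of the original post and not code from Postfix or Comodo: a shell script that generates a throwaway root -> intermediate -> server-certificate hierarchy (stand-ins for AddTrustExternalCARoot.crt, PositiveSSLCA2.crt and example_com.crt), builds the PEM bundle in the order postconf(5) asks for, and then runs the two checks a practitioner would separate when chasing an error like the one above: a structural check that each certificate in the bundle is issued by the one after it, and a trust check with openssl verify. The trust check shows that OpenSSL reports error 19 ("self signed certificate in certificate chain") for a correctly ordered bundle whenever the verifying side does not have the root in its trust store, and that the same bundle verifies once the root is passed as -CAfile; in other words, a self-signed certificate at the end of the chain is expected, and error 19 is about the verifier's trust store, not the bundle. All CA names, host name, serial numbers and the working directory are made up for the demo, and it generates its own certificates so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post or from Postfix/Comodo.  Generates a
# throwaway root -> intermediate -> server certificate hierarchy (stand-ins for
# AddTrustExternalCARoot.crt, PositiveSSLCA2.crt and example_com.crt), builds the
# PEM bundle in the order postconf(5) asks for, and checks it with openssl(1).
# All names, serials and paths below are made up for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > ossl.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

genkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Self-signed root (the AddTrust role).
genkey root.key
openssl req -config ossl.cnf -new -x509 -sha256 -days 3650 -key root.key \
    -subj "/O=Demo Trust AB/CN=Demo External CA Root" -extensions ca_ext -out root.crt

# Intermediate issued by the root (the PositiveSSL CA 2 role).
genkey inter.key
openssl req -config ossl.cnf -new -sha256 -key inter.key \
    -subj "/O=Demo CA Limited/CN=Demo SSL CA 2" -out inter.csr
openssl x509 -req -sha256 -days 1825 -in inter.csr -CA root.crt -CAkey root.key \
    -set_serial 4097 -extfile ossl.cnf -extensions ca_ext -out inter.crt

# End-entity certificate for the mail host, issued by the intermediate.
genkey mail.key
openssl req -config ossl.cnf -new -sha256 -key mail.key \
    -subj "/CN=mail.example.com" -out mail.csr
openssl x509 -req -sha256 -days 365 -in mail.csr -CA inter.crt -CAkey inter.key \
    -set_serial 8193 -extfile ossl.cnf -extensions leaf_ext -out mail.crt

# The smtpd_tls_cert_file bundle: server certificate first, then its issuers
# bottom-up.  Appending the self-signed root is allowed; a client that already
# trusts it simply ignores the copy sent over the wire.
cat mail.crt inter.crt root.crt > bundle.pem

# Print a certificate's subject or issuer without the "subject="/"issuer=" prefix
# so the two can be compared as plain strings on any OpenSSL version.
field() { openssl x509 -noout -"$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# Structural check: split a bundle into single certificates and require that
# each certificate's issuer is the subject of the certificate that follows it.
# Prints "ok", or "broken at N" with N the zero-based position of the offender.
check_order() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ {n++} n > 0 {print > (d "/" n ".pem")}' "$1"
  n=$(ls "$d" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(field issuer "$d/$i.pem")" != "$(field subject "$d/$((i + 1)).pem")" ]; then
      echo "broken at $((i - 1))"; rm -rf "$d"; return 0
    fi
    i=$((i + 1))
  done
  rm -rf "$d"; echo ok
}

# Trust check: verify LEAF using BUNDLE as the untrusted (presented) chain and
# CAFILE, if given, as the trust store.  Prints 0 on success or the numeric
# OpenSSL verify error.  Error 19 ("self signed certificate in certificate
# chain") is what a correctly ordered chain produces when the verifier does not
# trust the self-signed root at its end; it says nothing about the bundle order.
verify_result() {   # verify_result LEAF BUNDLE [CAFILE]
  set -- "$1" "$2" "${3:-}"
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1) && { echo 0; return 0; }
  else
    out=$(openssl verify -untrusted "$2" "$1" 2>&1) && { echo 0; return 0; }
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

echo "bundle order:              $(check_order bundle.pem)"
echo "verify, root not trusted:  $(verify_result mail.crt bundle.pem)"
echo "verify, root trusted:      $(verify_result mail.crt bundle.pem root.crt)"
```

Against a live server the equivalent of the trust check is `openssl s_client -connect example.com:25 -starttls smtp -CApath /etc/ssl/certs`, which names the trust directory explicitly instead of relying on whatever default the local OpenSSL build was compiled with; a correct bundle plus a trusted root ends with `Verify return code: 0 (ok)`. The structural check is the one that actually tells you whether the cat order is right, because a client that trusts the root will accept the chain even if the bundle is misordered in ways some clients tolerate, and a client that does not trust it will report error 19 no matter how the bundle is ordered.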