
297674 Re: 19:self signed certificate in certificate chain with Comodo PositiveSSL certificate in Postfix 2.7.0

  • Viktor Dukhovni
    Jan 22, 2014
      On Wed, Jan 22, 2014 at 03:07:33PM -0500, Ben Johnson wrote:

      > I created the certificate with the following command:
      >
      > $ cat example_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > /root/ssl/example.com.pem

      To verify that the file is well-formed try the below:

      openssl crl2pkcs7 -nocrl -certfile /root/ssl/example.com.pem |
      openssl pkcs7 -print_certs -text |
      less

      You should see the verbose decoding of the certificates in the
      correct order.

      > # TLS parameters
      > smtpd_tls_cert_file = /root/ssl/example.com.pem
      > smtpd_tls_key_file = /root/ssl/example.com.key
      > smtpd_use_tls = yes
      >
      > But when I attempt to verify the certificate chain, I always receive
      > "19:self signed certificate in certificate chain".

      There is nothing wrong with that, the client did not have a suitable
      CAfile or CApath configured. Very few SMTP clients do.

      > $ openssl s_client -connect example.com:25 -starttls smtp

      No -CAfile or -CApath options in this command-line.

      > 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=example.com
      > i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
      > 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
      > i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      > 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
      > i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

      This chain is good.

      > What might the problem be? Isn't the last certificate in the chain
      > *supposed to be* self-signed?

      There is no problem.

      --
      Viktor.
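
The "correct order" check from the reply above can also be scripted. The following is an added example, not part of the original thread: it reads a leaf-first PEM bundle and confirms that each certificate's issuer is the next certificate's subject, and reports whether the file ends in a self-issued root, the certificate that produces error 19 when the verifying client has no CAfile or CApath containing it. The function names (`check_order`, `root_included`, `fake_cert`) are hypothetical, the sample certificates are constructed unsigned stand-ins, and names are compared as raw DER bytes without verifying any signature.

```python
import base64, re

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, body_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of one certificate as raw DER Name bytes."""
    pos = _tlv(der, _tlv(der, 0)[1])[1]      # step into Certificate, then TBSCertificate
    if der[pos] == 0xA0:                     # optional [0] version field
        pos = _tlv(der, pos)[2]
    spans = []
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        end = _tlv(der, pos)[2]
        spans.append(der[pos:end])
        pos = end
    return spans[2], spans[4]

def load_pem(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_order(pem_text):
    """Problems in a leaf-first chain file; an empty list means every issuer matches the next subject."""
    certs = [names(d) for d in load_pem(pem_text)]
    return [f"cert {i}: issuer is not the subject of cert {i + 1}"
            for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]

def root_included(pem_text):                 # is the last certificate self-issued?
    issuer, subject = names(load_pem(pem_text)[-1])
    return issuer == subject

# Constructed sample input: unsigned structural stand-ins with CN-only names, not real certificates.
def _t(tag, body):
    return bytes([tag, len(body)]) + body    # short-form length, enough for these samples
def _name(cn):
    return _t(0x30, _t(0x31, _t(0x30, bytes.fromhex("0603550403") + _t(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (_t(0xA0, _t(0x02, b"\x02")) + _t(0x02, b"\x01") + _t(0x30, b"")
           + _name(issuer) + _t(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_t(0x30, _t(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert("example.com", "PositiveSSL CA 2")
INTERMEDIATE = fake_cert("PositiveSSL CA 2", "AddTrust External CA Root")
ROOT = fake_cert("AddTrust External CA Root", "AddTrust External CA Root")
```

The parser itself handles long-form DER lengths, so `check_order` and `root_included` can be pointed at the text of a real bundle such as the one built with `cat` in the quoted message.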