Self signed certificate in certificate chain

ssl postfix ssl-certificate dovecot
51,509

At some level, a self-signed certificate will always appear in a certificate chain - most notably the case with CA certs, which are by definition self-signed, but are trusted. You are seeing that message because the StartSSL CA cert is self-signed.

Your chain file is also wrong - you don't need the client certificates. The file should be in the following order, from the top of the file to the bottom, links are to StartSSL's equivalent cert, assuming class 2 validation (documentation is here):

  1. Private key (optional)
  2. Your Public certificate
  3. Class 2 Intermediate Certificate
  4. Root CA certificate

Your error could be down to using the wrong port, as discussed here. For reference, port 995 is used for POP SSL connections, port 993 is used for IMAP SSL (reference).

Share:
51,509

Related videos on Youtube

MultiformeIngegno
Author by

MultiformeIngegno

Updated on September 18, 2022

Comments

  • MultiformeIngegno
    MultiformeIngegno over 1 year

    I'm having building the correct certificate chain. My certificate issue a class 2 issued by StartSSL.

    Here's in order what I have put in my ssl.crt:

    my cert
https://www.startssl.com/certs/ca.pem
https://www.startssl.com/certs/class2/sha1/pem/sub.class2.client.sha1.ca.pem
https://www.startssl.com/certs/class2/sha1/pem/sub.class2.server.sha1.ca.pem

    (I put the links to allow you to see where I took the files)

    If I do a openssl s_client -connect multiformeingegno.it:993 I get:

    Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready

    And if I try to add my account to Gmail here's what I get:

    "Missing +OK response upon connecting to the server: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready."

    Why does it say a self-signed cert?

  • MultiformeIngegno
    MultiformeIngegno almost 9 years
    Sh*t.. that means if I want to link my account with Gmail I need to use another CA?
  • ObiwanKeTobi
    ObiwanKeTobi almost 9 years
    No. You need to fix your certificate chain file.
  • Steffen Ullrich
    Steffen Ullrich almost 9 years
    The root certificate should be in the client itself and starting from this trust anchor it will built the trust chain using the intermediate certificates until it reaches the leaf certificate. Thus the root certificate itself does not need to be including in the chain send by the server. While mostly ignored by the client there might be cases where including the root certificate might even cause problems, so it is better to leave it out.
  • ObiwanKeTobi
    ObiwanKeTobi almost 9 years
    @SteffenUllrich thanks - never knew of issues with including the root CA. Have edited my answer to include references to port issues which have the same resulting error.
  • MultiformeIngegno
    MultiformeIngegno almost 9 years
    Actually yes I'm trying to connect to POP3 using the IMAP port.. ahah -.-

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

sslv3 alert bad certificate when attempting to connect with Mail Client
Why are many mail servers using subdomains like mail.example.com?
Postfix SMTP SSL config: Can't send email but can receive it with SSL
Dovecot handshake failure, on Postfix success
Postfix 'tlsv1 alert unknown ca'
SSL Error: self signed certificate in certificate chain
POSTFIX cant connect from SMTP with TLS
Generating SSL key for Dovecot and Postfix
Set up certs for multiple domains in Postfix and Dovecot
Postfix, multi domains and multi certs on one IP