Private mail server giving certificate error even though valid certificate present


I have created a private mail server using iRedMail & Nginx. I have installed SSL certificates and keys into Nginx and iRedMail itself at the below locations. The server runs great and everything works via web mail. The browser agrees that the SSL certificate is valid and HTTPS works.

The issue is when I add the mail account to my email client, I get an invalid certificate error, and the same issue when using CalDav. It still works, but this makes me think that I'm missing some certificate install somewhere. Any suggestions? Thank you!

/etc/ssl/certs/iRedMail.crt
/etc/ssl/private/iRedMail.key

Here is the output of openssl s_client -showcerts -connect mail.bragsdale.dev:993

CONNECTED(00000003)
depth=0 CN = bragsdale.dev
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bragsdale.dev
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=bragsdale.dev
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...CERTIFICATE HERE...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=bragsdale.dev
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2064 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 3DD2E8B607CF5B4ACECDB995078FDAE80C210097372B80CD1409E90A0A523E0A
    Session-ID-ctx: 
    Master-Key: F1953ABEAC1024279DA6D0E17D26E3305E7C2A9589976FDFD2DBF22E4B6280415BC271E5228045B7D0C5E8A0B3921B11
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ....DATA HERE...

    Start Time: 1551664367
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready

Solution

  • Fixed it. The problem was I wasn't using my intermediary certificate. See this answer for details.

    A note, when I cat'ed the certificates together it was malformed, with the END CERTIFICATE/BEGIN CERTIFICATE being on one line. Easily fixed with a text editor.
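
The malformed bundle described in the note above comes from a leaf file with no trailing newline. As an added example (not part of the original answer), this script joins the files safely and checks the result. The function names `join_pem` and `check_pem`, the file names, and the placeholder certificate bodies are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Print each PEM file in order, forcing a newline after its last line.
# Plain `cat leaf intermediate` fuses the markers when the leaf file
# has no trailing newline; awk terminates every record it prints.
join_pem() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
        awk '{ sub(/\r$/, ""); print }' "$f"
    done
}

# Succeed and print the certificate count only if every BEGIN/END
# marker stands alone on its line and the markers alternate.
check_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ {
            if ($0 != "-----BEGIN CERTIFICATE-----" || inside) bad = 1
            inside = 1; n++; next
        }
        /-----END CERTIFICATE-----/ {
            if ($0 != "-----END CERTIFICATE-----" || !inside) bad = 1
            inside = 0; next
        }
        END { if (bad || inside || n == 0) exit 1; print n }
    ' "$1"
}

# Constructed sample input: placeholder bodies, not real certificates.
tmp=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'AAAA' \
    '-----END CERTIFICATE-----' > "$tmp/leaf.pem"          # no final newline
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' \
    '-----END CERTIFICATE-----' > "$tmp/intermediate.pem"

# Naive concatenation reproduces the fused END/BEGIN line; join_pem does not.
cat "$tmp/leaf.pem" "$tmp/intermediate.pem" > "$tmp/naive.pem"
join_pem "$tmp/leaf.pem" "$tmp/intermediate.pem" > "$tmp/fullchain.pem"

check_pem "$tmp/naive.pem" >/dev/null || echo "naive.pem: fused or unbalanced markers"
echo "fullchain.pem certificates: $(check_pem "$tmp/fullchain.pem")"
```

Once a correctly joined bundle is installed, the "Certificate chain" section of the `openssl s_client -showcerts` output from the question should list the intermediate as entry 1 after the leaf.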