SSL cert. from RapidSSLOnline.

fmail
Normal user
Posts: 159
Joined: 2009-01-02 18:21
Location: Denmark, Aarhus

SSL cert. from RapidSSLOnline.

Post by fmail » 2019-03-21 09:10

Normally I use a self-signed cert without problems, but want to go a step up. I have used https://letsencrypt.org/ but 90 days is not what I need.
Ordered an SSL cert from:
https://www.rapidsslonline.com/ssl-bran ... cates.aspx

After a long order process with a lot of typing at their site and my own Linux box to generate the private key with openssl...
I load the two files into HM; they look OK on the client and on HM.

Finally I want to do an SSL test at:
https://www.checktls.com/

Now I ask, what is this:
-STARTTLS command works on this server
-Connection converted to SSL
-SSLVersion in use: TLSv1_2
-Cipher in use: ECDHE-RSA-AES128-GCM-SHA256
-Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
-This may help: What Is An Intermediate Certificate
-So email is encrypted but the recipient domain is not verified
Any help on this?

mattg
Moderator
Posts: 20012
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL cert. from RapidSSLOnline.

Post by mattg » 2019-03-21 10:19

In hMailServer you will need to chain the certs.

At the top is the CA cert, at the bottom is the server cert.
I'd guess that the cert you have installed has these in reversed order.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Re: SSL cert. from RapidSSLOnline.

Post by fmail » 2019-03-21 10:32

At HM I load the .key & .crt files.

The .key is my private key, generated on my Linux box; it looks like this:
-----BEGIN RSA PRIVATE KEY-----
lot of tokendata.....
-----END RSA PRIVATE KEY-----
The .crt is from the SSL provider and looks like this; I have only one section (so no chain):
-----BEGIN CERTIFICATE-----
lot of tokendata.....
-----END CERTIFICATE-----


Re: SSL cert. from RapidSSLOnline.

Post by mattg » 2019-03-21 10:39

You need a chain (in the crt file).

Just one file that contains the root / the CA and the server cert.
It may have two parts, it may have three or four; I'm not familiar with RapidSSL at all.

Code:

-----BEGIN CERTIFICATE-----
lot of tokendata for CA cert.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
lot of tokendata for your server cert.....
-----END CERTIFICATE-----
https://knowledge.digicert.com/generali ... O1548.html


Re: SSL cert. from RapidSSLOnline.

Post by fmail » 2019-03-21 11:12

When looking at the crt, it looks OK with no chain?
The last line in the cert is the cert hostname.
Please look at the picture.
Attachments
p1.jpg


Re: SSL cert. from RapidSSLOnline. [solved]

Post by fmail » 2019-03-21 12:34

Problem solved; the crt file must be like this:

Top: Own Certificate
Next: CACertificate-INTERMEDIATE
Lowest: CACertificate-ROOT