I'm having some problems building a certificate chain. My certificate is a class 2 certificate issued by StartSSL.

Here’s what I have put in my ssl.crt:

my cert
https://www.startssl.com/certs/ca.pem
https://www.startssl.com/certs/class2/sha1/pem/sub.class2.client.sha1.ca.pem
https://www.startssl.com/certs/class2/sha1/pem/sub.class2.server.sha1.ca.pem

If I run openssl s_client -connect domain.com:993 I get:

Verify return code: 19 (self signed certificate in certificate chain)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready

And if I try to add my account to Gmail here's what I get:

"Missing +OK response upon connecting to the server: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot (Ubuntu) ready."

Why does it say it is a self-signed cert?

MultiformeIngegno

2 Answers

At some level, a self-signed certificate will always appear in a certificate chain - most notably the case with CA certs, which are by definition self-signed, but are trusted. You are seeing that message because the StartSSL CA cert is self-signed.

Your chain file is also wrong - you don't need the client certificates. The file should be in the following order, from the top of the file to the bottom, links are to StartSSL's equivalent cert, assuming class 2 validation (documentation is here):

  1. Private key (optional)
  2. Your Public certificate
  3. Class 2 Intermediate Certificate
  4. Root CA certificate

Your error could be down to using the wrong port, as discussed here. For reference, port 995 is used for POP SSL connections, port 993 is used for IMAP SSL (reference).

Craig Watson

  • No. You need to fix your certificate chain file. – Craig Watson May 11 '15 at 15:54
  • The root certificate should be in the client itself, and starting from this trust anchor it will build the trust chain using the intermediate certificates until it reaches the leaf certificate. Thus the root certificate itself does not need to be included in the chain sent by the server. While mostly ignored by the client, there might be cases where including the root certificate might even cause problems, so it is better to leave it out. – Steffen Ullrich May 11 '15 at 15:59
  • @SteffenUllrich thanks - never knew of issues with including the root CA. Have edited my answer to include references to port issues which have the same resulting error. – Craig Watson May 11 '15 at 16:01
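The chain layout Craig Watson's answer prescribes, and the reason behind the asker's verify return code 19, worked through in an added shell example (this is not code from the question or from either answer). It uses openssl to mint a throwaway root, intermediate and leaf, assembles ssl.crt as leaf followed by intermediate (root left out, as Steffen Ullrich's comment recommends), and then runs openssl verify three ways: the correct chain checked by a client that trusts the root, the leaf alone, and a chain that carries the root but is checked by a client holding no trust anchor at all. The last case is the situation s_client is in when it is not pointed at StartSSL's root, and it is what produces "self signed certificate in certificate chain". Every name, path and the temporary directory here is constructed for the example.

```shell
#!/bin/sh
# Added example: a throwaway root -> intermediate -> leaf PKI, the chain file
# laid out as the answer describes, and the verify code each layout yields.
# All names and paths are constructed; none of them belong to the question.
set -eu

WORK=${WORK:-$(mktemp -d)}

make_pki() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
EOF
  # Root CA: self-signed trust anchor (the role StartSSL's ca.pem plays).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/ext.cnf" -extensions ca_ext -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (the role of the class 2 server CA).
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=Example Class 2 Server CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -extensions ca_ext -out "$WORK/inter.pem" 2>/dev/null
  # Leaf (server) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=mail.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
    -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null
}

# Assemble ssl.crt as the answer prescribes: leaf first, then the intermediate.
# The root is deliberately left out; it belongs in the client's trust store.
build_chain() {   # $1 = output file
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$1"
}

# Verify the leaf against a chain file the way a client would and print the
# result: 0 on success, otherwise openssl's numeric X.509 verify error.
# $1 = chain file; $2 = trust anchor file, or "" for a client with no root.
verify_code() {
  chain=$1
  if [ -n "${2:-}" ]; then
    set -- -CAfile "$2" -no-CApath
  else
    set -- -no-CAfile -no-CApath
  fi
  if out=$(openssl verify "$@" -untrusted "$chain" "$WORK/leaf.pem" 2>&1); then
    echo 0
  else
    # e.g. "error 19 at 2 depth lookup: self signed certificate in certificate chain"
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

make_pki
build_chain "$WORK/ssl.crt"
cat "$WORK/leaf.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/ssl_with_root.crt"
echo "leaf+intermediate, root trusted:         $(verify_code "$WORK/ssl.crt" "$WORK/root.pem")"      # 0
echo "leaf only, root trusted:                 $(verify_code "$WORK/leaf.pem" "$WORK/root.pem")"     # 20
echo "leaf+intermediate+root, nothing trusted: $(verify_code "$WORK/ssl_with_root.crt" "")"          # 19
```

The third line reproduces the asker's symptom: shipping the root in ssl.crt does nothing for a client that does not already trust it, and that is what s_client reports as code 19 when it is run without -CAfile pointing at the StartSSL root. The second line shows the error a client actually gets when the intermediate is missing (code 20, unable to get local issuer certificate), which is the mistake a chain file is there to prevent.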

If you are trying to configure Gmail access to some 3rd-party POP3 account, then make sure you use port 995; if it's IMAP, then it's 993.

To make sure your SSL is installed and working, you can use openssl with the following command:

openssl s_client -showcerts -connect mail.yourserver.com:995

And if everything is OK, there won't be any error messages displayed by openssl.

Aleksandar Pavić