I have requested a new class 1 server certificate from StartSSL today and it is working great with Apache and Dovecot (Thunderbird/Outlook/OpenXChange), but when I try to connect to the mail server using an Apple client (Mac/iPhone), I get an SSL error message.

I have chained the

  • 2_Server Certificate
  • 1_Intermediate Certificate
  • Root Certificate

in this order and used the resulting file as ssl_cert in dovecot. The only other two SSL settings I have are ssl=required and ssl_key = </path

Has anybody had this issue before and come up with a solution?

Max

1 Answer

Your problem is your CA: StartSSL.

Their certificates are nothing but a waste of electrons since this year, because Apple, Google and Mozilla don't trust them anymore out of the box, and others will surely follow.

https://linustechtips.com/main/topic/688200-apple-google-and-mozilla-disavow-wosign-and-startcom-certificates/

Marc Stürmer
  • So something like https://letsencrypt.org/ would be a better substitute, despite their certs being limited to 90 days. – Criggie Jan 30 '17 at 02:11
  • Thanks! I already changed all certificates to letsencrypt and it works like a charm. Hopefully Apple won't untrust them too in one of the next updates. Regarding the 90 days expiration I will create an automation script that will run every 2 months or so. – Max Jan 30 '17 at 02:36
  • @Max Let's Encrypt is quite unlikely to engage in the sort of fraud we saw out of StartCom/WoSign. – Michael Hampton Jan 30 '17 at 03:07
  • @MichaelHampton Nobody is above suspicion. We can certainly hope Let's Encrypt will stay honest, but I wouldn't assign likelihoods to this. – DepressedDaniel Jan 30 '17 at 03:14
  • @DepressedDaniel LE has every indication of operating as a reputable, positive actor. StartSSL was problematic for years before getting caught, including stuff like charging for Heartbleed revocations. It's entirely possible to assign *likelihoods*. – ceejayoz Jan 30 '17 at 03:24
  • @Max Let's Encrypt is designed to be automated. (I haven't delved into details.) – user253751 Jan 30 '17 at 09:56
  • @Ángel Old StartSSL, you mean? Fraud started under WoSign. Shitty practices like charging for the Heartbleed revocations were before that, though. (Heartbleed hit in 2014; WoSign secretly bought them in 2015.) – ceejayoz Jan 30 '17 at 12:57
  • Has MS said if they're planning to yank the offending CAs from the Windows certificate store? At this point it seems odd for them not to, as with Apple, Google, and Mozilla (among others) distrusting them no legit business will be able to use them any longer. But that doesn't protect IE/Edge users from malicious entities using them. – Dan Is Fiddling By Firelight Jan 30 '17 at 15:56
  • (reposting the comment with the fixed name) @ceejayoz that [charging for the Heartbleed revocations] was the old StartSSL; the fraudulent issuances only appeared after it was (silently) acquired by WoSign. – Ángel Jan 30 '17 at 16:56
  • @Ángel Yes, and I'm saying that's indicative of StartSSL having a long history of bad behavior even before the acquisition. – ceejayoz Jan 30 '17 at 16:58
  • We are staying off topic a bit, but... The charging for Heartbleed revocations is quite different: bad in terms of customer care but not a breach of anything (when you sign up the cost of revocations isn't actively hidden, and Heartbleed wasn't any fault of StartSSL's). The more recent behaviour that resulted in action by the browser makers was a breach (or multiple breaches) of the trust model of SSL. – David Spillett Jan 30 '17 at 17:15
  • @Max Better than renewing them every 2 months would be to check when they expire and then renew them in time. This way Let's Encrypt has a smaller load on their servers. I can recommend this script for doing that. It also stages the certificate, so your clients won't run into problems when their system clock is off. https://github.com/albocc/LetsEncrypt-Smart-Renewal-with-Staging. The script requires a bit of preparation but works great for me. – comfreak Jan 30 '17 at 18:03
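The following is an added example and not code from the question, the answer or any project mentioned in the thread. It exercises the two things the discussion touches on: that a PEM bundle assembled in the order the question describes (server certificate, then intermediate, then root) actually starts with the certificate the private key belongs to and validates as a chain, and that renewal is decided by remaining lifetime rather than a fixed "every two months" schedule, as the last comment suggests. It assumes only that openssl is on PATH; the root, intermediate and server certificate (for the made-up host mail.example.test) are generated in a temporary directory, so nothing here talks to a real CA or server.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throw-away PKI, assembles
# a Dovecot-style bundle (server cert, intermediate, root) and checks it the way
# you would before pointing ssl_cert = <bundle.pem / ssl_key = <leaf.key at it.
# Assumption: openssl (1.1.1 or later) is on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="mail.example.test"   # constructed hostname for the example

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:${HOST}
EOF

# Constructed test PKI: root -> intermediate -> server cert valid for $1 days.
gen_test_pki() {
    leaf_days="$1"
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Test Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Test Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/openssl.cnf" -extensions v3_ca \
        -out "$WORK/int.pem" >/dev/null 2>&1
    openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days "$leaf_days" -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Bundle in the order the question uses: server cert, intermediate, root.
# (Clients already hold the root; shipping it only costs bytes per handshake.)
build_bundle() {
    cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/bundle.pem"
}

# Dovecot pairs ssl_key with the FIRST certificate in ssl_cert. openssl x509
# reads only the first PEM block, which is exactly the thing to compare.
cert_matches_key() {   # $1 bundle, $2 private key; exit 0 when they belong together
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Validate the first cert against a trust store, taking intermediates from the
# bundle itself. Note this only proves the chain is well-formed against the
# store you supply; it cannot tell you that Apple's or Mozilla's store still
# trusts the CA, which was the real problem in the question.
chain_valid() {        # $1 bundle, $2 trusted root file; exit 0 when the chain verifies
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Renewal is due when the first cert expires within $2 days (exit 0 = due).
# -checkend exits 0 if the cert is still valid after the given number of seconds.
renewal_due() {        # $1 bundle, $2 days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demonstration: a server cert with 20 days left, checked against a 30-day policy.
gen_test_pki 20
build_bundle
if cert_matches_key "$WORK/bundle.pem" "$WORK/leaf.key"; then
    echo "bundle starts with the certificate matching leaf.key"
fi
if chain_valid "$WORK/bundle.pem" "$WORK/root.pem"; then
    echo "chain validates against the test root"
fi
if renewal_due "$WORK/bundle.pem" 30; then
    echo "renewal due: fewer than 30 days of validity left"
fi
```

Run it as-is to see the three checks pass against the generated PKI; swap the three generated paths for your real bundle, key and CA file to use the functions on a live deployment. The renewal check is the piece to wire into cron: call `renewal_due` daily and only invoke your ACME client when it exits 0, which is the "renew in time instead of on a fixed schedule" behaviour the last comment recommends.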