On Tue, Mar 19, 2024 at 09:45:37PM -0700, Ian Z via Exim-users wrote:
> On Tue, Mar 19, 2024 at 11:40:05PM -0400, Jerry Stuckle via Exim-users wrote:
>
> > I got a free SSL certificate but am having problems implementing it.
> > It came as certificate.crt and private.key. It also contained
> > ca_bundle.crt.
>
> > I point tls_certificate and tls_privatekey to the appropriate files
> > and this works fine. However, without the ca_bundle.crt file MUAs
> > think this is a self-signed certificate.
>
> > I'm having problems trying to get the ca_bundle.crt part of the
> > whole shebang. I tried concatenating certificate.crt to
> > ca_bundle.crt but that gave me an "invalid certificate" error.
>
> My guess: ca_bundle.crt already contains certificate.crt as a substring,
> i.e. it is what the web world terms "fullchain" certificate. You can check
> this with the naked eye.
Quite unlikely; more typically it would contain the relevant issuing
CAs, though likely more than just the one or two required.
The OP's problem is the order of concatenation. In PEM "chain" files the
leaf (server) certificate goes first.
Posting the output of the below will help identify just the required certs:
$ openssl x509 -in certificate.crt -noout -subject -issuer
$ openssl crl2pkcs7 -nocrl -certfile ca_bundle.crt |
openssl pkcs7 -print_certs -noout
This will list the issuer/subject pairs of all the certificates, and
perhaps much of the bundle can and should be left out, keeping only the
immediate issuer of the server certificate and perhaps one or two more
layers of intermediate CAs in increasingly less common cases.
--
Viktor.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
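As an added example (not code from the thread or from Exim), the ordering rule Viktor describes done in plain Python with no external libraries: read certificate.crt and ca_bundle.crt, put the leaf first, then append only the bundle certificate whose subject matches the previous issuer, stopping before the self-signed root. The stand-in certificates, the CA names and the file names are constructed for the example; names are compared as raw DER bytes, which is sufficient for a CA-supplied bundle.

```python
import base64, re
def _tlv(buf, pos):  # one DER tag/length at pos -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: next (ln & 0x7F) bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, pos, pos + ln

def names(der):  # (issuer, subject) of a DER certificate, as raw Name TLV bytes
    p = _tlv(der, _tlv(der, 0)[1])[1]       # Certificate -> tbsCertificate -> first field
    tag, _, e = _tlv(der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = e
    for _ in range(2):                      # skip serialNumber and signature algorithm
        _, _, p = _tlv(der, p)
    _, _, e = _tlv(der, p); issuer, p = der[p:e], e
    _, _, p = _tlv(der, p)                  # skip validity
    _, _, e = _tlv(der, p)                  # subject
    return issuer, der[p:e]

def pem_certs(text):  # PEM file contents -> [(pem_text, der_bytes)]
    pat = r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----"
    return [(m.group(0) + "\n", base64.b64decode("".join(m.group(1).split())))
            for m in re.finditer(pat, text, re.S)]

def build_chain(leaf_pem, bundle_pem):
    """Leaf first, then each issuer found in the bundle; the self-signed root is left out."""
    leaf, leaf_der = pem_certs(leaf_pem)[0]
    by_subject = {names(d)[1]: (p, d) for p, d in pem_certs(bundle_pem)}
    chain, issuer = [leaf], names(leaf_der)[0]
    while issuer in by_subject:
        pem, der = by_subject.pop(issuer)
        issuer, subject = names(der)
        if issuer == subject:               # root: clients must already trust it
            break
        chain.append(pem)
    return chain

# Constructed stand-ins (only the fields names() walks, no signature, short DER lengths),
# so the example runs without real certificate.crt / ca_bundle.crt files.
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

if __name__ == "__main__":  # bundle holds the root and an unrelated CA as well as the real issuer
    leaf = fake_cert("mail.example.test", "Example Issuing CA")
    bundle = "".join(fake_cert(s, "Example Root CA") for s in ("Example Root CA", "Other CA", "Example Issuing CA"))
    print("".join(build_chain(leaf, bundle)))  # prints the leaf, then Example Issuing CA only
```

With real files, `"".join(build_chain(open("certificate.crt").read(), open("ca_bundle.crt").read()))` is the content to write into the file that tls_certificate points at; `openssl verify -untrusted` against that file confirms the order.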