Промежуточный сертификат для Let's Encrypt
Я установил шифрование Let's Encrypt на своем сервере, а затем пошло руководство по настройке почтового сервера (dovecot и postfix) на том же сервере (сервер ubuntu 16.04 с nginx). В процессе я также создал два адреса электронной почты для этого домена, которые я надеялся использовать через почтовый клиент Mail. Однако я получаю сообщение об ошибке «Не удается проверить имя или пароль учетной записи», и на http://www.checktls.com/perl/TestReceiver.pl я получаю следующую ошибку:
[001.075] Cert NOT VALIDATED: unable to get local issuer certificate
[001.075] this may help: What Is An Intermediate Certificate
[001.075] So email is encrypted but the domain is not verified
[001.075] ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075] Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076] So email is encrypted but the host is not verified
Весь отчет:
seconds test stage and result
[000.123] Connected to server
[000.437] <-- 220 ubuntu-512mb-fra1-01.mysite.com ESMTP Postfix (Ubuntu)
[000.437] We are allowed to connect
[000.438] --> EHLO checktls.com
[000.558] <-- 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.558] We can use this server
[000.559] TLS is an option on this server
[000.559] --> STARTTLS
[000.679] <-- 220 2.0.0 Ready to start TLS
[000.680] STARTTLS command works on this server
[000.947] ssl : new ctx 140396633279344
: start handshake
: ssl handshake not started
: not using SNI because hostname is unknown
: set socket to non-blocking to enforce timeout=30
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> 1
: ssl handshake done
[000.949] SSLVersion in use: TLSv1.2
[000.949] Cipher in use: ECDHE-RSA-AES128-SHA256
[000.950] Connection converted to SSL
[000.979]
Certificate 1 of 3 in chain:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
Signature Algorithm: sha256WithRSAEncryption
Issuer:
countryName = US
organizationName = Let's Encrypt
commonName = Let's Encrypt Authority X3
Validity
Not Before: Oct 29 10:33:00 2016 GMT
Not After : Jan 27 10:33:00 2017 GMT
Subject:
commonName = mysite.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
03:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:mysite.com, DNS:www.mysite.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----
[001.005]
Certificate 2 of 3 in chain:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
Signature Algorithm: sha256WithRSAEncryption
Issuer:
countryName = US
organizationName = Let's Encrypt
commonName = Let's Encrypt Authority X3
Validity
Not Before: Oct 29 10:33:00 2016 GMT
Not After : Jan 27 10:33:00 2017 GMT
Subject:
commonName = mysite.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
03:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:mysite.com, DNS:www.mysite.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----
[001.074]
Certificate 3 of 3 in chain:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
Signature Algorithm: sha256WithRSAEncryption
Issuer:
countryName = US
organizationName = Let's Encrypt
commonName = Let's Encrypt Authority X3
Validity
Not Before: Oct 29 10:33:00 2016 GMT
Not After : Jan 27 10:33:00 2017 GMT
Subject:
commonName = mysite.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
03:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:mysite.com, DNS:www.mysite.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
36:7e:d3:1e
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----
[001.075] Cert NOT VALIDATED: unable to get local issuer certificate
[001.075] this may help: What Is An Intermediate Certificate
[001.075] So email is encrypted but the domain is not verified
[001.075] ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075] Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076] So email is encrypted but the host is not verified
[001.076] ~~> EHLO checktls.com
[001.077] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.197] <~~ 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.198] TLS successfully started on this server
[001.198] ~~> MAIL FROM:<test@checktls.com>
[001.199] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `MAIL FROM:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.332] <~~ 250 2.1.0 Ok
[001.333] Sender is OK
[001.333] ~~> RCPT TO:<myuser@mysite.com>
[001.335] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `RCPT TO:
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.470] <~~ 250 2.1.5 Ok
[001.471] Recipient OK, E-mail address proofed
[001.471] ~~> QUIT
[001.473] ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial `QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.592] <~~ 221 2.0.0 Bye
[001.595] ssl : free ctx 140396633279344 open=140396633279344
: free ctx 140396633279344 callback
Насколько я могу судить, проблема в реализация сертификата. Что я могу предпринять для решения этой проблемы?
2
задан user3026192
31 October 2016 в 17:27
Ссылка
2 ответа
Глядя на
, не использующий SNI, потому что имя хоста неизвестно
, после этого вижу имя хоста, с которым проверяется соединение с
ubuntu-512mb-fra1-01 .mysite.com
и
commonName = mysite.com
и
**X509v3 Subject Alternative Name:
DNS:mysite.com, DNS:www.mysite.com**
.... Я заметил : CN и имя хоста подключенного сервера разные и
Во-вторых ] все сертификаты в цепочке одинаковые
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----
И поэтому проверка не выполняется.
2
Моё имя хоста - vegas, и я использую такие сертификаты LE:
Запросить сертификат от LE:
/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email letsencrypt@jacobdevans.com --keep-until-expiring --webroot -w /usr/share/nginx/html --rsa-key-size 4096 -d vegas.jacobdevans.com --renew-by-default
Содержание /etc/postfix/main.cf | grep vegas
smtp_tls_cert_file = /etc/letsencrypt/live/vegas.jacobdevans.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/vegas.jacobdevans.com/privkey.pem
SNI не поддерживается в postfix (только https), поэтому я бы выделил одно имя хоста вашему mta или добавил его в сертификат SANs.
Всегда используйте fullchain.pem.
1