Dovecot SSL Certificate is not accepted
I have certificates issued from StartSSL, which is a trusted authority for certificates, and my websites work with its certificates with no problems and no complaints from all browsers about any trust issues.
Now I wanted to have the same programmed in Dovecot to have my e-mails received with certified SSL. So I use IMAP to get my mail, say through the address mail.myweb.com. I went to StartSSL, and issued a certificate for that subdomain (which is what I always do to obtain for any subdomain I wanna have with SSL through the Apache server).
Now I took that certificate, and defined that to be the certificate I wanna use for that domain name (using SNI) on Dovecot by adding the following to dovecot.conf:
    local_name mail.myweb.com {
      ssl_cert = </path/to/certificate/ssl.crt
      ssl_key = </path/to/privatekey/priv.key
    }
While this process works perfectly fine on an Apache server, and I get my browsers happy with a green padlock with no signature problems on my certificates, Thunderbird insisted that I confirm this certificate as an exception.
I confirmed that the certificate Thunderbird is receiving is the correct one by looking into the details of the certificate.
What could the reason be? Is Thunderbird just paranoid and I must buy a certificate?
If you require any additional information, please let me know.
Thank you.
You're probably missing the intermediate certificate.
AFAIK Dovecot does not have a chain certificate option as you have in, for instance, Apache; you need to concatenate the intermediate certificate into a single file with your public certificate:
- The signed certificate for your domain
- Intermediate CA cert
- Root CA cert
Get the correct intermediate certificate from http://www.startssl.com/certs/ (possibly sub.class1.server.ca.pem) and then, for instance:
    cp /path/to/certificate/ssl.crt dovecot.crt
    cat sub.class1.server.ca.pem >> dovecot.crt
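
Why the leaf-only file is rejected and the concatenated one is accepted, as an added example that is not part of the original question or answer: it builds a throwaway root, intermediate and leaf with openssl (all names and files are constructed, standing in for the StartSSL hierarchy) and validates both files as a client that trusts only the root.

```sh
#!/bin/sh
# Added example, constructed data: throwaway root -> intermediate -> leaf chain
# standing in for the StartSSL hierarchy. All names and files are made up.

# mkreq DIR NAME CN: create a new key and certificate request.
mkreq() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_demo_pki DIR: writes root.pem, sub.pem (intermediate), ssl.crt (leaf).
build_demo_pki() {
    d=$1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
    mkreq "$d" root 'Constructed Root CA' &&
    mkreq "$d" sub 'Constructed Intermediate CA' &&
    mkreq "$d" leaf 'mail.myweb.com' &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/ssl.crt" 2>/dev/null
}

# client_accepts ROOT SERVED: validate the first certificate in SERVED as a
# client that trusts only ROOT would; the other certificates in SERVED are the
# chain the server sent along with it.
client_accepts() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; return 1; }
    # File as configured in the question: leaf certificate only.
    if client_accepts "$d/root.pem" "$d/ssl.crt"; then a=accepted; else a=rejected; fi
    # File built as in the answer: leaf first, then the intermediate.
    cp "$d/ssl.crt" "$d/dovecot.crt"
    cat "$d/sub.pem" >> "$d/dovecot.crt"
    if client_accepts "$d/root.pem" "$d/dovecot.crt"; then b=accepted; else b=rejected; fi
    rm -rf "$d"
    echo "leaf-only=$a leaf+intermediate=$b"
}

demo
```

To see what the running server actually sends, `openssl s_client -connect mail.myweb.com:993 -servername mail.myweb.com -showcerts` lists every certificate in the handshake; after the fix it should show the intermediate after the leaf.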