Intermediate SSL chains in reverse order

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.3
Webmin version: 2.111
Virtualmin version: 7.10.0
Related packages: SUGGESTED

So, when you have multiple chain certificates, which occurred now with AlphaSSL certificates.

Apache wants certificates in following order:

your cert → interm 1 → interm 2 → root cert

but Postfix wants them:

root cert → interm 2 → interm 1 → your cert.

Currently if you paste multiple certs in SSL CA on the CA Certificate tab, and use it for
other services, everything will work, but Postfix will not work properly
until you reverse order of certificates as explained above.

You can test your chain with sslyze for example

sslyze your-server:port (can be 443); first validate your chain with some tool like:

then run sslyze example.com:443 and then run it on 465 to identify a broken chain;
after re-arranging the intermediate chain and restarting Postfix, try again, it will work,
and email clients like Gmail will be able to use the server again.
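As an added example (not from this thread and not Virtualmin's own code), here is a small Python script for checking what order a pasted bundle is actually in before you hand it to each service. It takes the `subject=` / `issuer=` lines that `openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout` prints for a bundle, reports whether the bundle as pasted is leaf-first, root-first, or broken (an adjacent pair whose issuer/subject names do not link), and rewrites the PEM bundle in either direction so the same set of certificates can be given to Apache and to Postfix in whichever order each is observed to accept. The subject/issuer lines and the PEM blocks in `SAMPLE_BUNDLE` are constructed placeholders, not real certificates; the function names are my own.

```python
import re
from typing import List, Tuple

Cert = Tuple[str, str]  # (subject, issuer) as printed by openssl

# Constructed sample: what `openssl pkcs7 -print_certs -noout` prints for a
# four-certificate bundle pasted root-first (the order the post used for Postfix).
SAMPLE_PRINT_CERTS = """\
subject=C = US, O = Example Trust, CN = Example Root CA
issuer=C = US, O = Example Trust, CN = Example Root CA

subject=C = US, O = Example Trust, CN = Example Intermediate 2
issuer=C = US, O = Example Trust, CN = Example Root CA

subject=C = US, O = Example Trust, CN = Example Intermediate 1
issuer=C = US, O = Example Trust, CN = Example Intermediate 2

subject=CN = mail.example.com
issuer=C = US, O = Example Trust, CN = Example Intermediate 1
"""

# Constructed placeholder PEM blocks in the same (root-first) file order.
# The bodies are labels, not base64 DER; only the block order matters here.
SAMPLE_BUNDLE = "".join(
    f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"
    for label in ("ROOT-PLACEHOLDER", "INTERMEDIATE-2-PLACEHOLDER",
                  "INTERMEDIATE-1-PLACEHOLDER", "LEAF-PLACEHOLDER"))

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_print_certs(text: str) -> List[Cert]:
    """Pair each 'subject=' line with the 'issuer=' line that follows it, in file order."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs


def classify_order(certs: List[Cert]) -> str:
    """'leaf-first' if each cert's issuer is the next cert's subject,
    'root-first' if each cert's issuer is the previous cert's subject,
    otherwise 'broken' (a gap or a misplaced intermediate)."""
    if len(certs) < 2:
        return "single"
    forward = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    backward = all(certs[i][1] == certs[i - 1][0] for i in range(1, len(certs)))
    if forward:
        return "leaf-first"
    if backward:
        return "root-first"
    return "broken"


def chain_leaf_first(certs: List[Cert]) -> List[Cert]:
    """Rebuild the chain by following issuer links, whatever order it was pasted in.
    The leaf is the one cert whose subject is not the issuer of any other cert."""
    by_subject = {s: (s, i) for s, i in certs}
    issuers = {i for s, i in certs if s != i}  # ignore a self-signed root's own link
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered, seen = [leaves[0]], {leaves[0][0]}
    while True:
        subject, issuer = ordered[-1]
        if issuer == subject:            # reached a self-signed root
            break
        nxt = by_subject.get(issuer)
        if nxt is None:                  # issuer not in bundle (root omitted, or a gap)
            break
        if nxt[0] in seen:
            raise ValueError("cycle in certificate chain")
        ordered.append(nxt)
        seen.add(nxt[0])
    return ordered


def reorder_bundle(pem_text: str, certs: List[Cert], leaf_first: bool = True) -> str:
    """Rewrite a PEM bundle leaf-first or root-first. `certs` must be the
    parse_print_certs() output for the same file, so PEM block i matches certs[i]."""
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != len(certs):
        raise ValueError("PEM block count does not match parsed certificate metadata")
    index_of = {subject: i for i, (subject, _) in enumerate(certs)}
    ordered = chain_leaf_first(certs)
    if not leaf_first:
        ordered = list(reversed(ordered))
    return "\n".join(blocks[index_of[s]] for s, _ in ordered) + "\n"


if __name__ == "__main__":
    parsed = parse_print_certs(SAMPLE_PRINT_CERTS)
    print("pasted order:", classify_order(parsed))
    for s, _ in chain_leaf_first(parsed):
        print("  ", s)
```

After writing the reordered file and restarting the service, confirm what the server actually sends rather than what is on disk: the poster's `sslyze host:443` and `sslyze host:465` do this, and so does `openssl s_client -connect host:465 -showcerts` (for port 587 add `-starttls smtp`), whose output lists the chain in the order presented and flags any verify error.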

So this is actually a bug report…

Hmm. Is this about SNI? In main.cf, do you see tls_server_sni_maps and if so, what does it say?

Hi, nothing to do with SNI,

it’s just about SSL and the way how Postfix wants SSL packed when there is more than 1 intermediate…

As explained above, it only worked when sorted in the opposite way from sorting them for Apache…

The thing is I had to use AlphaSSL, which is issued with the newest root, so I had to use 3 intermediate certificates instead of 1.

So for any kind of testing purposes it needs more than 1 intermediate, and needs testing on all 3 servers which use them: Apache, Dovecot and Postfix (keep in mind what I had to do to make Postfix work).

Ok, thanks for the update.

Is there consensus that this should be treated as a bug?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.