postfix-users May 2014 archive

ECDSA chain cert not working

From: SW <postfix_at_nospam>
Date: Mon May 12 2014 - 15:43:27 GMT
To: postfix-users@postfix.org

Yesterday I had my SSL certificate re-issued. I now have two
certificates for the same domain. One has an RSA signature and the new
one I received yesterday uses ECDSA. I enabled the ECDSA certificate in
Dovecot and Apache and those services are working great.

In Postfix I have enabled two certificates (RSA and ECDSA). To enable
the ECDSA cert I added the following to my main.cf:

    smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
    smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key

When I received the ECDSA cert from Comodo I had the following files:

  * AddTrustExternalCARoot.crt
  * COMODOECCAddTrustCA.crt
  * COMODOECCDomainValidationSecureServerCA.crt
  * mail.domain.com.crt

To create the chained file for use in Postfix I ran:
    cat mail.domain.com.crt COMODOECCDomainValidationSecureServerCA.crt \
        COMODOECCAddTrustCA.crt > mail.domain.com.chained.postfix.ecdsa.crt

The problem is, when I restart postfix and test with:
    openssl s_client -connect mail.domain.com:25 -crlf -starttls smtp \
        -CAfile /usr/local/openssl/certs/AddTrustExternalCARoot.crt

it says:

    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.domain.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
      0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
        i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
      1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
        i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
      2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
        i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

    ....

        Verify return code: 21 (unable to verify the first certificate)

If I comment out:

    #smtpd_tls_eccert_file = /usr/local/openssl/certs/mail.domain.com.chained.postfix.ecdsa.crt
    #smtpd_tls_eckey_file = /usr/local/openssl/certs/mail.domain.com.ecdsa.key

and restart Postfix again and run another OpenSSL test, it is all fine
with the RSA cert:

    Verify return code: 0 (ok)

So the question is, how do I get this new ECDSA certificate to work in
Postfix, and why doesn't it like the chain file I have created? It looks
like it's using the RSA certificate in the chain for the ECDSA
certificate, which is confusing! In case anyone's wondering, Postfix does
support running more than one certificate at once. See here:
http://postfix.cs.utah.edu/TLS_README.html.

    RSA, DSA and ECDSA (Postfix ≥ 2.6) certificates are supported. You
    can configure all three at the same time, in which case the cipher
    used determines which certificate is presented.

I am running the latest version of Postfix and OpenSSL on FreeBSD 10-STABLE.

Any ideas? My Dovecot and Apache ECDSA certificate and chain verify just
fine, as does the chain file used in Postfix with my RSA certificate. It's
just the ECDSA one in Postfix I am battling with.

I would appreciate any help!
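The chain printed by `openssl s_client` above can be checked mechanically: at every depth n, the issuer of certificate n must be the subject of certificate n+1, and the leaf at depth 0 names the COMODO RSA intermediate as its issuer while depth 1 is the COMODO ECC intermediate, which is what verify error 21 is complaining about. The script below is an added example, not part of the post; it parses that "Certificate chain" block (re-typed here with the line wrapping removed) and reports every link where issuer and next subject disagree.

```python
import re

# Constructed sample: the "Certificate chain" block from the s_client run
# in the post, with the archive's line wrapping removed.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

# " 0 s:<subject>" starts an entry, "   i:<issuer>" completes it.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return (subject, issuer) pairs in the order the server sent them."""
    certs = []
    subject = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            certs.append((subject, m.group(1).strip()))
            subject = None
    return certs


def find_broken_links(certs):
    """Return (depth, issuer, next_subject) for every depth whose issuer
    is not the subject of the certificate that follows it."""
    broken = []
    for n in range(len(certs) - 1):
        issuer = certs[n][1]
        next_subject = certs[n + 1][0]
        if issuer != next_subject:
            broken.append((n, issuer, next_subject))
    return broken


if __name__ == "__main__":
    for depth, issuer, nxt in find_broken_links(parse_chain(SAMPLE_CHAIN)):
        print(f"depth {depth}: issued by '{issuer}', but depth {depth + 1} is '{nxt}'")
```

Feed it the output of a live `openssl s_client` run instead of the sample to check a real chain file before deploying it.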