Usually with LE, the filename is fullchain.pem, not chain.pem. Can you please doublecheck this?
Also, try openssl s_client -connect hostname:143 -starttls imap Aki > On February 17, 2017 at 10:31 PM Bastian Sebode <[email protected]> > wrote: > > > Hey Robert, > > thanks for your reply. > > Am 17.02.2017 um 19:28 schrieb Robert L Mathews: > > Looking at your dovecot -n, you're using two different files here: > > > > ssl_cert = </etc/ssl/sebode-online.de/chain.pem > > ssl_key = </etc/ssl/sebode-online.de/key.pem > > > > Are you sure these two files match, and contain the right things in the > > right order? > > > Yes, unfortunately I'm sure that everything has the right order. As you > can see in the trace, both certificates (mine and the intermediate) get > transferred to the client on connection. > > > We use a single PEM file as input for both of these parameters, and that > > PEM file contains, in this order: > > > > -----BEGIN RSA PRIVATE KEY----- > > ... > > -----BEGIN CERTIFICATE----- > > ... > > -----BEGIN CERTIFICATE----- > > > > ... where the first BEGIN CERTIFICATE is the specific hostname one, and > > the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate > > certificate that ends with "DNFu0Qg==". > > > Tried that, but without success. But your usage doesn't seem right to > me. The parameters are not called ssl_cert and ssl_key for nothing. ;-) > Normally you don't want your private key to have any other permissions > than 600. > > > You're also manually specifying these non-default parameters: > > > > ssl_cipher_list = ... > > ssl_prefer_server_ciphers = yes > > ssl_protocols = !SSLv2 !SSLv3 > > > > For testing, I would simplify. Does it work without any of those three > > things set? > > > Tried this before. I set all SSL specific settings exactly like my > friend where it works without a problem. But it doesn't work for me. > > Thanks anyway for your effort! > Bastian > -- > Bastian Sebode > Fachinformatiker Systemintegration > > LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig > Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de > > LINET in den sozialen Netzwerken: > www.twitter.com/linetservices | www.facebook.com/linetservices > Wissenswertes aus der IT-Welt: www.linet-services.de/blog/ > > Geschäftsführung: Timo Springmann, Mirko Savic und Moritz Bunkus > HR B 9170 Amtsgericht Braunschweig > > USt-IdNr. DE 259 526 516
