Hi Wietse,

It's been a very long time since we communicated.

This from SSL Labs states "self-signed":

Path #1: Not trusted (path does not chain to a trusted anchor)

1  Sent by server
   mcq.sbanetweb.com
   Fingerprint SHA256: 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
   Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
   RSA 2048 bits (e 65537) / SHA256withRSA
2  Sent by server
   Not in trust store
   mcq.sbanetweb.com Self-signed
   Fingerprint SHA256: 1ff50fe2d898b639ee07e668b4a4acf5c3f878539a24be6edc3cc011991a9db3
   Pin SHA256: 2gJ7C4jfxgMQJMF09EznMu8UGd5sdBmQDyPrv5pIcHU=
   RSA 4096 bits (e 65537) / SHA256withRSA

If it is an Intermediate, I refer to my original email, "where am I going wrong".

Thank you!

Wayne

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Wietse Venema
Sent: Wednesday, January 19, 2022 1:03 PM
To: Wayne Spivak <[email protected]>
Cc: [email protected]
Subject: Re: TLS returning self-signed cert

Wayne Spivak:
> My Postfix Server 3.6.2 running on a newly created Fedora 35 is
> returning self-signed SSL certs, where none were configured.

Why do you believe that this is a self-signed certificate? Isn't this
an issue where the server returns a leaf certificate without
intermediate certificates?

Wietse

> We're using a multi-cert Entrust certificate. All domains on the box
> get email from one single mx domain.
>
> To be clear TLS works, but if I run SSL Labs report it comes back as
> Not being Trusted.
>
> Running CheckTLS.com, this is the error
>
> Certificate #1 of 1 (sent by MX):
> Cert VALIDATION ERROR(S): unable to get local issuer
> certificate This may help: What Is An Intermediate Certificate
> So email is encrypted but the recipient domain is not verified
> ...
> TLS successfully started on this server
>
> I have all files in the same directory, ServerCert.pem (from Entrust),
> Bundle2.crt (from Entrust), CA-combines (private key/Server Cert).
>
> No other file is configured in either Dovecot 2.3.17.1 (476cd46418)
> points to the same directory and files.
>
> The Cert serial number is coming back wrong using SSL Labs, but a web
> site (on same server) returns the correct serial number (remember
> everything points to the same files)
>
> I've confirmed the Cert is correct and the private key as well.
>
> I've tried changing the CAFile to include/not include Server
> Certificate, Intermediate, Root, Private Key and either TLS dies, or
> it "works", but the above error is obtained.
>
> I'm at a dead-end as far as researching the error goes.
>
> Where am I going wrong..
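
The SSL Labs listing and Wietse's question both come down to which certificates are in the PEM file the server sends, and in what order. The following is an added example, not part of the thread: a shell function that lists the certificates in a PEM file in file order and checks that each certificate's issuer is the subject of the next one. It assumes the openssl CLI is installed; the function name and return codes are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Requires the openssl CLI.
# chain_audit FILE: list each certificate in a PEM file in file order and
# check name chaining only (signatures are NOT verified).
# Returns 0 = leaf followed by linked issuer certificate(s)
#         1 = a single certificate only (no intermediates in the file)
#         2 = issuer of one certificate is not the subject of the next
#         3 = first certificate is self-issued (subject == issuer)
#         4 = no certificate found
chain_audit() {
    local file=$1 tmp c n=0 subj iss prev_iss="" rc=0
    tmp=$(mktemp -d) || return 4
    # One file per CERTIFICATE block; private keys and other text are skipped.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$file"
    for c in "$tmp"/*.pem; do
        [ -e "$c" ] || break
        n=$((n + 1))
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%d subject: %s\n  issuer:  %s\n' "$n" "$subj" "$iss"
        if [ "$subj" = "$iss" ]; then
            printf '  self-issued\n'
            [ "$n" -eq 1 ] && rc=3
        fi
        if [ "$n" -gt 1 ] && [ "$prev_iss" != "$subj" ] && [ "$rc" -eq 0 ]; then
            printf '  break: certificate %d was issued by "%s"\n' "$((n - 1))" "$prev_iss"
            rc=2
        fi
        prev_iss=$iss
    done
    rm -rf "$tmp"
    [ "$n" -eq 0 ] && return 4
    [ "$n" -eq 1 ] && [ "$rc" -eq 0 ] && return 1
    return "$rc"
}
```

A result of 2 with a self-issued second entry matches the shape of the SSL Labs listing above: a leaf followed by a certificate that did not issue it.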
