Postfix and OpenSSL: "unable to get local issuer certificate"

I bought a certificate for my mail server and configured it in Postfix as follows:

    smtpd_tls_security_level=may
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_cert_file = /somepath/chain.crt
    smtpd_tls_key_file = /somepath/myserver.key

I created chain.crt as the Postfix documentation instructs, by concatenating my certificate and the two intermediate CA certificates. (To be precise: my own certificate, then COMODORSADomainValidationSecureServerCA.crt, then COMODORSAAddTrustCA.crt.) According to the logs, most connections to my mail server are now encrypted, so everything seems to work.

However, when I connect to the server with openssl s_client -connect mail.example.com:25 -starttls smtp I get the following output, which seems to indicate that something is wrong:

    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    8<
    -----END CERTIFICATE-----
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 5217 bytes and written 489 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: B2736D2B1639153CB8379480ACDBC1F0B1DCC51DE7CC27DA59061740F0186EA1
        Session-ID-ctx:
        Master-Key: 9EE658D6B1835F94D140E7BBF05A5A8960566584A8BC6FF40DD5D038C70127A63BAB580A41BC55DEEA3C031FCC7FA550
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 3600 (seconds)
        TLS session ticket:
        0000 - 09 8a 6d 68 70 0c 64 c0-23 2e fc f2 d4 21 ca bd   ..mhp.d.#....!..
        0010 - 0a 15 4f 36 06 a8 ea f9-e2 84 de 18 cf 31 af 77   ..O6.........1.w
        0020 - 2a a1 98 d5 f8 df 54 48-82 68 cb c3 91 9b 38 60   *.....TH.h....8`
        0030 - dc 2e 18 f4 b9 bd 43 3e-26 cf 80 49 48 bb a4 98   ......C>&..IH...
        0040 - bc 94 7d 1e 5f 51 7e 52-d6 ad 7f 8b e5 36 ee 55   ..}._Q~R.....6.U
        0050 - 7a bb 15 d3 c2 7f b2 f4-5a 85 a5 80 1b 9e 67 98   z.......Z.....g.
        0060 - 3a 2f 5c d1 34 d5 bb 11-c7 8f fc 10 cb c3 b4 cb   :/\.4...........
        0070 - 49 61 41 ac aa b1 cb eb-6f 7a 22 e5 79 a2 c6 1f   IaA.....oz".y...
        0080 - 98 25 39 f0 f0 79 b4 ee-95 72 93 04 0f a2 f3 69   .%9..y...r.....i
        0090 - 8f 8a 86 c6 8f a5 38 ed-25 ba fc c8 db 6b 9a 8e   ......8.%....k..
        00a0 - 13 1e e5 c6 28 98 e4 17-ce 69 d5 c2 aa 1a de 4b   ....(....i.....K

        Compression: 1 (zlib compression)
        Start Time: 1400131328
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---

Also, when running openssl verify chain.crt I get the same error message:

    chain.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

I have tried appending AddTrustExternalCARoot.crt to the end of chain.crt, which changes the error message to verify error:num=19:self signed certificate in certificate chain. Also, the machine I am connecting from already has this certificate installed, so it should not be needed.

So my question is: is there something wrong with my mail server, or am I simply using the openssl command incorrectly? Should I include the root certificate in the chain?

It sounds like you have installed it correctly, but your verification step is wrong. OpenSSL does not know where to look for root certificates unless you tell it explicitly.

Try openssl s_client -connect mail.example.com:25 -starttls smtp -CApath /etc/ssl/certs instead. That should work.
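To see both error codes from the thread side by side with the working verification, here is an added example (not code from the question or the answer) that builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI and runs openssl verify against it three ways. It assumes OpenSSL 1.1.1 or newer on PATH; all certificate names are made up.

```shell
#!/bin/sh
# Added example, not from the question or answer: reproduce verify errors 20 and 19
# with a throwaway PKI, then show the verification that succeeds once OpenSSL is told
# where the root certificate is. Assumes openssl >= 1.1.1; all names are made up.
set -eu

# Generate root, intermediate and leaf certificates in a fresh scratch directory.
# The other functions use the relative file names created here, so run this first.
make_test_pki() {
  cd "$(mktemp -d)"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  # Root CA: self-signed, carrying only the extensions from ca.ext.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -days 2 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out inter.crt 2>/dev/null
  # Server (leaf) certificate, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 2 -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial -extfile leaf.ext -out leaf.crt 2>/dev/null
  cat inter.crt root.crt > inter_and_root.crt   # the "root appended to the chain" variant
}

# Verify leaf.crt with the given extra arguments and print the numeric X509 verify error
# (taken from the "error N at D depth lookup" line), or 0 when verification succeeds.
# -no-CAfile/-no-CApath keep the default trust store out of the picture, so the outcome
# depends only on the flags passed in.
verify_code() {
  if out=$(openssl verify -no-CAfile -no-CApath "$@" leaf.crt 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# 1) Intermediate supplied, but OpenSSL has no trust anchor for it -> 20.
no_anchor()       { verify_code -untrusted inter.crt; }
# 2) Root appended to the chain, as the asker tried, but still not trusted -> 19.
root_in_chain()   { verify_code -untrusted inter_and_root.crt; }
# 3) The answer's fix: tell OpenSSL where the root lives (-CAfile here; -CApath pointing
#    at a hashed directory such as /etc/ssl/certs behaves the same) -> 0.
anchor_supplied() { verify_code -CAfile root.crt -untrusted inter.crt; }

if [ "${1:-}" = "demo" ]; then
  make_test_pki
  echo "no trust anchor:       $(no_anchor)"
  echo "root inside the chain: $(root_in_chain)"
  echo "root as trust anchor:  $(anchor_supplied)"
fi
```

Run it as sh verify-demo.sh demo; the first two lines print 20 and 19, the third prints 0, which is why the answer points s_client at /etc/ssl/certs rather than adding the root to chain.crt.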