Opened 5 years ago

Last modified 5 years ago

#9846 assigned Bug/Something is broken

ssl certificate for to be installed in mx1.m.o

Reported by: Owned by:
Priority: High Component: Tech
Keywords: x509 ssl mx1-email Cc: servicios@…, pedrogellert@…
Sensitive: no

Description (last modified by

Hello Ross and Dana,

Renewing the x509 certificate I found a difficulty following up the howto in our wiki

because step 3h talks about files that actually were not delivered by (also named

According to the email received those are:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mail_laneta_apc_org.crt

All of them are already in /etc/ssl/temp

Could you help me figure out if:

"PositiveSSLCA2.crt" corresponds to mail_laneta_apc_org.crt?

Also, is mail_laneta_apc_org.crt the "primary certificate"?

Thanks in advance, Enrique

Attachments (2)

warning-ssl-server-certificate.png (33.1 KB) - added by 5 years ago.
ssl-server-certificate.png (50.4 KB) - added by 5 years ago.


Change History (10)

comment:1 Changed 5 years ago by

  • Owner set to
  • Status changed from new to assigned

comment:2 Changed 5 years ago by

  • Description modified (diff)

comment:3 Changed 5 years ago by

Hi Enrique,

That documentation is now out of date :-(. After heartbleed, Comodo changed how they deliver certificates. You'll need to include both COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt in the

So you could do:

# cat COMODORSAAddTrustCA.crt >> && cat COMODORSADomainValidationSecureServerCA.crt >>

Then I think you'll have to do:

cat >> /PATH/TO/YOUR/.pem/FILE

That should do it. I'll try to remember to update the documentation.


comment:4 follow-up: Changed 5 years ago by

Do you mean this file located in the private folder, right?

cat >> ../private/

comment:5 Changed 5 years ago by

I should try the rest of the process, 3i and so on, right?

comment:6 in reply to: ↑ 4 Changed 5 years ago by

Replying to

Do you mean this file located in the private folder, right?

cat >> ../private/

Yep that's what I meant.

comment:7 Changed 5 years ago by

Ross, I think it is done. Apparently, I get a good handshake report:

0 mx1:~# gnutls-cli --port imaps
Resolving ''...
Connecting to ''...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,OU=PositiveSSL,', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-07-29 00:00:00 UTC', expires `2019-07-28 23:59:59 UTC', SHA-1 fingerprint `9806fd2f4e2d9bac9548a81b0f7a20525bce1a82'
- The hostname in the certificate matches ''.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

- Peer has closed the GNUTLS connection
0 mx1:~#

But my email client is showing a warning, although the information about the new certificate that the server is sending is correct.

(forget what I just wrote)

Now, I'm becoming aware that there was probably a mistake I made when issuing the certificate with the server name instead of
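
Added example (not part of the ticket or of the project's documentation): a small Python check that reads a gnutls-cli handshake report like the one in comment:7 and relates the "NOT trusted" verdict to the chain the server actually sent. The function names are hypothetical, and the sample is the report's own lines, abridged.

```python
import re

# Lines quoted (abridged) from the gnutls-cli report in comment:7; host names are elided on the page.
REPORT = """\
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,OU=PositiveSSL,', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Handshake was completed
"""

def parse_report(text):
    """Pull the chain-related facts out of gnutls-cli handshake output."""
    count = re.search(r"Got a certificate list of (\d+) certificates", text)
    # gnutls-cli quotes each DN as `...'; one (subject, issuer) pair per certificate, leaf first
    certs = re.findall(r"subject `([^']*)', issuer `([^']*)'", text)
    return {
        "chain_len": int(count.group(1)) if count else len(certs),
        "certs": certs,
        "issuer_unknown": "certificate issuer is unknown" in text,
        "untrusted": "certificate is NOT trusted" in text,
        "handshake_ok": "Handshake was completed" in text,
    }

def diagnose(text):
    """Return findings that explain an untrusted verdict in terms of the chain sent."""
    r, findings = parse_report(text), []
    if r["handshake_ok"] and r["untrusted"]:
        findings.append("handshake completed, but the peer certificate was not trusted")
    if r["certs"] and r["issuer_unknown"]:
        subject, issuer = r["certs"][-1]          # last certificate the server sent
        if subject != issuer:                     # not self-signed: chain stops short of a root
            cn = re.search(r"CN=([^,]+)", issuer)
            findings.append("server sent %d certificate(s); missing issuer: %s"
                            % (r["chain_len"], cn.group(1) if cn else issuer))
    return findings

if __name__ == "__main__":
    for finding in diagnose(REPORT):
        print("-", finding)
```

A certificate list of 1 whose only entry is not self-signed means the server presented the leaf alone, without the intermediate certificates. The trust verdict also depends on the trust store of the client that ran the check.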


comment:8 Changed 5 years ago by

Norma and Pedro, could you confirm whether you can now use email as you normally do?

You will need to verify that your program is configured with the incoming server '', SSL or SSL/TLS connection, port 995
