Ssl
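Postfix SSL certificate with Comodo (PositiveSSL) - "unknown authority"
I'm having a problem with my mail server, which runs a postfix/dovecot setup. Mainly, when I run various security tests I'm told that my certificate can't be verified, see here: https://ssl-tools.net/mailservers/brailsford.xyz
The certificates and related files I have available (valid according to https://brailsford.xyz) are: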
- AddTrustExternalCARoot.crt
- brailsford_xyz.crt
- COMODORSAAddTrustCA.crt
- COMODORSADomainValidationSecureServerCA.crt
I also have the key file for my crt, brailsford_xyz.key
My settings in Postfix are:
```
smtpd_tls_cert_file=/etc/ssl/certs/postfixchain.crt
smtpd_tls_key_file=/etc/ssl/private/brailsford.key
smtpd_tls_CAfile=/etc/ssl/certs/COMODORSADomainValidationSecureServerCA.crt
smtpd_use_tls=yes
```
The postfixchain is a combination of three of the certificates above, in the following order:
- brailsford_xyz.crt
- COMODORSADomainValidationSecureServerCA.crt
- AddTrustExternalCARoot.crt
Can anyone suggest what I'm doing wrong and how to correct it?
Your SSL certificate chain appears to be incomplete (or rather, is missing a link). Look at what `openssl s_client` returns when I connect to your mail server:
```
$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -starttls smtp -connect brailsford.xyz:587
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=brailsford.xyz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
```
As you can see, there is a certificate whose issuer (`i`) is "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority", but the chain does not contain a certificate issued to that subject by a trusted CA (or a further intermediate CA). As far as I can tell, you are at least missing this certificate (as the third link in your chain): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/966/108/intermediate-1-sha-2-comodo-rsa-certification-authority
i.e. the one with serial number 27:66:ee:56:eb:49:f3:8e:ab:d7:70:a2:fc:84:de:22 and
Subject: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
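
An added example (not part of the original answer): the issuer/subject comparison described above, done mechanically over the "Certificate chain" section of the quoted `openssl s_client` output. The function names are hypothetical, and the check compares names only; it does not verify signatures.

```python
import re

# Chain section copied from the s_client output quoted in the answer above.
S_CLIENT_CHAIN = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=brailsford.xyz
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from a 'Certificate chain' section."""
    certs, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+s:(.+)$", line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            certs.append(current)
            continue
        m = re.match(r"\s*i:(.+)$", line)
        if m and current is not None:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in certs]

def find_gaps(certs):
    """Report each position where a certificate's issuer is not the next subject."""
    gaps = []
    for (depth, subject, issuer), nxt in zip(certs, certs[1:] + [None]):
        if subject == issuer:
            continue  # self-signed: the chain legitimately ends here
        if nxt is None:
            continue  # last cert sent: its issuer is left to the client's trust store
        if nxt[1] != issuer:
            gaps.append((depth, issuer, nxt[1]))
    return gaps

if __name__ == "__main__":
    for depth, wanted, found in find_gaps(parse_chain(S_CLIENT_CHAIN)):
        print(f"after cert {depth}: need subject {wanted!r}, server sent {found!r}")
```

Run against the chain above, it reports a single gap after certificate 1, which is the missing "COMODO RSA Certification Authority" link.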