Postfix: setting up the correct certificate chain

Time: 2017-11-15 10:06:09

Tags: ssl certificate postfix

I can't for the life of me figure out what I'm doing wrong here. I can't get TLS to work properly on my Postfix server.

I have a wildcard certificate from Thawte, and I have put the wildcard certificate and the intermediate certificate in the same file. Here is my main.cf:

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.165.199.0/24
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
biff = no

smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/cert/device.key
smtpd_tls_cert_file = /etc/postfix/cert/device.crt
smtpd_tls_CAfile = /etc/postfix/cert/rootCA.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Here is my certificate file (I haven't pasted the whole certificates).

-----BEGIN CERTIFICATE-----
MIIGsDCCBZigAwIBAgIQSgo15k4YWfFlAngSiZuLETANBgkqhkiG9w0BAQsFADBD
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMdGhhd3RlLCBJbmMuMR0wGwYDVQQDExR0
...........Wildcard certificate............
gjgbXl6MjrVSj6FfDNJFjemtNRyHVEG+pOIE3s2bdxbW0GyKUu4Xv1lhs81AbriG
cCtxINchiAgsWURmK1oq8ebScFpgv30UWEpdkyToAjSbl1wq
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE3DCCA8SgAwIBAgIQPiM0Wu0sClF7Jt7UgB0QqjANBgkqhkiG9w0BAQsFADCB
rjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
......Intermediate certificate........
Hi36v6dJog2X9ZbC6WzUzUcLi4oBi9v6z5J1Lt4+p3O1/gNRp0LDx0JrqW++9iDh
jr+fCY7lCOiSk3c+SUScf+l5nf9Lr+A4VzQNXxEyEpKpYYiBpR74oPBFWoZxIIWF
-----END CERTIFICATE-----

When I run openssl s_client -connect smtp-out.domain.com:587 -starttls smtp

I get messages like these:

unable to get local issuer certificate
unable to verify the first certificate
certificate not trusted

Certificate chain
 0 s:/C=SE/ST=State/L=City/O=Company/OU=INC/CN=*.domain.com
   i:/C=US/O=thawte, Inc./CN=thawte SHA256 SSL CA
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3

What do I need to do to make this work? Obviously I'm missing something, but I can't figure out what.

I also get this in the logs:

warning: TLS library problem: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1315:SSL alert number 48:

1 answer:

Answer 0 (score: 0)

I hate answering my own question, but I just found this wonderful site.

I generated a correct chain using the root certificate, used that instead, and now it works.
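A quick local check for the kind of break visible in the s_client output above (the leaf's issuer must be the subject of the next certificate in the bundle, leaf first, intermediates after, which is the order Postfix expects in smtpd_tls_cert_file). This is an added example, not code from the original post or from Postfix; it assumes openssl is installed and takes the bundle path as its only argument.

```shell
#!/bin/sh
# check_chain.sh: walk a PEM bundle and confirm it is an unbroken chain,
# i.e. issuer(cert[i]) == subject(cert[i+1]). Reports the first gap found.
# Usage: check_chain /etc/postfix/cert/device.crt   (path taken from the question)

# Split a PEM bundle into $2/cert1.pem, $2/cert2.pem, ...; print the count.
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++}
                 n>0{print > (d "/cert" n ".pem")}
                 END{print n+0}' "$1"
}

# Print "OK" when every certificate is issued by the one that follows it,
# otherwise "BROKEN at N: ..." naming the mismatched issuer/subject pair.
check_chain() {
  bundle="$1"
  tmpdir=$(mktemp -d)
  n=$(split_bundle "$bundle" "$tmpdir")
  result="OK"
  if [ "$n" -lt 2 ]; then
    result="ONLY $n CERTIFICATE(S): nothing to chain"
  fi
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmpdir/cert$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmpdir/cert$j.pem" -noout -subject)
    # drop the "issuer=" / "subject=" prefixes so the DNs compare directly
    issuer=${issuer#issuer=}
    subject=${subject#subject=}
    if [ "$issuer" != "$subject" ]; then
      result="BROKEN at $i: issuer [$issuer] != next subject [$subject]"
      break
    fi
    i=$j
  done
  rm -rf "$tmpdir"
  printf '%s\n' "$result"
}
```

In the question's chain, certificate 0 names "thawte SHA256 SSL CA" as its issuer while certificate 1 is "thawte DV SSL SHA256 CA", which is exactly the mismatch this check flags.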