Intermediate certificate for Let's Encrypt

3

I set up Let's Encrypt encryption on my server, and after that followed a tutorial to set up a mail server (dovecot and postfix) on the same server (Ubuntu 16.04 server with nginx). In the process I also created two email addresses for that domain, which I expected to use through the Mail client. However, I get the error "cannot verify the account name or password", and at the link I get the following error:

[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified

The full report:

seconds     test stage and result
[000.123]       Connected to server
[000.437]   <-- 220 ubuntu-512mb-fra1-01.mysite.com ESMTP Postfix (Ubuntu)
[000.437]       We are allowed to connect
[000.438]   --> EHLO checktls.com
[000.558]   <-- 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.558]       We can use this server
[000.559]       TLS is an option on this server
[000.559]   --> STARTTLS
[000.679]   <-- 220 2.0.0 Ready to start TLS
[000.680]       STARTTLS command works on this server
[000.947]   ssl : new ctx 140396633279344
: start handshake
: ssl handshake not started
: not using SNI because hostname is unknown
: set socket to non-blocking to enforce timeout=30
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: ok=0 [0] /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3/CN=mysite.com
: done Net::SSLeay::connect -> -1
: ssl handshake in progress
: waiting for fd to become ready: SSL wants a read first
: socket ready, retrying connect
: call Net::SSLeay::connect
: done Net::SSLeay::connect -> 1
: ssl handshake done
[000.949]       SSLVersion in use: TLSv1.2
[000.949]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.950]       Connection converted to SSL
[000.979]       
Certificate 1 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[001.005]       
Certificate 2 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[001.074]       
Certificate 3 of 3 in chain:
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number:
      03:bf:0b:67:c3:bd:f6:98:ed:66:b4:86:11:5c:44:22:e2:1b
  Signature Algorithm: sha256WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = Let's Encrypt
      commonName        = Let's Encrypt Authority X3
    Validity
      Not Before: Oct 29 10:33:00 2016 GMT
      Not After : Jan 27 10:33:00 2017 GMT
    Subject:
      commonName        = mysite.com
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (2048 bit)
        Modulus:
          00:dd:1e:5b:b8:0e:b6:06:f3:b5:8d:55:42:b8:d1:
          f5:91:fd:74:03:f5:f5:5d:6e:8d:84:47:19:d7:28:
          77:3d:47:33:50:bd:70:7a:bf:bf:97:fe:9a:bb:af:
          31:71:db:d5:8b:dc:5a:22:11:4a:b9:c0:c7:2c:ba:
          22:11:52:3d:f8:35:0b:f3:d8:f5:c5:a3:5d:0f:70:
          df:d6:02:38:dd:a7:43:22:b2:ae:96:7a:a6:17:de:
          70:89:e3:74:16:c6:ee:eb:04:37:99:44:f0:2c:10:
          95:21:20:75:f9:b3:c8:d2:4a:c0:04:97:6d:fa:82:
          10:a5:e7:9a:37:82:95:99:e3:d4:c2:65:1a:d0:60:
          ef:18:8a:39:6c:0a:13:9e:00:a4:bd:57:03:55:ea:
          11:33:61:29:41:99:32:9b:85:7d:76:b8:b3:99:46:
          75:33:bf:de:10:52:ce:32:69:9a:36:3d:8b:5b:d1:
          67:ff:66:ef:43:ea:8f:07:77:41:55:f5:f6:ba:6d:
          e2:8f:4e:04:e4:c7:f1:fe:3b:6c:9c:8c:b2:b5:a8:
          24:57:c8:50:eb:37:6c:ea:a4:59:d5:17:dd:31:c3:
          ee:16:df:a4:3a:56:25:ea:38:3c:ab:d2:7f:2b:73:
          7d:2e:d5:ca:ff:b9:e7:d2:d3:18:6b:60:14:f9:e8:
          03:45
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
      X509v3 Extended Key Usage: 
        TLS Web Server Authentication, TLS Web Client Authentication
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier: 
        D9:81:23:A5:47:07:33:95:ED:67:F4:1C:79:48:64:EF:64:93:31:96
      X509v3 Authority Key Identifier: 
        keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
      Authority Information Access: 
        OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
        CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
      X509v3 Subject Alternative Name: 
        DNS:mysite.com, DNS:www.mysite.com
      X509v3 Certificate Policies: 
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
          User Notice:
          Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
  Signature Algorithm: sha256WithRSAEncryption
     75:54:a8:af:38:1e:79:64:5c:89:b7:43:5f:81:fd:20:cf:83:
     41:f4:f3:4c:53:45:5c:4b:4f:52:41:22:59:76:14:eb:41:30:
     46:d2:2a:0e:e3:f8:0a:5b:03:fb:a1:77:b5:95:05:b9:cd:2e:
     4a:d7:10:c1:d4:5d:fc:92:fa:30:c3:52:e4:35:02:f8:aa:c2:
     ea:9a:a5:81:9f:1e:82:ae:d4:0f:d1:ff:ab:a2:56:66:3c:7d:
     6c:55:87:c3:88:73:03:1a:c3:35:50:0a:7c:5d:c2:e6:fe:85:
     80:29:8b:57:a2:42:4f:db:b9:d0:2e:5f:27:fb:11:bb:cf:86:
     d5:97:17:2d:80:85:11:a1:27:c8:b9:98:fd:3c:a0:6d:d8:b9:
     54:28:1c:70:ea:6c:04:bd:01:26:0c:ac:05:7d:0e:8b:cf:30:
     10:a3:06:fa:62:86:35:a4:85:bb:c8:bc:c1:d7:b1:24:a4:95:
     cb:9b:51:88:62:02:42:d0:43:b4:85:59:57:2c:19:4c:29:6c:
     56:5b:f5:8d:b2:08:29:05:b1:61:5a:4b:91:dc:d0:51:8b:a8:
     31:dc:ee:84:0a:e6:2f:84:eb:8a:f8:db:b7:ba:40:ce:12:5a:
     af:c3:26:a3:27:d2:c1:d6:48:80:d2:2a:dc:82:70:8c:0e:04:
     36:7e:d3:1e
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[001.075]       Cert NOT VALIDATED: unable to get local issuer certificate
[001.075]       this may help: What Is An Intermediate Certificate
[001.075]       So email is encrypted but the domain is not verified
[001.075]   ssl : scheme=ldap cert=140396633026752
: identity=mail.mysite.com cn=mysite.com alt=2 mysite.com 2 www.mysite.com
[001.075]       Cert Hostname DOES NOT VERIFY (mail.mysite.com != mysite.com)
[001.076]       So email is encrypted but the host is not verified
[001.076]   ~~> EHLO checktls.com
[001.077]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial 'EHLO checktls.com
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 19:19 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.197]   <~~ 250-ubuntu-512mb-fra1-01.mysite.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.198]       TLS successfully started on this server
[001.198]   ~~> MAIL FROM:<[email protected]>
[001.199]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial 'MAIL FROM: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.332]   <~~ 250 2.1.0 Ok
[001.333]       Sender is OK
[001.333]   ~~> RCPT TO:<[email protected]>
[001.335]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial 'RCPT TO: 
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 31:31 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.470]   <~~ 250 2.1.5 Ok
[001.471]       Recipient OK, E-mail address proofed
[001.471]   ~~> QUIT
[001.473]   ssl write_all VM at entry=vm_unknown
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 554.
partial 'QUIT
'
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 557.
written so far 6:6 bytes (VM=vm_unknown)
at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/ssl_write_all.al) line 676.
[001.592]   <~~ 221 2.0.0 Bye
[001.595]   ssl : free ctx 140396633279344 open=140396633279344
: free ctx 140396633279344 callback

As far as I can tell, the problem is with the certificate setup. What steps can I take to solve this problem?

    
by user3026192 31.10.2016 / 16:09

2 answers

2

Looking at

not using SNI because hostname is unknown

and after that, looking at the hostname the connection is being tested against:

ubuntu-512mb-fra1-01.mysite.com

and

commonName = mysite.com

and

**X509v3 Subject Alternative Name: 
    DNS:mysite.com, DNS:www.mysite.com** 

.... I noticed: the CN and the hostname of the server being connected to are different, and

Secondly, all the certificates in the chain are the same:

-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgISA78LZ8O99pjtZrSGEVxEIuIbMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjEwMjkxMDMzMDBaFw0x
NzAxMjcxMDMzMDBaMBcxFTATBgNVBAMTDGhleW1vbmRheS5zZTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAN0eW7gOtgbztY1VQrjR9ZH9dAP19V1ujYRH
Gdcodz1HM1C9cHq/v5f+mruvMXHb1YvcWiIRSrnAxyy6IhFSPfg1C/PY9cWjXQ9w
39YCON2nQyKyrpZ6phfecInjdBbG7usEN5lE8CwQlSEgdfmzyNJKwASXbfqCEKXn
mjeClZnj1MJlGtBg7xiKOWwKE54ApL1XA1XqETNhKUGZMpuFfXa4s5lGdTO/3hBS
zjJpmjY9i1vRZ/9m70Pqjwd3QVX19rpt4o9OBOTH8f47bJyMsrWoJFfIUOs3bOqk
WdUX3THD7hbfpDpWJeo4PKvSfytzfS7Vyv+559LTGGtgFPnoA0UCAwEAAaOCAh8w
ggIbMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
AwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2YEjpUcHM5XtZ/QceUhk72STMZYw
HwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBi
MC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9y
Zy8wKQYDVR0RBCIwIIIMaGV5bW9uZGF5LnNlghB3d3cuaGV5bW9uZGF5LnNlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAHVUqK84HnlkXIm3Q1+B
/SDPg0H080xTRVxLT1JBIll2FOtBMEbSKg7j+ApbA/uhd7WVBbnNLkrXEMHUXfyS
+jDDUuQ1AviqwuqapYGfHoKu1A/R/6uiVmY8fWxVh8OIcwMawzVQCnxdwub+hYAp
i1eiQk/budAuXyf7EbvPhtWXFy2AhRGhJ8i5mP08oG3YuVQoHHDqbAS9ASYMrAV9
DovPMBCjBvpihjWkhbvIvMHXsSSklcubUYhiAkLQQ7SFWVcsGUwpbFZb9Y2yCCkF
sWFaS5Hc0FGLqDHc7oQK5i+E64r427e6QM4SWq/DJqMn0sHWSIDSKtyCcIwOBDZ+
0x4=
-----END CERTIFICATE-----

And that is why validation is failing.

    
by 31.10.2016 / 17:37
1

My hostname is vegas and I use LE certificates like this:

Request the cert from LE:

/opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email [email protected] --keep-until-expiring --webroot -w /usr/share/nginx/html --rsa-key-size 4096 -d vegas.jacobdevans.com --renew-by-default

Contents of /etc/postfix/main.cf | grep vegas

smtp_tls_cert_file = /etc/letsencrypt/live/vegas.jacobdevans.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/vegas.jacobdevans.com/privkey.pem

SNI is not supported in postfix (only https), so I would dedicate a single hostname to your MTA or add it to a SAN cert.

Always use fullchain.pem.

    
by 31.10.2016 / 17:47
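As an added example (not code from the thread, nor from any of its participants), the shell script below builds a disposable root / intermediate / leaf hierarchy with the openssl CLI and replays, offline, the two checks that checktls.com reported above: whether the chain the server hands out contains the issuer of the leaf (the first answer's observation that every certificate in the served chain was the leaf itself, and the second answer's "always use fullchain.pem"), and whether the leaf covers the name the client connects to (mail.mysite.com against a certificate issued only for mysite.com and www.mysite.com). The host names are the ones from the thread; the CA names, keys, serial files and 30-day lifetimes are made up for this demo and the functions chain_ok, host_ok and served_ok are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throw-away
# root -> intermediate -> leaf hierarchy with the openssl CLI and
# replay the two checks checktls.com reported against
# (a) a chain file holding only the leaf, which is what the MTA in the
#     question effectively served, and
# (b) a fullchain.pem (leaf + intermediate), which the second answer
#     recommends.
# Host names follow the thread (mysite.com, mail.mysite.com); the CA
# names, keys and 30-day validity are made up for this demo only.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# X.509 extensions: one CA profile, and two leaf profiles differing only
# in whether mail.mysite.com is listed as a Subject Alternative Name.
cat > ext.cnf <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_web]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mysite.com, DNS:www.mysite.com
[leaf_mail]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mysite.com, DNS:www.mysite.com, DNS:mail.mysite.com
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER_NAME]: key + CSR + signed cert.
# Without ISSUER_NAME the certificate is self-signed (the demo root).
issue() {
    openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" >/dev/null 2>&1
    if [ -z "$4" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
            -extfile ext.cnf -extensions "$3" -out "$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -days 30 -extfile ext.cnf -extensions "$3" -out "$1.pem" >/dev/null 2>&1
    fi
}

issue root "/O=Example/CN=Example Root CA" ca
issue int  "/O=Example/CN=Example Intermediate X" ca root
issue web  "/CN=mysite.com" leaf_web  int    # like the certificate in the question
issue mail "/CN=mysite.com" leaf_mail int    # re-issued with the MTA name added

cp web.pem chain-leaf-only.pem               # cert.pem: the leaf alone
cat web.pem int.pem  > fullchain-web.pem     # fullchain.pem: leaf + intermediate
cat mail.pem int.pem > fullchain-mail.pem

# chain_ok CHAIN_FILE: succeed only if the first certificate in CHAIN_FILE
# chains to the trusted root using nothing but the other certificates in
# the same file, i.e. exactly what a remote SMTP client gets to see.
chain_ok() {
    openssl x509 -in "$1" -out first.pem 2>/dev/null          # first cert = leaf
    openssl verify -CAfile root.pem -untrusted "$1" first.pem >/dev/null 2>&1
}

# host_ok CHAIN_FILE HOSTNAME: succeed only if the leaf's SAN covers HOSTNAME.
# "openssl x509 -checkhost" only prints its verdict, so the text is grepped.
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# served_ok CHAIN_FILE HOSTNAME: both checks that checktls.com performed.
served_ok() {
    chain_ok "$1" && host_ok "$1" "$2"
}

for f in chain-leaf-only.pem fullchain-web.pem fullchain-mail.pem; do
    if served_ok "$f" mail.mysite.com; then
        echo "$f: OK for mail.mysite.com"
    else
        chain_ok "$f" || echo "$f: Cert NOT VALIDATED (issuer missing from served chain)"
        host_ok "$f" mail.mysite.com || echo "$f: mail.mysite.com not covered by certificate"
    fi
done
```

Only fullchain-mail.pem passes both checks: the leaf-only file reproduces "unable to get local issuer certificate", and the fullchain built from the question's web certificate fixes the chain but still fails the hostname check, which is the second problem checktls.com flagged. To apply the same checks to a live MTA, save the chain it serves with `openssl s_client -starttls smtp -connect mail.mysite.com:25 -showcerts </dev/null` and point chain_ok at that file with the system trust store (`-CAfile /etc/ssl/certs/ca-certificates.crt` on Ubuntu) instead of the demo root.pem. Two details the thread does not spell out: checktls.com exercises inbound STARTTLS, which Postfix configures with `smtpd_tls_cert_file` and `smtpd_tls_key_file` (the `smtp_tls_*` parameters shown in the answer govern Postfix's own outbound connections as a client), and Dovecot reads the same bundle through `ssl_cert = </etc/letsencrypt/live/<name>/fullchain.pem`. Since Postfix of that era presented one certificate regardless of the name the client asked for, the practical fix is the one the second answer gives: request the certificate with `-d mail.mysite.com` included (or a dedicated MTA hostname) and point both daemons at fullchain.pem.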