Client-side Let's Encrypt certificate validation for Exim

Protected

I'm using Let's Encrypt certificates with Exim by pointing the certificate and key options to the files in /usr/local/directadmin/data/users/.../domains/...

(And adding mail to the access group)

Generally this works fine, but some clients are unable to validate the certificate down to a root CA for some reason. I'm no expert, but I googled the issue and it appears that for Let's Encrypt compatibility with old clients, it would be advisable to send the full certificate chain together (by listing the chain certificates below mine).

I'd like to keep benefiting from the automation and DA integration of the current system. Would it be possible for DA to automatically generate a file containing the full chain every time a Let's Encrypt certificate is issued?
 
Does the $domain.cert.combined file not present what you want? As far as I can tell, it includes the LetsEncrypt CACert at the bottom of it.

Barring that, what about using the letsencrypt_post.sh hook to build the full certificate chain? I never tested this, but something like:

Code:
#!/bin/sh
# DirectAdmin hands the user and domain to this hook as $username and $domain (as the original script assumes)
base="/usr/local/directadmin/data/users/$username/domains"
# {cert,cacert} brace expansion is not POSIX sh; name both files explicitly, server cert first, then the chain
cat "$base/$domain.cert" "$base/$domain.cacert" > "$base/$domain.pem"
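An added check for the situation discussed above (example code, not from this thread or from DirectAdmin): it verifies that a combined PEM file holds the server certificate first, followed by the CA chain in issuing order, which is what the first post's older clients need. The function and file names (`check_chain`, `good.pem`, `/CN=Test Root`, `mail.example.test`) are hypothetical; the CA and leaf it generates are constructed test data standing in for a real `$domain.cert.combined`, and the script needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or from DirectAdmin.
# Checks that a combined PEM file is a usable chain: leaf first, then the
# CA certificate(s), each issued by the one after it. Requires openssl.
# make_test_chain builds constructed test files; they stand in for a
# real $domain.cert.combined.

# Write each certificate block of $1 into $2/cert.1, $2/cert.2, ... in file order.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Return 0 if $1 holds at least two certificates and certificate i is issued
# by certificate i+1 for every i; otherwise print the reason and return 1.
check_chain() {
    file=$1
    tmp=$(mktemp -d) || return 1
    split_pem "$file" "$tmp"
    n=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ]; then
        echo "$file: only $n certificate(s); the CA chain is missing"
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert.$j" -noout -subject)
        # strip the "issuer=" / "subject=" labels and compare the names textually
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "$file: certificate $i is not issued by certificate $j (wrong order or wrong CA file)"
            rm -rf "$tmp"; return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return 0
}

# Constructed test data: a throwaway self-signed CA, a leaf it signs, and
# three candidate combined files written into $1.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/good.pem"   # leaf then chain: what .cert.combined should look like
    cat "$d/ca.pem" "$d/leaf.pem" > "$d/bad.pem"    # chain first: wrong order
    cp "$d/leaf.pem" "$d/single.pem"                # leaf only: what the first post's clients choke on
}

# Demo: build the test files and check each one.
# For a real file, replace the demo call with: check_chain /path/to/domain.cert.combined
demo() {
    d=$(mktemp -d)
    make_test_chain "$d"
    for f in good bad single; do
        if check_chain "$d/$f.pem"; then echo "$f.pem: OK"; fi
    done
    rm -rf "$d"
}
demo
```

The check only compares names, so it catches a missing chain and a reversed file but not a wrong intermediate with the right name; `openssl verify` is the next step if signatures also have to be checked. To see what Exim actually sends rather than what is on disk, `openssl s_client -connect mail.example.test:587 -starttls smtp -showcerts </dev/null` prints the served chain.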
 
You are absolutely right. I don't seem to have that for all users (is it a "recent" feature?) so when I looked I didn't see it. Thanks!
 
The post script is available since Directadmin Version 1.501

Actually Directadmin already creates combined certs for users domains:

Code:
# ls -1 /usr/local/directadmin/data/users/*/domains/*.cert.combined
/usr/local/directadmin/data/users/user1/domains/domain1.net.cert.combined
/usr/local/directadmin/data/users/user2/domains/domain2.net.cert.combined
/usr/local/directadmin/data/users/user3/domains/domain3.net.cert.combined
/usr/local/directadmin/data/users/user4/domains/domain4.net.cert.combined
/usr/local/directadmin/data/users/user5/domains/domain5.net.cert.combined
...

So it should NOT be an issue at all.

And official Directadmin support of Exim SNI is still beta as of yet: https://www.directadmin.com/features.php?id=1911
 
It's .combined I was replying about. Re-read adam12's reply!

SNI support unfortunately doesn't matter for me until gmail starts using it.
 
With NGINX combined certs exist at least since Version 1.451: https://www.directadmin.com/features.php?id=1574

SNI support unfortunately doesn't matter for me until gmail starts using it.

Well... how do you run users certs with Exim then?

I'm using Let's Encrypt certificates with Exim by pointing the certificate and key options to the files in /usr/local/directadmin/data/users/.../domains/...


Are all the users on your server having their own IP?

Nevertheless the Exim SNI was mentioned here because it's the only official way to run Exim with users' certs. If you run Exim with users' certs without SNI, it would mean that you have a customization, and then you should make sure that your custom config reads combined certs, as they should exist... unless you use a 3rd party solution for managing Let's Encrypt certs.
 