By: nickt

SSL "root certificate not trusted" Ubuntu 12.04 x64, Apache, iRedMail

November 5, 2013 5.7k views
So, I installed iRedMail successfully following this tutorial: https://digitalocean.com/community/articles/how-to-install-iredmail-on-ubuntu-12-04-x64

I also installed a RapidSSL certificate and everything works great when I pull up the site in my browser (cognizemail.co). And this certificate checker says it's installed correctly: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556

I can send and receive mail just fine, but the issue I'm having is that I have to make a security exception every time I connect or set up an account in Mail (OS X). It comes up saying the certificate location/province is GuangDong, China. WTF? That's not the location I specified when I configured the certificate.

Screenshot: http://cognizemail.co/mail.png

It seems to do this regardless of whether I use the www. This has been driving me nuts! Does anyone have an idea of what could be going on here?

Thanks :)
Nick
6 Answers
Do you have RapidSSL's ca-bundle configured in Apache?
I put cognizemail.co.crt, cognizemail.key, intermediate.crt, and RapidSSL_CA_bundle.pem in /etc/ssl

I have these lines in /etc/apache2/sites-available/default-ssl ...
SSLEngine on
SSLProtocol all
SSLCertificateFile /etc/ssl/cognizemail.co.crt
SSLCertificateKeyFile /etc/ssl/cognizemail.key
SSLCACertificateFile /etc/ssl/intermediate.crt

The intermediate.crt is the CA Bundled one from here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=AR1548

I tried a few other things like: "dpkg-reconfigure ca-certificates" and "update-ca-certificates".
RapidSSL_CA_bundle.pem and intermediate.crt contain the same text. I think I just need intermediate.crt, but I'm not sure.
by Nik van der Ploeg
Our focus here is setting up Apache with a free signed SSL Cert on a VPS.
I read through that and can't see anything wrong with my setup. I talked with someone at eNom support about the certificate I bought and he said it might have something to do with using the top-level domain for mail instead of a subdomain (i.e., cognizemail.co instead of mail.cognizemail.co) and that I might need a wildcard certificate instead? Doesn't make sense to me, but what do I know?
I finally figured this out. I just need to update the configuration files for Dovecot (/etc/dovecot/dovecot.conf) and Postfix (/etc/postfix/main.cf) to use the correct certificates.

I also had to remove the password from the .key file because Postfix wouldn't cooperate with it.
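
As an added example (not part of the original posts), a small Python check for the cause found in the last answer: it compares the certificate path each service is configured with and flags a passphrase-protected private key. The sample configs, the iRedMail_CA.pem and iRedMail.key paths, and the function names are assumptions made for illustration; Dovecot 2.x "ssl_cert = <path" syntax is assumed.

```python
import re

# Constructed sample configs, not taken from the original posts. The
# iRedMail_CA.pem / iRedMail.key paths are assumed stand-ins for an
# installer-generated self-signed certificate and key.
CONFIGS = {
    "apache": "SSLEngine on\nSSLCertificateFile /etc/ssl/cognizemail.co.crt\n",
    "dovecot": "ssl = required\n#ssl_cert = </etc/ssl/old.crt\n"
               "ssl_cert = </etc/ssl/certs/iRedMail_CA.pem\n",
    "postfix": "smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem\n"
               "smtpd_tls_key_file = /etc/ssl/private/iRedMail.key\n",
}

# Directive that names the server certificate in each service's config.
CERT_DIRECTIVE = {
    "apache": r"^\s*SSLCertificateFile\s+(\S+)",
    "dovecot": r"^\s*ssl_cert\s*=\s*<\s*(\S+)",  # Dovecot reads files via "<path"
    "postfix": r"^\s*smtpd_tls_cert_file\s*=\s*(\S+)",
}

def configured_cert(service, text):
    """Return the last uncommented certificate path set for service, or None."""
    hits = re.findall(CERT_DIRECTIVE[service], text, flags=re.MULTILINE)
    return hits[-1] if hits else None

def mismatched_services(configs, reference="apache"):
    """Map each service whose certificate path differs from the reference's."""
    certs = {svc: configured_cert(svc, txt) for svc, txt in configs.items()}
    return {s: p for s, p in certs.items() if p != certs[reference]}

def key_is_encrypted(pem_text):
    """True if a PEM private key is passphrase-protected (PKCS#8 or legacy)."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

if __name__ == "__main__":
    # Mail daemons still pointing at a different certificate than Apache are
    # the ones whose clients will see the untrusted-certificate prompt.
    for svc, path in mismatched_services(CONFIGS).items():
        print(f"{svc}: configured with {path}, "
              f"but apache uses {configured_cert('apache', CONFIGS['apache'])}")
```

To use it on a real host, read /etc/apache2/sites-available/default-ssl, /etc/dovecot/dovecot.conf and /etc/postfix/main.cf into the dictionary in place of the sample strings, and pass the contents of the .key file to key_is_encrypted.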