Life was so much simpler when I just used self-signed certs for
everything...
Looking at http://www.postfix.org/TLS_README.html
The documentation says
``This means that the Postfix server public-key certificate file must
include the server certificate first, then the issuing CA(s) (bottom-up
order).''
Then it gives an example
cat server_cert.pem intermediate_CA.pem > server.pem
-=-
With my Comodo PositiveSSL there are two intermediary certs.
So I try
cat librelamp_com.crt \
COMODORSADomainValidationSecureServerCA.crt \
COMODORSAAddTrustCA.crt > test.crt
But it doesn't verify
openssl verify -purpose sslserver test.crt
test.crt: OU = Domain Control Validated, OU = PositiveSSL, CN = librelamp.com
error 20 at 0 depth lookup:unable to get local issuer certificate
I tried switching the order, same issue.
Finally I reversed the order -
cat COMODORSAAddTrustCA.crt \
COMODORSADomainValidationSecureServerCA.crt \
librelamp_com.crt > test.crt
Now it verifies:
openssl verify -purpose sslserver test.crt
test.crt: OK
-=-=-
Am I not understanding something or is the documentation off?
Thank you,
Alice
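
Added example, not part of the original message: `openssl verify FILE` takes only the first certificate in FILE as its target and ignores the rest of the bundle, so the script below reproduces both results from the post on a constructed chain and then checks the leaf-first bundle by also passing it as `-untrusted`. The names demo-root, demo-int and demo-leaf, the file names and the helper functions are assumptions made for the demo, and demo-root stands in for the system trust store.

```shell
#!/bin/sh
# Added demo on a constructed chain: demo-root -> demo-int -> demo-leaf.
# All names and files are hypothetical and live in a scratch directory.

# make_chain DIR: create the three certificates plus two bundles in DIR.
make_chain() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.crt 2>/dev/null || exit 1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.crt 2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -out leaf.crt 2>/dev/null || exit 1
  cat leaf.crt int.crt > leaf_first.pem   # leaf first, then issuing CA
  cat int.crt leaf.crt > ca_first.pem     # CA first, leaf last
)

# first_subject DIR FILE: subject of the first certificate in FILE, which is
# the only certificate `openssl verify FILE` takes as its target.
first_subject() ( cd "$1" && openssl x509 -noout -subject -in "$2" )

# verify_file DIR FILE [verify options]: succeeds only on "FILE: OK".
# demo-root stands in for the system trust store.
verify_file() (
  cd "$1" || exit 1; f=$2; shift 2
  openssl verify -purpose sslserver -CAfile root.crt "$@" "$f" 2>&1 |
    grep -q ': OK$'
)

# report DIR FILE [verify options]: one-line summary for the run below.
report() {
  if verify_file "$@"; then r=OK; else r=FAIL; fi
  echo "$2 [$(first_subject "$1" "$2")] $3 $4 -> $r"
}

demo=$(mktemp -d) && make_chain "$demo" && {
  report "$demo" leaf_first.pem   # FAIL: leaf is the target, no intermediates given
  report "$demo" ca_first.pem     # OK, but only demo-int was checked
  # Check the leaf-first bundle as deployed: it doubles as the -untrusted source.
  report "$demo" leaf_first.pem -untrusted leaf_first.pem   # OK
}
```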