I installed a general RapidSSL certificate on my Ubuntu 12.04 x64 Apache/iRedMail server at Digital Ocean. It verifies fine in the browser and when I use RapidSSL's checker tool.
However, this server is exclusively for mail, and when I set up an account in Mail (Mac OS) or on my iPhone, etc., I have to make a security exception because it gives me the error "This root certificate is not trusted." And it shows the location as being GuangDong, China for some reason.
I spoke with a support person at eNom (where I bought the SSL certificate) and he mentioned that there might be an issue using the root domain instead of a subdomain for mail, and that I may need a wildcard certificate instead. That suggestion makes no logical sense to me.
My general question is: Is there any difference between setting up a mail server with a general SSL certificate on the root domain, as opposed to a mailserver on a subdomain with a wildcard SSL certificate?
Or is something wrong with my Apache configuration, perhaps?
Thanks! :)
Update:
So now I did the following:
in /etc/dovecot/dovecot.conf
changed:
ssl_cert = </etc/ssl/certs/iRedMail_CA.pem
ssl_key = </etc/ssl/private/iRedMail.key
To:
ssl_cert = </etc/ssl/certificate.crt
ssl_key = </etc/ssl/certificate.key
ssl_ca = </etc/ssl/intermediate.crt
Then in /etc/postfix/main.cf
I changed:
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
To:
smtpd_tls_cert_file = /etc/ssl/certs/certificate.crt
smtpd_tls_key_file = /etc/ssl/certificate.key
smtpd_tls_CAfile = /etc/ssl/intermeidate.crt
Then I reboot the server, and Apache hangs; I get this error:
root@host:~# service apache2 status
Apache2 is NOT running.
root@host:~# service apache2 restart
* Restarting web server apache2
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
...fail!
root@host:~#
So, then I do this:
netstat -ltnp | grep ':80'
result:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1464/apache2
Then I do this:
kill -9 1464
And Apache restarts fine after that, but Roundcube won't let me log in and I can't connect to IMAP or SMTP at all.
Dovecot log says:
Nov 07 04:31:43 imap-login: Error: SSL private key file is password protected, but password isn't given
Nov 07 04:31:43 imap-login: Fatal: Couldn't parse private ssl_key
Update Again:
Everything in Dovecot is working great now. I had to do the following, since my certificate is encrypted with a password:
killall dovecot
dovecot -p
Then enter my password.
Now my problem is with Postfix, which isn't working at all. I'm assuming it doesn't like the password-protected key.
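Mail clients never talk to Apache: the certificate they see is the one Dovecot (IMAP) and Postfix (SMTP) load, so a browser or the RapidSSL checker passing says nothing about the mail ports. Two things a practitioner checks before restarting those daemons are whether the certificate file carries the intermediate CA after the leaf (Dovecot's ssl_ca and Postfix's smtpd_tls_CAfile are for verifying client certificates, not for building the chain sent to clients) and whether the private key is passphrase-protected, which Dovecot only accepts with ssl_key_password or dovecot -p and Postfix does not accept at all. The following stdlib-only Python script is an added example, not code from the original post or from iRedMail, Dovecot or Postfix. The config lines, the PEM contents and the in-memory "filesystem" dict are constructed stand-ins (the PEM bodies are placeholders, not real certificates or keys); only the PEM labels and headers that OpenSSL actually emits are inspected.

```python
"""Audit the TLS files a Dovecot / Postfix pair will load on startup.

Added example, not project code. Works on PEM headers only, so the
constructed sample files below need no real key material.
"""
import re

# One PEM block: label, then everything up to the matching END marker.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Settings that name the server certificate and key in each daemon.
DOVECOT_KEYS = ("ssl_cert", "ssl_key")                     # dovecot.conf, value is "<path"
POSTFIX_KEYS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")  # main.cf, value is a path


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_passphrase_protected(key_text):
    """True for a PKCS#8 'ENCRYPTED PRIVATE KEY' or a legacy OpenSSL key
    carrying a 'Proc-Type: 4,ENCRYPTED' header (what `openssl genrsa -aes256`
    and similar produce)."""
    for label, body in pem_blocks(key_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True
    return False


def tls_paths(config_text, flavor):
    """Pull the cert/key paths out of a dovecot.conf or main.cf snippet."""
    wanted = DOVECOT_KEYS if flavor == "dovecot" else POSTFIX_KEYS
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        if "=" not in line:
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        if name in wanted:
            # Dovecot's leading '<' means "read the file at this path".
            found[name] = value.lstrip("<").strip()
    return found


def audit(config_text, flavor, files):
    """Return a list of findings. `files` maps path -> content and stands in
    for the real filesystem so the check runs offline."""
    cert_key, key_key = DOVECOT_KEYS if flavor == "dovecot" else POSTFIX_KEYS
    paths = tls_paths(config_text, flavor)
    findings = []
    for name in (cert_key, key_key):
        if name not in paths:
            findings.append(f"{flavor}: {name} is not set")
        elif paths[name] not in files:
            findings.append(f"{flavor}: {name} points at missing file {paths[name]}")
    if findings:
        return findings                            # nothing further to inspect
    cert_text, key_text = files[paths[cert_key]], files[paths[key_key]]

    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if not certs:
        findings.append(f"{flavor}: cert file has no CERTIFICATE block")
    elif len(certs) == 1:
        findings.append(f"{flavor}: cert file holds only one certificate; append "
                        "the intermediate CA after the leaf so clients get a full chain")

    if not any(b[0].endswith("PRIVATE KEY") for b in pem_blocks(key_text)):
        findings.append(f"{flavor}: key file has no private key block")
    elif key_is_passphrase_protected(key_text):
        if flavor == "postfix":
            findings.append("postfix: key is passphrase-protected; Postfix cannot "
                            "prompt for it, remove the passphrase from the key")
        else:
            findings.append("dovecot: key is passphrase-protected; set "
                            "ssl_key_password or start with dovecot -p")
    return findings


# ---- constructed sample input (placeholder PEM bodies, not real material) ----
LEAF = "-----BEGIN CERTIFICATE-----\nMIIB...constructed-leaf...\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIC...constructed-intermediate...\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed-key...\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 "MIIE...constructed-key...\n-----END RSA PRIVATE KEY-----\n")

FILES = {  # stand-in for /etc/ssl on the box; paths are assumptions
    "/etc/ssl/certificate.crt": LEAF + INTERMEDIATE,
    "/etc/ssl/certificate.key": ENCRYPTED_KEY,
    "/etc/ssl/intermediate.crt": INTERMEDIATE,
}
DOVECOT_CONF = """ssl_cert = </etc/ssl/certificate.crt
ssl_key = </etc/ssl/certificate.key
ssl_ca = </etc/ssl/intermediate.crt
"""
POSTFIX_CONF = """smtpd_tls_cert_file = /etc/ssl/certificate.crt
smtpd_tls_key_file = /etc/ssl/certificate.key
smtpd_tls_CAfile = /etc/ssl/intermediate.crt
"""

if __name__ == "__main__":
    for flavor, conf in (("dovecot", DOVECOT_CONF), ("postfix", POSTFIX_CONF)):
        for finding in audit(conf, flavor, FILES) or [f"{flavor}: ok"]:
            print(finding)
```

Run it against the real files by replacing the FILES dict with a small loader that reads each referenced path; the passphrase finding is the one that maps to the Dovecot "SSL private key file is password protected" error above, and for Postfix the fix is an unencrypted copy of the key (openssl rsa -in encrypted.key -out plain.key) kept root-readable only.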