"There is a problem with the SSL certificate."

So far, mail-in-a-box worked out-of-the-box. I am able to send and receive emails, use owncloud and I really like the concept! This is a great project!
However, in order to get rid of the certificate warnings, I wanted to set up SSL. I got a free certificate from StartSSL, copy-pasted the certificate into the certificate textbox of the admin panel and clicked “install”. Then I got an error message saying “There is a problem with the SSL certificate.”
OK, I thought, maybe I did something wrong, so let’s do it again. But at StartSSL, you have to pay a fee in order to deactivate the certificate and try again. Therefore, I did the whole process again at CAcert. But with their certificate I get the same error message, and this time I’m quite confident that I copy-pasted everything correctly. And I haven’t modified anything related to SSL on my server prior to this experiment.
What can I do to solve the problem? In the thread “Issues setting up ssl - private key values mismatch”, Josh suggested deleting all files in /home/user-data/ssl (and then rerunning the setup script). Is this the preferred way to deal with the problem? And in case it is, should I also delete the files in the folder /home/user-data/ssl/mydomain.com?
By the way, I use mail-in-a-box V0.4 which I updated either from 0.3 or 0.2.

It’s probably this bug — if your /tmp and /home directories are on different partitions. Otherwise take a look at /var/log/syslog to see what error is generated when you try to plug in the cert.

You can copy the SSL certificate manually into /home/user-data/ssl/ssl_certificate.pem for the box’s main hostname, or /home/user-data/ssl/somedomain.com/ssl_certificate.pem for certificates for other domains hosted on the box. If you have intermediate certs from the CA, you have to combine them in the pem file (your cert first, then intermediate certs).


I use only one partition for everything. The log file isn’t helping me find the error:

Oct 26 13:47:49 domainname dovecot: imap-login: Login: user=<jan@domainname.com>, method=PLAIN, rip=::1, lip=::1, mpid=5869, TLS, session=<lHRO0lIGGgAAAAAAAAAAAAAAAAAAAAAB>
Oct 26 13:47:49 domainname dovecot: imap(jan@domainname.com): Disconnected: Logged out in=92 out=907
Oct 26 13:48:48 domainname dovecot: imap-login: Login: user=<jan@domainname.com>, method=PLAIN, rip=::1, lip=::1, mpid=5873, TLS, session=<Oa/e1VIGHQAAAAAAAAAAAAAAAAAAAAAB>
Oct 26 13:48:48 domainname dovecot: imap(jan@domainname.com): Disconnected: Logged out in=92 out=907
Oct 26 13:49:06 domainname kernel: [662137.103136] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3c:a8:14:96:00:24:dc:9a:9f:f0:08:00 SRC= DST=server_ip LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=59692 PROTO=TCP SPT=6000 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0 

My server should only manage one domain. Let’s call it mydomain.com. I guess that’s what you mean by “the box’s main hostname”, right? The SSL stuff should therefore be in /home/user-data/ssl/ if I get you right. But in addition, I have the folder “/home/user-data/ssl/mydomain.com”. Is this folder necessary?
In the admin panel, I have the two entries “mydomain.com” and “box.mydomain.com” as possible domains for which I could setup the certificates. I tried both and they both fail with the same error message.

No, sorry.

/home/user-data/ssl would be for box.mydomain.com and /home/user-data/ssl/mydomain.com would be for mydomain.com.

The other likely problem is that you aren’t including all of the intermediate certs. I think StartSSL provides two intermediate certs, which would mean you need to paste three things into the control panel. The order of the two intermediate certs you’d have to guess / try both ways.

Thanks for the answer! In fact, the problem was that I did not include the “SSL intermediate chain” - I expected that StartSSL would provide me with the required data more explicitly.
In case someone else has this problem:
Using StartSSL’s free SSL certificate, there’s only one file whose content must be included. It’s called “sub.class1.server.sha2.ca.pem” and can be downloaded at https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem

After I installed the certificate, the System Status Check detected that the DANE TLSA record for incoming mail was incorrect. As the Status Check suggested, I ran the “tools/dns_update” script.
Then, my mail client went nuts (Thunderbird detected that the SSL certificate it got from the mail server is wrong and refused to simply ignore it). Hoping that the old Windows trick would work also on Linux, I restarted the server.
And now, everything works!


I’ve fixed the problems you described in your second paragraph. After installing the main certificate, some system services had to be restarted.