new ssl certificates from comodo and rapidssl dont work

[MC9000]

I have no idea what is going on, but, I can't get intermediate certificates to show up in the certificate chain any more (this is a new problem, and I can't figure out what to do).
Does anyone have a step by step method for getting certificates to work with AMS?

It used to be, you create a CSR and the Certificate Authority (CA) would send you a ROOT, INTERMEDIATE and a SERVER certificate (mail.mydomain.com).
You install these certificates into their respective places, then export your SERVER certificate as a PFX (to get your private key), convert to text (using some utility) format - .PEM, then split that into your private key and your cert so you can import into AMS. Always a lengthy process, but this no longer works with Comodo nor RapidSSL (tried both and spent hours on every conceivable combination of getting AMS certs to work - you can view the cert, the intermediate and root chain - it's friggin' perfect! YET my browser says it's missing the intermediate certificate!!!).

I can't figure what could possibly be going on other than, perhaps, something changed in Windows Server (using 2012R2) that is screwing things up.

Anyone? (18 hours of hair pulling - I've done this dozens of times in the past and have 25 years IT experience and can't for the life of me, nor Comodo nor RapidSSL figure this out)

[Code Crafters]

Sometimes, Certificate Authorities will send you the main and intermediate certificates separately.

You can usually open these up in a text editor and copy / paste the intermediate one before the main certificate in the same file to create the complete certificate chain.

[MC9000]

It's because my version of AMS (2.72) is using TLS 1.0 apparently (this is what I was told - I have no clue as to verify this).
Curiously though, ONLY firefox reports this!
The main and intermediate certificates have no effect on this issue AND you can see them in the certificate chain just fine. This is a Firefox issue only (they now report any site using TLS 1.0 & 1.1 as being "weak encryption". All the online testers say the intermediate certificate is missing, and all of them must use some buggy system (you can see the intermediate certificate!!!)
My question is, since AMS versions pre-3 don't support the latest SSL standards, if I float some money and buy the latest version, will it work with the latest standards?

You can check it here:
https://mail.infinibit.net:8100/_index
open in any browser other than Firefox (using version 68) and you can see the certificate chain fine. Makes no sense.

[Code Crafters]

Yes, Ability Mail Server 4 supports up to TLS 1.2 and will support the latest TLS 1.3 in a future update.

[EKjellquist]

Old topic, but just for informations' sake, I normally just use Let's Encrypt certificates with most of my sites, including AMS/AFS. Now that AMS 5.1 supports TLS 1.3 / OpenSSL 3.1.2, will see if I can get ecc certs to work with AMS/AFS (historically needing SHA-256 style RSA 2048/4096 certs). the nice thing about LE (and other CAs these days) is everything's generated PEM-style so you don't need multiple files anymore as the subject, intermediate and CA are all together.

I'll just grab the current version of CryptLE https://github.com/do-know/Crypt-LE/releases and run something like the following to generate a PEM .cer for AMS to use (anonymized):

Code: Select all

le64.exe -key account.key -csr mail.domain.com.csr -csr-key mail.domain.com.key -crt mail.domain.com.crt -domains "mail.domain.com" -generate-missing -handle-as dns -live

This assumes you can go into your registrar website and add a TXT record for the subdomain above (to verify you own the domain) and it'll pop out a RSA 4096 Sha256 cert. The following is what I use for everything else to generate a star cert with ECC curve:

Code: Select all

le64.exe -key account.key -csr star.domain.com.csr -csr-key star.domain.com.key -crt star.domain.com.crt -domains "*.domain.com" -generate-missing -handle-as dns -curve default -live

As of AMS 5.0.x and before these ECC certs wouldn't work, but I'll give it a whirl the next time I have to generate new ones...