[TriLUG] mail.trilug.org server cert issue

Alan Porter porter at trilug.org
Mon Jan 5 20:34:32 EST 2015


To follow up, I put the possibly-messed-up* certificates in place
for dovecot and postfix, verified that all three files looked OK:
(1) mail.trilug.org-startssl.crt (www.trilug.org CSR signed by startcom)
(2) mail.trilug.org.key (the key used to generate #1), unencrypted
(3) startcom-ca.pem (startcom's certificate authority cert)

I restarted the services, and everything looks OK from the server
perspective.  Both services are running OK, accepting TLS connections,
receiving and serving mail.

What I was *not* able to resolve was on Thunderbird on my Mac.  When I
opened my trilug.org mail, it gave me the standard certificate error,
even though I have the StartCom CA certificate imported into t-bird
and also into the Mac keychain.

Sending and receiving from my iPhone worked fine.


So I will conclude that:
- The certificates work.
- I still don't understand Thunderbird.


Alan


* "possibly-messed-up" means we answered the questions incorrectly
when creating the CSR, so the Common Name was wrong inside the CSR.
But we entered the correct names on the StartCom web site, and so
it ignored the CN and SAN included in the CSR and just used the
values from the web form (CN=mail.trilug.org, SAN=trilug.org).


> We meant to make a new cert for mail.trilug.org, but the
> CSR we submitted was for www.trilug.org.  It overwrote the
> domain and the subjectAltName fields, and so it looked OK,
> but then we saw some bounces somewhere, and to be conservative,
> we switched it back quickly so we could look closer later.
>
> Alan

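The footnote's situation, a CSR carrying the wrong Common Name while the CA takes the names from its own form, reproduced offline with the checks that correspond to the three files listed in the message (an added example, not part of the original post). It assumes the openssl command-line tool; the throwaway CA, the example.test names and the helper function names are constructed stand-ins for StartCom and trilug.org.

```shell
# Constructed demo: a throwaway CA and example.test names, no real certificates.
W=$(mktemp -d); export OPENSSL_CONF="$W/o.cnf"

build_demo() {  # stand-in CA, a CSR with the wrong CN, and the cert the CA issues
  : > "$W/index.txt"; echo 01 > "$W/serial"
  cat > "$OPENSSL_CONF" <<EOF
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3ca]
basicConstraints = critical,CA:TRUE
[demo]
database = $W/index.txt
new_certs_dir = $W
serial = $W/serial
default_md = sha256
policy = pol
[pol]
commonName = supplied
[webform]
subjectAltName = DNS:mail.example.test,DNS:example.test
EOF
  openssl req -x509 -extensions v3ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo CA" -keyout "$W/ca.key" -out "$W/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$W/mail.key" -out "$W/mail.csr" 2>/dev/null
  # The CA keeps the CSR's public key but takes subject and SAN from its own form
  openssl ca -batch -name demo -cert "$W/ca.pem" -keyfile "$W/ca.key" \
    -in "$W/mail.csr" -subj "/CN=mail.example.test" -extensions webform \
    -days 1 -notext -out "$W/mail.crt" >/dev/null 2>&1
}

pubkey_id() {  # digest of the public key inside a certificate, CSR or private key
  case "$1" in
    *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *.key) openssl pkey -in "$1" -pubout ;;
  esac | openssl sha256
}
csr_cn()     { openssl req -in "$1" -noout -subject; }
cert_names() { openssl x509 -in "$1" -noout -subject; openssl x509 -in "$1" -noout -text | grep 'DNS:'; }
chain_ok()   { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

build_demo
csr_cn "$W/mail.csr"; cert_names "$W/mail.crt"
[ "$(pubkey_id "$W/mail.crt")" = "$(pubkey_id "$W/mail.key")" ] && echo "key matches cert"
chain_ok "$W/ca.pem" "$W/mail.crt" && echo "chain verifies against CA"
```

The issued certificate shares only its public key with the CSR, so a wrong CN in the request does not show up in what clients validate.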