Full certificate chain in export about autoacme HOT 10 CLOSED

Added in 1.6.1.

from autoacme.

Just to be sure: I mean full chain in the PEM file, not PFX ;)

from autoacme.

First of all: Why would hMailServer need full chain? I use it as well, without full chain and without any problems. LE certificates have correct Authority Info Access, so client can build their chain without any problems.

Second, I can probably add it in future version, why not.

from autoacme.

Hi!
Oh ok, I tried it once with the certificate provided by autoACME and had issues with https://www.checktls.com/ as the full chain was not provided by the server.
Maybe it messed something up. If so, sorry for the issue opened!
Thanks!
Boris

from autoacme.

@ridercz - can you please provide the steps you take for using the certificates in hmailserver? With win-acme I got a chain/key pem file that I was able to use.

from autoacme.

@eleasarchriso AutoACME generates PFX files, You can use OpenSSL on the command line (and thus also script that) to split these up into their parts (e.g. PEM and PVK files), see for instance https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/548/7/

from autoacme.

Ok thanks. Yes this is what I am doing now. I thought there might be some setting/option in AutoAcme that I was missing like the PEM folder in the configs.
Is there any option to run some script after a new certificate was downloaded where I could plug in this generation of the hmailserver certificates?

from autoacme.

@eleasarchriso No, I'm not aware of such a feature, but you could open a request for that: Pre- and post-request scripts could maybe be added to the certificate host information, so that only specific certificates would trigger these actions.

from autoacme.

Hi!
I was just playing around with it. Most software (e.g. Joomla, MX Toolbox, luxsci) apparently will not consider the certificate trustworthy, if the server is not sending the full chain. Currently hMailserver is using the PEM and CRT file, that are created during issuing process (completely ignoring the PFX file) as is.

Any plans on exporting the full chain into the CRT file? That might fix this issue. It does work, if I copy the contents manually into the file..

Thanks,
Boris

from autoacme.

@Ich79 I assume that when you say "the full chain" you mean the chain up to (but excluding) the root CA, right? E.g. the domain cert and the intermediate cert, but not the root cert.

from autoacme.