# Chained SSL Certificate with QPopper [SOLVED]

## CodAv

Hi,

I've bought a new SSL certificate for my servers, and want to use it for apache, postfix and qpopper. The first two work like a charm, albeit postfix was a bit more difficult to configure. But qpopper just doesn't want to work. I have four files it has to consider:

- My private RSA key

- The certificate for my private key

- The issuer's CA certificate (intermediate)

- The root CA certificate

I need to chain all of them to suppress any warnings about untrusted certificates in the user's mail clients, but I only get qpopper to work by just using my key and certificate, but without the two CA certs. Concatenating everything together won't work; openssl's verification also throws an error:

```
# openssl verify combined.pem
combined.pem: /C=DE/postalCode=42399/ST=NRW/L=Wuppertal/streetAddress=Siegelberg 20/O=Carsten Epp/OU=Domain-Meister.de/OU=Provided by DigiCert, Inc./OU=DigiCertSSL Wildcard/CN=*.domain-meister.de
error 20 at 0 depth lookup:unable to get local issuer certificate
```

So, is it possible to configure qpopper using all those certs in a chain? If not, I'm going to use courier instead, but before I start switching over, I'll try to get qpopper working ;)

Here is qpopper's log output:

```
Jan 26 22:45:16.198 2006 [8883] Failed initializing TLS/SSL
Jan 26 22:46:27.220 2006 [9024] Set tls-server-cert-file to "/etc/ssl/postfix/combined.pem"
Jan 26 22:46:27.220 2006 [9024] Set tls-workarounds to true
Jan 26 22:46:27.229 2006 [9024] Error setting private key PEM file /etc/ssl/postfix/combined.pem
Jan 26 22:46:27.229 2006 [9024] ...SSL error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
```

----------

## CodAv

Got it - it just doesn't support chained cert files.

I did some more research in the qpopper mailing list, and found an interesting post by Pete 'Wolfy' Hanson. He patched the SSL support of QPopper, so it understands SSL certificate chain files. I applied his patch using a portage overlay, and now it works!

I created a bug report and attached the patch. Hopefully the maintainer decides to include this fix in the official tree.

https://bugs.gentoo.org/show_bug.cgi?id=120472

----------
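The two error messages in this thread can be reproduced and checked with the openssl command line alone. The script below is an added example, not part of the original posts, qpopper or the patch; it builds a constructed root, intermediate and leaf (all subject names and file names are assumptions), shows that `openssl verify` on a concatenated file does not verify while `-CAfile` plus `-untrusted` does, and compares a private key against a certificate's public key.

```shell
#!/bin/sh
# Added example. The three-level chain is constructed for the demo; its names
# and files are assumptions, not the certificates from the thread.

# Build root -> intermediate -> leaf in directory $1, plus a combined.pem.
make_chain() {
    ( cd "$1" &&
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj '/CN=Constructed Root CA' -keyout root.key -out root.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj '/CN=Constructed Intermediate CA' -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 1 -out int.pem &&
      openssl req -newkey rsa:2048 -nodes \
          -subj '/CN=mail.example.test' -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -days 1 -out leaf.pem &&
      cat leaf.pem int.pem root.pem > combined.pem
    ) >/dev/null 2>&1
}

# The command from the thread: only the first certificate in the file is
# verified, and the CA certificates after it are not used to build a chain.
verify_bundle_alone() {
    openssl verify "$1/combined.pem" 2>&1 | grep -q ': OK$'
}

# Root as trust anchor, intermediate passed as an untrusted chain certificate.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# True when the certificate carries the public key of the private key; this is
# the comparison that X509_check_private_key reports as "key values mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) &&
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo=$(mktemp -d) && make_chain "$demo" && {
    verify_bundle_alone "$demo" && echo "bundle alone: OK" || echo "bundle alone: not verified"
    verify_with_chain "$demo" && echo "with -CAfile/-untrusted: OK" || echo "with chain: failed"
    key_matches_cert "$demo/leaf.key" "$demo/leaf.pem" && echo "key matches leaf certificate"
    key_matches_cert "$demo/leaf.key" "$demo/int.pem" || echo "key does not match intermediate"
}
rm -rf "$demo"
```

Run against real files, `key_matches_cert` takes the private key path and the certificate path, and `verify_with_chain` expects `root.pem`, `int.pem` and `leaf.pem` in the directory passed to it.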

