[Dovecot] SSL cert problems.

Geoff Sweet geoff.sweet at x10.com
Thu Dec 25 09:17:54 EET 2008


Oh, ok once I added the -CAfile change the cert verifies without issue.

openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995
-quiet
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server
CA
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify return:1
+OK Dovecot ready.

So does that mean I need to install the intermediate cert on all my
clients that will be accessing this server?  That's going to be a bit of
a PITA...

-Geoff

On Wed, 2008-12-24 at 15:26 -0500, Sahil Tandon wrote:
> Geoff Sweet wrote:
> 
> > Ok so I downloaded the intermediate ca cert thing onto my local machine
> > as intca.cer.  Then I ran this command:
> > 
> > :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995
> 
> You're pointing to a *file* so you need -CAfile; not -CApath.  But even
> after making that change, there appears to be a problem with your cert.
> To test, I downloaded common root certificates from the curl website and
> placed them in ~/CA.  Then, the gmail cert verifies just fine:
> 
> % openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 -quiet
> depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify return:1
> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
> verify return:1
> +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17
> 
> However, your server cert still fails.  This may be related to the
> intermediate cert you define in dovecot.conf.  I also noticed the zlib
> compression is turned on, whereas it is disabled on my own and many 
> other POP and IMAP servers I tested.
> 
> This does not appear to be a dovecot issue; perhaps try the OpenSSL
> mailing list?
> 



More information about the dovecot mailing list