[Dovecot] SSL cert problems.

Egbert Jan van den Bussche egbert at vandenbussche.nl
Mon Dec 29 22:32:52 EET 2008


Still strange that Verisign is not already in your cert. store. Most
browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is
not included, being a small free CA. I often have to import class3 and root
cert. which is not a big deal after all.
 
Only thing I can say about your problem is that the ---BEGIN CERTIFICATE---
line should be on a line by its own. It is a far shot but maybe it helps. We
are dealing with security stuff and all files (and permissions!) are very
strict. Your key file should be on 600.

Egbert Jan

-----Oorspronkelijk bericht-----
Van: dovecot-bounces+egbert=vandenbussche.nl at dovecot.org
[mailto:dovecot-bounces+egbert=vandenbussche.nl at dovecot.org] Namens Geoff
Sweet
Verzonden: maandag 29 december 2008 20:31
Aan: Dovecot Mailing List
Onderwerp: Re: [Dovecot] SSL cert problems.


So my conf looks similar to yours:

# Disable SSL/TLS support.
#ssl_disable = no

ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer
ssl_key_file =  /etc/pki/dovecot/private/pop.x10.com.key

# If key file is password protected, give the password here. Alternatively #
give it when starting dovecot with -p parameter. #ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed. #
The CAfile should contain the CA-certificate(s) followed by the matching #
CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file =
/etc/pki/verisign/intermediate_ca.cer

# Request client to send a certificate.
#ssl_verify_client_cert = no

and the ssl_ca_file is a copy and past from this:
http://www.verisign.com/support/verisign-intermediate-ca/extended-validation
/index.html

Yet the cert still doesn't work.  And the OpenSSL people are telling me this
is an issue with my application, dovecot.

For reference this is all that is in
my /etc/pki/verisign/intermediate_ca.cer:

-----BEGIN CERTIFICATE-----
MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt
BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw
MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr
BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs
aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7
A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS
hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9
MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9
BxxsCzAwxw==
-----END CERTIFICATE-----


Like I said, just a copy and paste from the Verisign site.

Any thoughts?

-Geoff




More information about the dovecot mailing list