[Dovecot] New SSL certificate problem
Jonathan Siegle
jsiegle at psu.edu
Mon Jan 5 22:13:29 EET 2009
On Jan 5, 2009, at 2:50 PM, Stewart Dean wrote:
> Although I was told by Digicert that the order of chained certs in /
> var/ssl/certs/dovecot.pem should make no difference, after I put our
> public cert first, followed by Digicert's intermediate cert, dovecot
> started up fine. Of course, there were so many things I looked
> into, it might have been something else I touched......
>
Stewart,
I posted this answer last week in another thread (12/29/2008, Subject:
SSL cert problems). Yes, order seems to be important. I found this
answer in the OpenSSL book on page 120.
-Jonathan
> Stewart Dean wrote:
>>
>> Our DC has been using a Verisign certificate. Over the past year,
>> we've been using a Digicert Wildcard Plus certificate for almost
>> all of our machines, and I wanted to switch over our DC mailserver.
>>
>> I used the following command to generate the CSR and key:
>>
>> openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr -keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard College IT/OU=Bard College /CN=*.bard.edu"
>>
>> The resultant CSR verified and I submitted it to digicert and got
>> back our cert, plus their intermediate and Trusted root certs.
>> I killed the root instance of dovecot and waited for all the
>> children to die.
>> I put together the intermediate cert (first) and our cert (second)
>> into /usr/ssl/certs/dovecot.pem.
>> I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem.
>>
>> I restarted dovecot, but the imap login instances didn't appear, so
>> I shifted back to the original combined cert file and key,
>> restarted dovecot and it came up OK
>>
>> I checked the syslog and saw these error messages:
>>
>> Jan 5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't load private key file /var/ssl/private/dovecot.pem: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
>> Jan 5 10:19:49 mercury mail:err|error last message repeated 8 times
>> Jan 5 10:19:49 mercury mail:err|error dovecot: child 4051108 (login) returned error 89
>> Jan 5 10:19:49 mercury mail:err|error dovecot: child 4231382 (login) returned error 89
>>
>> I checked my key and it has the same time stamp as my CSR, so I
>> didn't somehow get the wrong key. Both the old and new key are
>> 600; if the old one works based on perms, the new one should too.
>>
>> Would some kind soul tell me what I'm missing? Or is there a
>> problem using a wildcard certificate with DC? Is there an openssl
>> command to verify the key? Or is it that the key is unencrypted?
>>
>
>
> --
> ==== Once upon a time, the Internet was a friendly, neighbors-
> helping-neighbors small town, and no one locked their doors. Now
> it's like an apartment in Bed-Stuy: you need three heavy duty pick-
> proof locks, one of those braces that goes from the lock to the
> floor, and bars on the windows.... ==== Stewart Dean, Unix System
> Admin, Bard College, New York 12504 sdean at bard.edu voice:
> 845-758-7475, fax: 845-758-7035
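The two checks Stewart asks for, as an added example that is not part of this thread or of Dovecot itself: whether the private key belongs to the certificate, and whether the certificates in the PEM bundle are in the order Dovecot reads them (server certificate first, then the intermediate). Dovecot hands the first certificate in the file to X509_check_private_key, so a bundle with the intermediate first produces exactly the "key values mismatch" error quoted above even though the key is correct. File names below are placeholders; the script assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Dovecot): sanity-check a
# Dovecot-style PEM bundle and key before restarting the server.
# Assumes the openssl CLI is available.

# Return 0 when the public key inside the first certificate of CERT matches
# the private key in KEY, 1 otherwise. This is the comparison behind the
# "X509_check_private_key:key values mismatch" error.
check_cert_key_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificates in BUNDLE are ordered leaf first, each one
# followed by the certificate that issued it (the order Dovecot expects),
# 1 on an empty bundle or any break in the issuer/subject chain.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate, numbered in file order.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", dir, n) }
        n { print > f }' "$bundle"
    rc=0
    prev_issuer=""
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || { rc=1; break; }   # glob did not match: no certificates
        subject=$(openssl x509 -noout -subject -in "$f" 2>/dev/null | sed 's/^subject= *//')
        issuer=$(openssl x509 -noout -issuer -in "$f" 2>/dev/null | sed 's/^issuer= *//')
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "chain break: expected '$prev_issuer', found '$subject' in $f" >&2
            rc=1; break
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    return $rc
}

# Usage: sslcheck.sh CERT_BUNDLE KEY   (e.g. dovecot.pem and the private key)
if [ "$#" -eq 2 ]; then
    status=0
    check_chain_order "$1" || { echo "certificate order in $1 is wrong"; status=1; }
    check_cert_key_match "$1" "$2" || { echo "key $2 does not match the first certificate in $1"; status=1; }
    exit $status
fi
```

Run it against the bundle and key before restarting Dovecot; a chain-order failure combined with a key mismatch is the symptom of the intermediate-first layout described in the thread. On OpenSSL releases older than 1.0.0, which lack `openssl pkey`, substitute `openssl rsa -pubout` for RSA keys.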