[Dovecot] New SSL certificate problem

Jonathan Siegle jsiegle at psu.edu
Mon Jan 5 22:13:29 EET 2009 

On Jan 5, 2009, at 2:50 PM, Stewart Dean wrote:

> Although I was told by Digicert that the order of chained certs in / 
> var/ssl/certs/dovecot.pem should make no difference, after I put our  
> public cert first, followed by Digicert's intermediate cert, dovecot  
> started up fine.  Of course, there were so many things I looked  
> into, it might have been something else I touched......
>

Stewart,
	I posted this answer last week in another thread(12/29/2008 Subject  
SSL cert problems.). Yes order seems to be important. I found this  
answer in the Openssl book on page 120.

-Jonathan


> Stewart Dean wrote:
>>
>> Our DC has been using a Verisign certificate.  Over the past year,  
>> we've been using a Digicert Wildcard Plus certificate for almost  
>> all of our machines, and I wanted to switched over our DC mailserver.
>>
>> I used the following command to generate the CSR and key:
>>
>> openssl req -new -newkey rsa:1024 -nodes -out star_bard_edu.csr - 
>> keyout star_bard_edu.key -subj "/C=US/ST=NY/L=ourtown/O=Bard  
>> College IT/OU=Bard College /CN=*.bard.edu"
>>
>> The resultant CSR verified and I submitted it to digicert and got  
>> back our cert, plus their intermediate and Trusted root certs.
>> I killed the root instance of dovecot and waited for all the  
>> children to die
>> I put together the intermediate cert (first) and our cert (second)  
>> into /usr/ssl/certs/dovecot.pem
>> I put the key star_bard_edu.key in /var/ssl/private/dovecot.pem
>>
>> I restarted dovecot, but the imap login instances didn't appear, so  
>> I shifted back to the original combined cert file and key,  
>> restarted dovecot and it came up OK
>>
>> I check the syslog and saw these error messages:
>>
>> Jan  5 10:19:49 mercury mail:err|error dovecot: imap-login: Can't  
>> load private k
>> ey file /var/ssl/private/dovecot.pem: error:0B080074:x509  
>> certificate routines:X
>> 509_check_private_key:key values mismatch
>> Jan  5 10:19:49 mercury mail:err|error last message repeated 8 times
>> Jan  5 10:19:49 mercury mail:err|error dovecot: child 4051108  
>> (login) returned e
>> rror 89
>> Jan  5 10:19:49 mercury mail:err|error dovecot: child 4231382  
>> (login) returned e
>> rror 89
>>
>> I checked my key and it has the same time stamp as my CSR, so I  
>> didn't somehow get the wrong key.  Both the old and new key are  
>> 600; if the old one works based on perms, the new one should too.
>>
>> Would some kind soul tell me what I'm missing?  Or is there a  
>> problem using wild card certificate with DC?  Is there an openssl  
>> command to verify the key.  Or is it that the key is unencrypted?
>>
>
>
> -- 
> ==== Once upon a time, the Internet was a friendly, neighbors- 
> helping-neighbors small town, and no one locked their doors. Now  
> it's like an apartment in Bed-Stuy: you need three heavy duty pick- 
> proof locks, one of those braces that goes from the lock to the  
> floor, and bars on the windows.... ==== Stewart Dean, Unix System  
> Admin, Bard College, New York 12504 sdean at bard.edu voice:  
> 845-758-7475, fax: 845-758-7035

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2541 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20090105/e780a716/attachment.bin

More information about the dovecot mailing list