[Dovecot] using signed certificates for TLS/SSL
Arne K. Haaje
arne at drlinux.no
Thu Feb 18 15:58:51 EET 2010
On Thursday 18 February 2010 14:47:03, Leonardo Rodrigues wrote:
> Hi,
>
> I have, at one customer, a web server running on a Verisign-signed
> SSL certificate. Everything works fine: IE and Firefox
> connect on https without asking anything, which usually happens with
> self-signed certificates. I'm trying to use that certificate on dovecot,
> but clients (Thunderbird basically) keep saying the certificate is not
> valid.
>
> Yes, I'm using, when configuring Thunderbird, the same CN that was
> signed by Verisign for the web usage.
>
> I've enabled verbose_ssl and got this when Thunderbird tries to connect:
>
> Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> unknown CA ???
>
> Is it Thunderbird that is not recognizing the Verisign-signed
> certificate? Do I need to, somehow, install some Verisign CA
> certificate in dovecot.conf?
>
> When using a self-signed certificate, I also get an SSL_accept
> failed, but with a different message:
>
> Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate
>
> Despite the fact that my certificates were generated for use with
> Apache, I can 'print' them, both of them, with the same commands I use
> to print dovecot-generated certificates, with mkcert.sh. So, it seems
> they are compatible.
>
> If I click OK in Thunderbird, when using my Verisign-signed
> certificates, everything works and I do get TLS logs:
>
> Feb 18 12:23:36 correio dovecot: imap-login: Login:
> user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 18 12:31:43 correio dovecot: imap-login: Login:
> user=<user at domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> What am I doing wrong?? Or is using a signed certificate for web
> usage not possible on dovecot?
I'm using the same certificate for dovecot and https. My settings in
dovecot.conf are:
ssl_cert_file = /etc/ssl/certs/hostname.pem
ssl_key_file = /etc/ssl/private/hostname.key
This part from the user guide is very important if you received a "bundle /
chain" of CA certificates from Verisign:
Chained SSL certificates
Put all the certificates in the ssl_cert_file file. For example, when using a
certificate signed by TDC, the correct order is:
1. Dovecot's public certificate
2. TDC SSL Server CA
3. TDC Internet Root CA
4. Globalsign Partners CA
Arne
--
--------------------------------
Arne K. Haaje | www.drlinux.no
T: 69 51 15 52 | M: 92 88 44 66
--------------------------------
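The chained-certificate rule quoted above, as an added example that is not part of this thread or of the Dovecot project: a POSIX shell script that assembles ssl_cert_file in the required order (server certificate first, then each CA certificate after the one it signed) and checks that order with openssl before the file is put into dovecot.conf. The input file names, the bundle path and the host/port in served_chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): build the
# ssl_cert_file bundle leaf-first and verify the order. A missing or
# misordered intermediate is what makes a client reply to the handshake
# with "alert unknown ca" even though the leaf is signed by a public CA.
# Assumed inputs: PEM files given as arguments, e.g. server.crt int.crt root.crt
set -eu

# build_bundle OUT LEAF [CA ...]: concatenate PEM files, leaf first.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        printf '\n' >> "$out"   # keeps END/BEGIN markers on separate lines
    done
}

# chain_order_ok BUNDLE: return 0 when each certificate's issuer is the
# subject of the certificate that follows it, 1 on the first mismatch.
chain_order_ok() {
    bundle=$1
    tmpd=$(mktemp -d)
    # split the bundle into $tmpd/cert.1, cert.2, ... one PEM block each
    awk -v d="$tmpd" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert." n)}' "$bundle"
    i=1
    while [ -f "$tmpd/cert.$((i+1))" ]; do
        issuer=$(openssl x509 -in "$tmpd/cert.$i" -noout -issuer)
        subject=$(openssl x509 -in "$tmpd/cert.$((i+1))" -noout -subject)
        # openssl prints "issuer=..." / "subject=..."; compare the DNs only
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "cert $i is not issued by cert $((i+1)): $issuer / $subject" >&2
            rm -rf "$tmpd"; return 1
        fi
        i=$((i+1))
    done
    rm -rf "$tmpd"
}

# served_chain HOST PORT: show the chain a running IMAPS server hands out
# (add -starttls imap for port 143). "unable to get local issuer certificate"
# or "unable to verify the first certificate" means intermediates are missing.
served_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:|Verify return code'
}
```

After a successful chain_order_ok, `openssl verify -CAfile root.crt -untrusted bundle.pem server.crt` confirms the leaf validates through the bundled intermediates.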