[Dovecot] SSL with startssl.com certificates

Bruno Tréguier Bruno.Treguier at shom.fr
Tue Sep 17 17:59:46 EEST 2013


On 17/09/2013 at 16:32, Dan Langille wrote:
> $ openssl s_client -connect imaps.unixathome.org:993 -quiet
> depth=0
> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
> 
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
> 
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> /description=P4s7A2l6clvQRRJ4/C=US/CN=imaps.unixathome.org/emailAddress=postmaster at unixathome.org
> 
> verify error:num=21:unable to verify the first certificate
> verify return:1
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE
> IDLE AUTH=PLAIN] Dovecot ready.
> 
> Somewhere, somehow, there is something vastly different and not working.

Hi,

Something is definitely wrong with your certificate chain. The first
certificate listed in your chain (depth 2) should be StartCom's root CA,
bearing "CN = StartCom Certification Authority", the 2nd one (depth 1)
should be the intermediate cert, bearing "CN = StartCom Class 1 Primary
Intermediate Server CA" and the last one (depth 0) should be yours.

You said in an earlier message that you had put the 3 certs (yours, then
the intermediate, and then the root) in your crt file. Is it still the
case? If not, you really *must* do it, even if you find it makes no
difference. Maybe there's another problem somewhere else, but this chain
is a prerequisite for many clients to work.

Regards,

Bruno

-- 
- Service Hydrographique et Oceanographique de la Marine  -  DMGS/INF
-  13, rue du Chatellier -  CS 92803  - 29228 Brest Cedex 2, FRANCE
-     Phone: +33 2 98 22 17 49  -  Email: Bruno.Treguier at shom.fr
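
The bundle order described in this message (server certificate first, then the intermediate, then the root) can be checked mechanically. The script below is an added example, not part of the original post; it builds a constructed three-level demo chain (all names are made up) and compares issuer and subject names only, without verifying signatures. Rejecting a bundle that holds only the leaf is an assumption of this example.

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered leaf -> intermediate -> root.

# Succeeds when the bundle holds at least two certificates and each one names
# the next certificate's subject as its issuer. A lone leaf is rejected
# (assumption of this example: the server must also send the intermediate).
check_chain_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
    openssl pkcs7 -print_certs -noout 2>/dev/null |
    awk '
        /^subject=/ { subj = substr($0, 9) }
        /^issuer=/  {
            n++
            if (n > 1 && subj != prev) {
                printf "cert %d is not the issuer named by cert %d\n", n, n - 1
                bad = 1
            }
            prev = substr($0, 8)
        }
        END { if (n < 2) print "fewer than two certificates"; exit (bad || n < 2) }'
}

# issue DIR NAME CN SIGNER: constructed demo certificate NAME signed by SIGNER.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial 2 -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Build a constructed three-level chain (all names are made up) in directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" int "Demo Intermediate CA" root &&
    issue "$1" leaf "imap.example.test" int
}

# Demo on the constructed chain: correct order, swapped order, leaf only.
demo() {
    d=$(mktemp -d) && make_demo_chain "$d" || return 1
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"
    cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/swapped.pem"
    for f in good swapped leaf; do
        if check_chain_order "$d/$f.pem"; then echo "$f: OK"; else echo "$f: BROKEN"; fi
    done
    rm -rf "$d"
}
if [ $# -gt 0 ]; then check_chain_order "$1"; else demo; fi
```

Run with a bundle path as the only argument to check an existing crt file; with no argument it runs the demo.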

