dovecot oauth

la.jolie@paquerette la.jolie at paquerette.org
Mon Jul 6 16:23:37 EEST 2020


On 5/07/20 18:46, Aki Tuomi wrote:
>> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>
>>  
>>> On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote:
>>>
>>>  
>>> Hello,
>>>
>>> I'm trying to configure roundcube / dovecot to work with keycloak.
>>> I activated xoauth2 oauthbearer in dovecot.
>>> But a problem occurs when dovecot tries to contact the keycloak server
>>> (logs are below).
>>>
>>> My problem looks like this one:
>>> https://dovecot.org/pipermail/dovecot/2019-December/117768.html
>>> The response to this problem was about a bug in oauth driver
>>> (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
>>>
>>> Mizuki was using Dovecot v2.2.36 (1f10bfa63)
>>> I have Dovecot Dovecot v2.3.4.1 (f79e8e7e4)
>>>
>>> I'm wondering if this bug is still present in my version or if I have
>>> another problem.
>>>
>>> Both my servers (dovecot and keycloak) are using let's encrypt certificates.
>>> I tried to configure Keycloak with nginx proxy and without it (access
>>> via port 8443) (in case the problem came from the ssl config on the
>>> keycloak server), but still the same error.
>>>
>>> If the bug is fixed, then could someone tell me what do I have to put in
>>> the option tls_ca_cert_file?
>>>
>>> I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I
>>> got from let's encrypt website (https://letsencrypt.org/certificates/ /
>>> tried ISRG Root X1 (self-signed) & Let’s Encrypt Authority X3 (IdenTrust
>>> cross-signed) & Let’s Encrypt Authority X3 (Signed by ISRG Root X1))
>>> But I always have the same error.
>>>
>>> Thanks,
>>> Kenny
>>>
>> Hi!
>>
>> Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
>>
>> Aki
> Also can you verify with 'openssl s_client' that you are sending full certificate path in your letsencrypt certificate? tls_ca_cert_file should point to whatever your certificate *root* certificate is.
>
> Aki

Hello Aki,

First, big thanks for your time and help. Much appreciated.

I tried v2.3.10.1 (from debian testing) but same error.

Now about the root certificate, I'm not sure what to try other than the
3 I tried.

When looking on the web for Let's encrypt Root certificate, all seems to
point to the one I tried:
https://letsencrypt.org/certificates/

Isn't the ISRG Root X1 Certificate the root certificate for Let's Encrypt?

Here you can find the answer to the openssl command "openssl s_client
-connect my.keycloak.host:443 -showcerts":
-------
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.keycloak.host
verify return:1
---
Certificate chain
 0 s:CN = my.keycloak.host
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
...... (more lines)
i8cgf5H57alS0qMUZqirusmCFeksfg==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...... (more lines)
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = my.keycloak.host

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3176 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: EB85C94956267BF141......
    Session-ID-ctx:
    Master-Key: 84AA20A5DD8FB18ABF1.......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
    .... (9 more lines like this)
    00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.

    Start Time: 1594040666
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
-------

Thanks,
Kenny
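As an added example (not code from this thread or from the Dovecot project), here is a small Python script that reads the chain summary from `openssl s_client -showcerts` output like the one posted above, checks that each served certificate is issued by the next one, reports the issuer of the last served certificate (the self-signed root a verifier must already trust, since the server does not send it), and then checks whether that subject appears in a candidate CA file as listed by `openssl crl2pkcs7 -nocrl -certfile FILE | openssl pkcs7 -print_certs -noout`. The s_client sample is copied from the output above with the PEM bodies left out; the three CA-file listings are constructed, and the ISRG Root X1 distinguished name among them is assumed. Subject strings are compared in the OpenSSL 1.1.1 `C = US, O = ...` format that the output above uses.

```python
"""Find the trust anchor a served TLS chain needs, from s_client output.

Added example, not code from the Dovecot thread or project. It parses the
' N s:<subject>' / '   i:<issuer>' summary lines that
`openssl s_client -showcerts` prints for each served certificate, reports the
issuer of the last one (the root the verifier must already trust, because the
server did not send it), and checks whether a candidate CA file contains a
certificate with that subject.
"""
import re

# Constructed sample: the chain summary lines from the thread's s_client output
# (PEM bodies omitted, they are not needed for this check).
SHOWCERTS_OUTPUT = """\
---
Certificate chain
 0 s:CN = my.keycloak.host
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
"""

# Constructed samples of what `openssl crl2pkcs7 -nocrl -certfile FILE |
# openssl pkcs7 -print_certs -noout` prints for three candidate CA files.
# The ISRG Root X1 distinguished name is assumed; the other two names are
# copied from the thread's s_client output.
CA_FILE_ISRG_ROOT_X1 = """\
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
CA_FILE_LE_X3 = """\
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""
CA_FILE_DST_ROOT_X3 = """\
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""

_SUBJECT_LINE = re.compile(r"^\s*\d+ s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(showcerts_text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in showcerts_text.splitlines():
        m = _SUBJECT_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_is_linked(chain):
    """Each certificate's issuer must be the subject of the next one sent."""
    return all(issuer == next_subject
               for (_, issuer), (next_subject, _) in zip(chain, chain[1:]))


def required_anchor(chain):
    """Subject the CA file must contain: the issuer of the last served cert.

    If the server already sent a self-signed root (subject == issuer), this
    is that root itself; otherwise it is the root that was left out."""
    if not chain:
        raise ValueError("no certificates found in s_client output")
    return chain[-1][1]


def ca_file_subjects(print_certs_text):
    """Subjects from `openssl pkcs7 -print_certs -noout` style output."""
    return {line[len("subject="):].strip()
            for line in print_certs_text.splitlines()
            if line.startswith("subject=")}


def ca_file_anchors_chain(chain, print_certs_text):
    """True when the CA file holds the certificate the served chain ends at."""
    return required_anchor(chain) in ca_file_subjects(print_certs_text)


if __name__ == "__main__":
    chain = parse_chain(SHOWCERTS_OUTPUT)
    print("chain linked:", chain_is_linked(chain))
    print("required anchor:", required_anchor(chain))
    for name, text in (("ISRG Root X1", CA_FILE_ISRG_ROOT_X1),
                       ("Let's Encrypt Authority X3", CA_FILE_LE_X3),
                       ("DST Root CA X3", CA_FILE_DST_ROOT_X3)):
        verdict = "anchors" if ca_file_anchors_chain(chain, text) else "does not anchor"
        print(f"{name}: {verdict} the served chain")
```

For the chain posted above the last served certificate is issued by `O = Digital Signature Trust Co., CN = DST Root CA X3`, so a file holding only ISRG Root X1, or only the Let's Encrypt Authority X3 intermediate, is not the self-signed root this chain ends at; running the `crl2pkcs7 | pkcs7 -print_certs` pipeline on each candidate for tls_ca_cert_file shows which subjects a file actually contains.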
