dovecot oauth

la.jolie@paquerette la.jolie at paquerette.org
Mon Jul 6 17:15:48 EEST 2020


On 6/07/20 15:23, la.jolie at paquerette wrote:
> On 5/07/20 18:46, Aki Tuomi wrote:
>>> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>
>>>  
>>>> On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote:
>>>>
>>>>  
>>>> Hello,
>>>>
>>>> I'm trying to configure roundcube / dovecot to work with keycloak.
>>>> I activated xoauth2 oauthbearer in dovecot.
>>>> But a problem occurs when dovecot tries to contact the keycloak server
>>>> (logs are below).
>>>>
>>>> My problem looks like this one:
>>>> https://dovecot.org/pipermail/dovecot/2019-December/117768.html
>>>> The response to this problem was about a bug in oauth driver
>>>> (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
>>>>
>>>> Mizuki was using Dovecot v2.2.36 (1f10bfa63)
>>>> I have Dovecot v2.3.4.1 (f79e8e7e4)
>>>>
>>>> I'm wondering if this bug is still present in my version or if I have
>>>> another problem.
>>>>
>>>> Both my servers (dovecot and keycloak) are using let's encrypt certificates.
>>>> I tried to configure Keycloak with nginx proxy and without it (access
>>>> via port 8443) (in case the problem came from the ssl config on the
>>>> keycloak server), but still the same error.
>>>>
>>>> If the bug is fixed, then could someone tell me what I have to put in
>>>> the option tls_ca_cert_file?
>>>>
>>>> I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I
>>>> got from let's encrypt website (https://letsencrypt.org/certificates/ /
>>>> tried ISRG Root X1 (self-signed) & Let’s Encrypt Authority X3 (IdenTrust
>>>> cross-signed) & Let’s Encrypt Authority X3 (Signed by ISRG Root X1))
>>>> But I always have the same error.
>>>>
>>>> Thanks,
>>>> Kenny
>>>>
>>> Hi!
>>>
>>> Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
>>>
>>> Aki
>> Also can you verify with 'openssl s_client' that you are sending full certificate path in your letsencrypt certificate? tls_ca_cert_file should point to whatever your certificate *root* certificate is.
>>
>> Aki
> Hello Aki,
>
> First, big thanks for your time and help. Much appreciated.
>
> I tried v2.3.10.1 (from debian testing) but same error.
>
> Now about the root certificate, I'm not sure what to try other than the
> 3 I tried.
>
> When looking on the web for Let's encrypt Root certificate, all seems to
> point to the one I tried:
> https://letsencrypt.org/certificates/
>
> Isn't the ISRG Root X1 Certificate the root certificate for Let's Encrypt?
>
> Here you can find the answer to the openssl command "openssl s_client
> -connect my.keycloak.host:443 -showcerts":
> -------
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = my.keycloak.host
> verify return:1
> ---
> Certificate chain
>  0 s:CN = my.keycloak.host
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
> ...... (more lines)
> i8cgf5H57alS0qMUZqirusmCFeksfg==
> -----END CERTIFICATE-----
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> ...... (more lines)
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=CN = my.keycloak.host
>
> issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3176 bytes and written 390 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-CHACHA20-POLY1305
>     Session-ID: EB85C94956267BF141......
>     Session-ID-ctx:
>     Master-Key: 84AA20A5DD8FB18ABF1.......
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 86400 (seconds)
>     TLS session ticket:
>     0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
>     .... (9 more lines like this)
>     00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.
>
>     Start Time: 1594040666
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
> -------
>
> Thanks,
> Kenny
>
I finally found that Root certificate.
But frankly, what a nightmare to find it.

If someone else is in the same predicament, here is where you can find it:
- Go here: https://letsencrypt.org/certificates/
- Click on the link Download “TrustID X3 Root” on identrust.com (https://www.identrust.com/support/downloads)
- Go all the way down to the section TrustID X3 and click on the last link Base64 Root Certificate.
- Copy the cert into a file.

I went back to v2.3.4.1 (Debian Buster version) and I can confirm it
works too.

So no problem with Dovecot.

Thanks again for your help Aki.

Kenny
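An added example, not code from this thread or from Dovecot: a shell script that reproduces the situation above offline with a constructed three-tier chain (a self-signed "Test Root" in the role of DST Root CA X3, a "Test Intermediate" in the role of Let's Encrypt Authority X3, and a leaf for the made-up name my.keycloak.host). It shows why a CA file holding only the intermediate, which is what live/<host>/chain.pem contains, fails as tls_ca_cert_file while the self-signed root succeeds, and how to read the root's name off the chain the server sends. It assumes only the openssl CLI (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread; assumes the openssl CLI (1.1.1 or 3.x).
# Constructed chain: "Test Root" (self-signed, the role of DST Root CA X3) ->
# "Test Intermediate" (the role of Let's Encrypt Authority X3) -> leaf for the
# constructed name my.keycloak.host. A server sends leaf + intermediate, so a
# CA file holding only the intermediate (what live/<host>/chain.pem contains)
# is not a trust anchor; the self-signed root is.
WORK=$(mktemp -d); cd "$WORK"
cat > ext.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:my.keycloak.host
EOF
# Self-signed root, then intermediate signed by root, then leaf signed by intermediate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test Root" \
  -config ext.cnf -extensions v3_ca -keyout root.key -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate" \
  -config ext.cnf -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -sha256 -extfile ext.cnf -extensions v3_ca -out inter.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=my.keycloak.host" \
  -config ext.cnf -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 \
  -sha256 -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
# Which root to fetch: the issuer of the last certificate the server sends
# (the depth=1 line in the s_client output quoted above).
issuer_of() { openssl x509 -in "$1" -noout -issuer; }
# tls_ca_cert_file = intermediate only: the chain never reaches a trusted root.
verify_with_intermediate_only() {
  openssl verify -CAfile "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# tls_ca_cert_file = root, with the intermediate supplied by the peer: succeeds.
verify_with_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}
echo "root to put in tls_ca_cert_file: $(issuer_of "$WORK/inter.pem")"
verify_with_intermediate_only && echo "intermediate only: OK" || echo "intermediate only: FAILED"
verify_with_root && echo "root: OK" || echo "root: FAILED"
```

Against a real server, the same issuer line comes from `openssl s_client -connect host:443 -showcerts`, and the certificate whose subject matches that issuer is the one to save into the tls_ca_cert_file file.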