CA certs for Dovecot-as-client (proxy)

Peter Mogensen apm at b-one.net
Wed Apr 21 12:56:28 EEST 2021


Hi,

When using proxy=y, ssl=yes (Dovecot 2.3.13) I consistently get this
logged when trying to validate the remote server cert.

"Disconnected by server: Connection closed: Received invalid SSL
certificate: unable to get local issuer certificate: /C=BE/O=GlobalSign
nv-sa/CN=AlphaSSL CA - SHA256 - G2 (check ssl_client_ca_* settings?)"

As I read the 2.3.x documentation (and the error logged) Dovecot needs
to have the trusted CA cert with ssl_client_ca_file or ssl_client_ca_dir.

So, I've tried every combination of putting the cert (and the GlobalSign
root CA signing it) in ssl_client_ca_dir and individually and as a
bundle in ssl_client_ca_file without luck.

But even though I can verify the cert with "openssl s_client -connect"
and with "openssl verify", no matter what I put in the ssl_client_ca_*
settings it seems Dovecot just ignores it.

It does complain though, if I point it to a non-existent file, but not
if I just fill the file with invalid cert data which can't be parsed.

I end up getting in doubt whether it consults the cert data at all.

I'm a bit at a loss on how to debug this further, short of running it in
gdb. "verbose_ssl" doesn't really say anything about the process of finding
a CA cert to check with.

Have I misunderstood the config?

/Peter
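As an added example (not part of Peter's post): a shell script that exercises a CA set the way OpenSSL's CAfile and CApath lookups do, on the assumption that ssl_client_ca_file and ssl_client_ca_dir are backed by those two mechanisms, as in other OpenSSL-based clients; it assumes openssl is in PATH and builds a throwaway CA and leaf certificate as constructed test data. It goes beyond the post in showing that a CApath directory verifies nothing until it holds hash-named links, which yields exactly the "unable to get local issuer certificate" error quoted above.

```shell
#!/bin/sh
# Added example, not from the post: exercise a CA set the way OpenSSL's
# CAfile/CApath lookups (assumed behind ssl_client_ca_file/ssl_client_ca_dir) do.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: a throwaway root CA and a leaf certificate it signs.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Bundle-file lookup (CAfile): prints 1 if cert $2 chains to a CA in $1.
verify_with_cafile() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo 1 || echo 0
}

# Directory lookup (CApath): OpenSSL opens only files named <subject-hash>.N,
# so a directory of plain .pem files verifies nothing and fails with
# "unable to get local issuer certificate".
verify_with_cadir() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1 && echo 1 || echo 0
}

# Add the hash-named links c_rehash would create, using openssl itself.
rehash_dir() {
  for f in "$1"/*.pem; do
    ln -sf "$(basename "$f")" "$1/$(openssl x509 -hash -noout -in "$f").0"
  done
}

# Walk-through: the same CA as a bundle file and as an (un)hashed directory.
main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  make_test_pki
  mkdir "$WORK/cadir" && cp "$WORK/ca.pem" "$WORK/cadir/"
  echo "CAfile bundle:        $(verify_with_cafile "$WORK/ca.pem" "$WORK/leaf.pem")"
  echo "CApath, not hashed:   $(verify_with_cadir "$WORK/cadir" "$WORK/leaf.pem")"
  rehash_dir "$WORK/cadir"
  echo "CApath, after rehash: $(verify_with_cadir "$WORK/cadir" "$WORK/leaf.pem")"
}

main
```

Run it against a real CA file or directory by pointing verify_with_cafile / verify_with_cadir at the remote server's certificate saved from `openssl s_client -showcerts`.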
