CA certs for Dovecot-as-client (proxy)
Aki Tuomi
aki.tuomi at open-xchange.com
Wed Apr 21 13:13:01 EEST 2021
> On 21/04/2021 12:56 Peter Mogensen <apm at b-one.net> wrote:
>
>
> Hi,
>
> When using proxy=y, ssl=yes (Dovecot 2.3.13) I consistently get this
> logged when trying to validate the remote server cert.
>
> "Disconnected by server: Connection closed: Received invalid SSL
> certificate: unable to get local issuer certificate: /C=BE/O=GlobalSign
> nv-sa/CN=AlphaSSL CA - SHA256 - G2 (check ssl_client_ca_* settings?)"
>
> As I read the 2.3.x documentation (and the error logged) Dovecot needs
> to have the trusted CA cert with ssl_client_ca_file or ssl_client_ca_dir.
>
> So, I've tried every combination of putting the cert (and the GlobalSign
> root CA signing it) in ssl_client_ca_dir and individually and as a
> bundle in ssl_client_ca_file without luck.
>
> But even though I can verify the cert with "openssl s_client -connect"
> and with "openssl verify", no matter what I put in the ssl_client_ca_*
> settings it seems Dovecot just ignores it.
>
> It does complain though, if I point it to a non-existent file, but not
> if I just fill the file with invalid cert data which can't be parsed.
>
> I end up getting in doubt whether it consults the cert data at all.
>
> I'm a bit at loss on how to debug this further, short of running it in
> gdb. "verbose_ssl" doesn't really say anything about the process of find
> a CA cert to check with.
>
> Have I misunderstood the config?
>
> /Peter
Hi!
This is unfortunately a bug, see note in
https://doc.dovecot.org/configuration_manual/authentication/proxies/
"ssl_client_ca_dir or ssl_client_ca_file aren’t currently used for verifying the remote certificate, although ideally they will be in a future Dovecot version. For now you need to add the trusted remote certificates to ssl_ca."
Aki
More information about the dovecot
mailing list