Dovecot dsync certificate errors

Aki Tuomi aki.tuomi at open-xchange.com
Mon Feb 22 09:57:32 EET 2021


> On 22/02/2021 00:43 Stephan Mending <list at md5collisions.eu> wrote:
> 
>  
> Hi *, 
> I've setup two dovecot instances. 
> As soon as I send the syncing part of Dovecot to work, I see the following errors in my mail logs.
> 
> $ cat /var/log/mail.log 
> doveadm(inbox at sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> doveadm(inbox at sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> 
> A little context: The certificates on the servers are issued by a private CA. The public CA certificate has been added to the keystore, though. Shouldn't be a problem.
> I can confirm that by connecting using s_client -> 
> 
> $ openssl s_client -connect <hostname-of-dovecot-A>:12345
> ..
> ...
> ....
> 
> Verify return code: 0 (ok)
> 
> So far the certificate seems to be ok. 
> **BUT**: As soon as I start Dovecot (on the very same machine where I issued the s_client command above) ... I receive the error messages:
> 
> doveadm(inbox at sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> doveadm(inbox at sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> 
> And yes the SubjectAlternativeName in the certificate matches the configured FQDN in 30-dsync.conf.
> 
> My 30-dsync.conf: 
> 
> $ cat /etc/dovecot/conf.d/30-dsync.conf
> 
> service aggregator {
>         fifo_listener replication-notify-fifo {
>                 user = dovecot
>                 mode = 0666
>         }
>         unix_listener replication-notify {
>                 user = dovecot
>                 mode = 0666
>         }
> }
> 
> # Configuring the replicator service
> service replicator {
>         process_min_avail = 1
>         unix_listener replicator-doveadm {
>                 user = dovecot
>                 mode = 0666
>         }
> }
> service doveadm {
>         user = dovecot
>         inet_listener {
>                 port = 12345
>                 ssl = yes
>         }
> }
> 
> doveadm_port = 12345
> doveadm_password = <password>
> replication_max_conns = 1
> 
> plugin {
>         mail_replica = tcps:fqdn.of.system
> }
> 
> service config {
>         unix_listener config {
>                 user = dovecot
>         }
> }
> 
> 
> I'd love to hear the answer to this.
> 
> Thanks a lot!
> 
> Best regards, 
> Stephan


The certificate provided does not match. You can use 

openssl s_client -connect host:port -verify_hostname fqdn.of.system

to see if it matches; somewhere in the output there should be

SSL handshake has read 3086 bytes and written 378 bytes
Verification: OK
Verified peername: fqdn.of.system

If it does match, try 

openssl x509 -text -noout -in /path/to/cert

to see what the name(s) are.

Aki

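The check Aki describes, scripted as an added example that is not part of the thread: it pulls the DNS entries out of a certificate's subjectAltName and compares them against the host configured in mail_replica the way a TLS client does (case-insensitive, a wildcard covering only one leftmost label, the CN not consulted once a SAN is present), either on a PEM file or on the certificate a live doveadm listener presents. It assumes openssl on PATH; the cert path, host and port are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes openssl on PATH; cert path,
# host and port are placeholders. Same SAN-vs-hostname check a TLS client does.

# Print the DNS entries of the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Return 0 if SAN entry $1 matches expected host $2 (case-insensitive).
# A wildcard matches exactly one leftmost label, as TLS clients require.
name_matches() {
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        '*.'*)
            suffix=${san#\*}             # "*.example.test" -> ".example.test"
            label=${host%"$suffix"}      # unchanged when host lacks the suffix
            [ "$label" != "$host" ] && [ -n "$label" ] \
                && [ "${label#*.}" = "$label" ] ;;
        *)  [ "$san" = "$host" ] ;;
    esac
}

# Return 0 if any SAN DNS entry of cert $1 matches host $2, else 1.
# Runs in a subshell so 'set -f' (no globbing of "*.example" entries)
# stays local; 'exit' therefore only leaves the subshell.
cert_matches_host() (
    set -f
    for n in $(san_dns_names "$1"); do
        name_matches "$n" "$2" && exit 0
    done
    exit 1
)

# Live check equivalent to the -verify_hostname suggestion above: fetch the
# certificate the doveadm listener presents and compare it offline.
check_remote() {   # usage: check_remote host:port expected_fqdn
    tmp=$(mktemp)
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$tmp" 2>/dev/null
    if cert_matches_host "$tmp" "$2"; then
        echo "OK: certificate from $1 has a SAN matching $2"; rc=0
    else
        echo "MISMATCH: $2 not among SANs:"; san_dns_names "$tmp"; rc=1
    fi
    rm -f "$tmp"; return $rc
}
```

Run `check_remote fqdn.of.system:12345 fqdn.of.system` on the replica; on a mismatch the listed SANs show which name the certificate actually carries.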
