how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

jean-christophe manciot actionmystique at gmail.com
Mon Aug 8 16:42:37 UTC 2022


@build+dovecot at de-korte.org

ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
<ssl_ca> actually contains the private CA certificate bundled with the
private CA CRL.

ssl_cert = </etc/ssl/fullchain.pem
<ssl_cert> contains the public server certificate bundled with the Let's
Encrypt CA X3 cross-signed certificate.

Maybe the latter should rather contain the root and intermediate certificates.

On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
<build+dovecot at de-korte.org> wrote:
>
> Citeren jean-christophe manciot <actionmystique at gmail.com>:
>
> > Hi everyone,
> >
> > I'm trying to set up dovecot to accept only client certificates created
> > with a private CA:
> > auth_ssl_require_client_cert = yes
> > ssl_verify_client_cert = yes
> > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
>
> This is wrong, you should enter your private CA here. If
> 'ssl_verify_client_cert' is not set to 'yes', this field should
> generally be empty / not configured.
>
> > At the same time, dovecot is set up with an SSL certificate created by
> > a public CA (Let's Encrypt):
> > ssl = required
> > ssl_cert = </etc/ssl/fullchain.pem
> > ssl_key = </etc/ssl/key.pem
> >
> > When I try to connect to the server with a client (evolution), I get a
> > connection error:
> > "Client did not present valid SSL certificate" except that it is valid.
> >
> > As you probably already know, Let's Encrypt does not create client
> > certificates.
> > It seems that using a different CA for client certificates and for the
> > server certificate is unsupported.
> >
> > Am I missing something?
>


-- 
Jean-Christophe
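The setup discussed in this thread, as an added example that is not part of the original posts: a private CA plus its CRL bundled into one file (the shape Dovecot's ssl_ca reads), a second, unrelated CA standing in for the public one behind ssl_cert, and `openssl verify -crl_check` applying the same chain and revocation checks Dovecot does. All CA names, file names and the `alice`/`bob` client certificates are constructed here in a temporary directory.

```shell
# Added example (not from the thread): build a private client CA with its CRL,
# bundle them the way Dovecot's ssl_ca expects, and check client certs against
# that bundle with the rules Dovecot applies (chain + CRL). Everything is constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
touch index.txt; echo 01 > crlnumber      # openssl-ca(1) state for CRL issuing
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = private_ca
[private_ca]
database = index.txt
certificate = ca.pem
private_key = ca.key
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
new_ca() {  # $1 = file prefix, $2 = CN: a self-signed root CA
  openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}
issue_client() {  # $1 = name: writes $1.pem signed by the private CA (ca.pem)
  openssl req -config pki.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 90 -out "$1.pem" 2>/dev/null
}
make_bundle() {  # CA cert followed by the current CRL = the file ssl_ca points at
  openssl ca -config pki.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.pem ca.crl > CA_Certificate_CRL_bundle.pem
}
verify_client() {  # $1 = cert, $2 = CA bundle; returns 0 only if chain and CRL pass
  openssl verify -crl_check -CAfile "$2" "$1" >/dev/null 2>&1
}
new_ca ca  "Private Client CA"      # what belongs in ssl_ca
new_ca pub "Public Server CA"       # stands in for the CA behind ssl_cert
issue_client alice; issue_client bob
openssl ca -config pki.cnf -revoke bob.pem 2>/dev/null   # bob goes on the CRL
make_bundle
verify_client alice.pem CA_Certificate_CRL_bundle.pem && echo "alice: accepted"
verify_client bob.pem CA_Certificate_CRL_bundle.pem || echo "bob: rejected (revoked)"
verify_client alice.pem pub.pem || echo "alice vs server CA: rejected (wrong CA)"
```

The last line is the point of the thread: the CA in ssl_ca is checked independently of the chain in ssl_cert, so a client certificate from the private CA is accepted even though the server certificate comes from a different, public CA.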

