how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

Marc Marc at f1-outsourcing.eu
Mon Aug 8 19:28:32 UTC 2022


Have you added your root CA to where the rest of the ca certs are stored on your distribution?


> 
> I forgot to say that this mail server has been working perfectly for
> many years (but without client certificates).
> 
> On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot
> <actionmystique at gmail.com> wrote:
> >
> > @build+dovecot at de-korte.org
> >
> > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > <ssl_ca> contains actually the private CA certificate bundled with the
> > private CA CRL.
> >
> > ssl_cert = </etc/ssl/fullchain.pem
> > <ssl_cert> contains the public server certificate bundled with Let's
> > encrypt CA X3 cross-signed certificate.
> >
> > > Maybe the latter should rather contain the root and intermediate certificates.
> >
> > On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
> > <build+dovecot at de-korte.org> wrote:
> > >
> > > Citeren jean-christophe manciot <actionmystique at gmail.com>:
> > >
> > > > Hi everyone,
> > > >
> > > > I'm trying to set up dovecot to accept only client certificates created
> > > > with a private CA:
> > > > auth_ssl_require_client_cert = yes
> > > > ssl_verify_client_cert = yes
> > > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > >
> > > This is wrong, you should enter your private CA here. If
> > > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > > generally be empty / not configured.
> > >
> > > > At the same time, dovecot is set up with an SSL certificate created by
> > > > a public CA (let's encrypt):
> > > > ssl = required
> > > > ssl_cert = </etc/ssl/fullchain.pem
> > > > ssl_key = </etc/ssl/key.pem
> > > >
> > > > When I try to connect to the server with a client (evolution), I get a
> > > > connection error:
> > > > "Client did not present valid SSL certificate" except that it is valid.
> > > >
> > > > As you probably already know, let's encrypt does not create client
> > > > certificates.
> > > > It seems that using a different CA for client certificates and for the
> > > > server certificate is unsupported.
> > > >
> > > > Am I missing something?
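The following script is an added example and is not code from this thread or from Dovecot. It reproduces with the openssl CLI the decision Dovecot makes about a client certificate when `ssl_verify_client_cert = yes`, `auth_ssl_require_client_cert = yes` and `ssl_ca` are set: the presented certificate must chain to a CA listed in the `ssl_ca` file and must not appear in a CRL bundled into that same file. The server's own chain (`ssl_cert`, the Let's Encrypt fullchain in the thread) takes no part in that decision, so it is stood in for here by a second, unrelated CA. The directory layout, the CN values, the 30-day lifetimes and the demo user "alice" are all constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Dovecot): mimic Dovecot's
# client-certificate check with the openssl CLI. Everything below
# (directories, CNs, lifetimes, the user "alice") is constructed demo data.
set -eu

# Create a throw-away CA plus the minimal config that 'openssl ca' needs
# for -gencrl and -revoke. $1 = directory, $2 = CA common name.
make_private_ca() {
    local dir="$1" cn="$2"
    mkdir -p "$dir/newcerts"
    touch "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=$cn" >/dev/null 2>&1
}

# Issue a client certificate for user $2, signed by the CA living in $1.
issue_client_cert() {
    local dir="$1" user="$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$user.key" \
        -out "$dir/$user.csr" -subj "/CN=$user" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/$user.pem" >/dev/null 2>&1
}

# Produce the file ssl_ca points at: the CA certificate followed by a freshly
# generated CRL. Dovecot reads certificates and CRLs from the one file.
build_ssl_ca_bundle() {
    local dir="$1"
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" >/dev/null 2>&1
    cat "$dir/ca.pem" "$dir/crl.pem" > "$dir/CA_Certificate_CRL_bundle.pem"
}

# Revoke client certificate $2 at the CA in $1 and rebuild the bundle. Until
# the bundle is rebuilt (and Dovecot reloaded) the old CRL stays in force.
revoke_client_cert() {
    local dir="$1" cert="$2"
    openssl ca -config "$dir/ca.cnf" -revoke "$cert" >/dev/null 2>&1
    build_ssl_ca_bundle "$dir"
}

# The check the TLS layer makes: $1 = ssl_ca bundle, $2 = the certificate the
# client presented. Exit status 0 = accepted, non-zero = the case Dovecot
# reports as "Client did not present valid SSL certificate".
client_cert_accepted() {
    openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    local work; work="$(mktemp -d)"
    make_private_ca "$work/private" "Private Client CA"
    make_private_ca "$work/public" "Unrelated Server CA"   # stand-in for the public chain
    issue_client_cert "$work/private" alice
    build_ssl_ca_bundle "$work/private"
    build_ssl_ca_bundle "$work/public"
    local private_ca="$work/private/CA_Certificate_CRL_bundle.pem"
    local public_ca="$work/public/CA_Certificate_CRL_bundle.pem"
    local alice="$work/private/alice.pem"

    client_cert_accepted "$private_ca" "$alice" && echo "ssl_ca = private CA bundle: accepted"
    client_cert_accepted "$public_ca" "$alice" || echo "ssl_ca = server's CA chain: rejected"
    revoke_client_cert "$work/private" "$alice"
    client_cert_accepted "$private_ca" "$alice" || echo "after revocation and new CRL: rejected"
    rm -rf "$work"
}

main "$@"
```

Run it as `bash demo.sh`; it prints the three outcomes in order. The point it makes for the configuration under discussion: the file behind `ssl_ca` is consulted only for client certificates and is independent of `ssl_cert`, so a private client CA next to a Let's Encrypt server certificate is an ordinary setup, and the "did not present valid SSL certificate" error means the presented chain did not verify against (or was revoked in) that file, exactly as `openssl verify -crl_check -CAfile` reports here. Note that `-crl_check` also fails when the bundle carries a CA certificate but no CRL at all, which is why the CA certificate and its CRL belong in the same file.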
