how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

jean-christophe manciot actionmystique at gmail.com
Tue Aug 9 08:12:10 UTC 2022


@Marc at f1-outsourcing.eu
No, the private CA certificate was not present there as I thought that
its presence in the bundle pointed to by <ssl_ca> was enough.
Anyway, placing it in /etc/ssl/certs and restarting dovecot does not
change anything for the client, as expected.

On Tue, Aug 9, 2022 at 10:09 AM jean-christophe manciot
<actionmystique at gmail.com> wrote:
>
> @Marc at f1-outsourcing.eu
> No, the private CA certificate was not present there as I thought that
> its presence in the bundle pointed to by <ssl_ca> was enough.
> Anyway, placing it in /etc/ssl/certs and restarting dovecot does not
> change anything for the client, as expected.
>
> On Mon, Aug 8, 2022 at 9:28 PM Marc <Marc at f1-outsourcing.eu> wrote:
> >
> > Have you added your root CA to where the rest of the ca certs are stored on your distribution?
> >
> >
> > >
> > > I forgot to say that this mail server has been working perfectly for
> > > many years (but without client certificates).
> > >
> > > On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot
> > > <actionmystique at gmail.com> wrote:
> > > >
> > > > @build+dovecot at de-korte.org
> > > >
> > > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > > > <ssl_ca> actually contains the private CA certificate bundled with the
> > > > private CA CRL.
> > > >
> > > > ssl_cert = </etc/ssl/fullchain.pem
> > > > <ssl_cert> contains the public server certificate bundled with Let's
> > > > encrypt CA X3 cross-signed certificate.
> > > >
> > > > Maybe the latter should rather contain the root and intermediate certificates.
> > > >
> > > > On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
> > > > <build+dovecot at de-korte.org> wrote:
> > > > >
> > > > > Citeren jean-christophe manciot <actionmystique at gmail.com>:
> > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > I'm trying to set up dovecot to accept only client certificates created
> > > > > > with a private CA:
> > > > > > auth_ssl_require_client_cert = yes
> > > > > > ssl_verify_client_cert = yes
> > > > > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > > > >
> > > > > This is wrong, you should enter your private CA here. If
> > > > > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > > > > generally be empty / not configured.
> > > > >
> > > > > > At the same time, dovecot is set up with an SSL certificate created by
> > > > > > a public CA (let's encrypt):
> > > > > > ssl = required
> > > > > > ssl_cert = </etc/ssl/fullchain.pem
> > > > > > ssl_key = </etc/ssl/key.pem
> > > > > >
> > > > > > When I try to connect to the server with a client (evolution), I get a
> > > > > > connection error:
> > > > > > "Client did not present valid SSL certificate" except that it is valid.
> > > > > >
> > > > > > As you probably already know, let's encrypt does not create client
> > > > > > certificates.
> > > > > > It seems that using a different CA for client certificates and for the
> > > > > > server certificate is unsupported.
> > > > > >
> > > > > > Am I missing something?
>
>
>
> --
> Jean-Christophe



-- 
Jean-Christophe
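Added example, not code from the thread: a shell script that builds a throwaway private CA, bundles its certificate with its CRL in the same shape as the thread's ssl_ca file, and checks a client certificate against that bundle the way dovecot does with ssl_verify_client_cert = yes. It assumes only the openssl CLI; every name, subject and path below is constructed, and verify_client is a hypothetical helper.

```shell
#!/bin/sh
# Constructed demonstration: private CA + CRL bundle, then client-cert
# verification against it (the check dovecot's ssl_ca setting drives).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private CA that issues the client certificates (constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Private CA" -days 3650 2>/dev/null

# Client certificate issued by that CA: what the mail client presents.
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out client.pem -days 365 2>/dev/null

# A certificate from a different CA (self-signed here); it must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=not-our-ca" -days 365 2>/dev/null

# Minimal 'openssl ca' config, just enough to issue an (empty) CRL.
touch index.txt
printf '%s\n' '[ ca ]' 'default_ca = myca' '[ myca ]' 'database = index.txt' \
  'default_md = sha256' 'default_crl_days = 30' > ca.cnf
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.pem \
  -out ca.crl 2>/dev/null

# Same shape as the thread's ssl_ca file: CA certificate followed by its CRL.
cat ca.pem ca.crl > CA_Certificate_CRL_bundle.pem

# Returns 0 only when the certificate chains to the private CA and is not
# listed in the CRL, i.e. when dovecot would accept it as a client cert.
verify_client() {
  openssl verify -crl_check -CAfile CA_Certificate_CRL_bundle.pem "$1" \
    >/dev/null 2>&1
}

if verify_client client.pem; then echo "client.pem: accepted"; fi
if ! verify_client other.pem; then echo "other.pem: rejected"; fi
```

A client certificate that fails this check will fail in dovecot too, regardless of which public CA issued the server certificate in ssl_cert.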

