On 22/02/2021 00:43 Stephan Mending list@md5collisions.eu wrote:
Hi *, I've setup two dovecot instances. As soon as i send the syncing part of dovecot to work I see the following errors in my maillogs.
$ cat /var/log/mail.log doveadm(inbox@sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames doveadm(inbox@sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
A little context: The certificates on the servers are issued by a private CA. The public CA-Certificate has been added to the keystore, though. Shouldn't be a problem. I can confirm that by connecting using s_client ->
$ openssl s_client -connect <hostname-of-dovecot-A>:12345 .. ... ....
Verify return code: 0 (ok)
So far the certificate seems to be ok. **BUT**: As soon as i start dovecot (on the very same machine I issued the s_client command above) ... I am receiving the error messages:
doveadm(inbox@sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames doveadm(inbox@sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
And yes the SubjectAlternativeName in the certificate matches the configured FQDN in 30-dsync.conf.
My 30-dsync.conf:
$ cat /etc/dovecot/conf.d/30-dsync.conf
service aggregator { fifo_listener replication-notify-fifo { user = dovecot mode = 0666 } unix_listener replication-notify { user = dovecot mode = 0666 } }
# Configuring the replicator service service replicator { process_min_avail = 1 unix_listener replicator-doveadm { user = dovecot mode = 0666 } } service doveadm { user = dovecot inet_listener { port = 12345 ssl = yes } }
doveadm_port = 12345 doveadm_password = <password> replication_max_conns = 1
plugin { mail_replica = tcps:fqdn.of.system }
service config { unix_listener config { user = dovecot } }
I'd love to here the answer to this.
Thanks alot !
Best regards, Stephan
The certificate provided does not match. You can use
openssl s_client -connect host:port -verify_hostname fqdn.of.system
to see if it matches, somewhere in the output should be
SSL handshake has read 3086 bytes and written 378 bytes Verification: OK Verified peername: fqdn.of.system
If it does match, try
openssl x509 -text -noout -in /path/to/cert
to see what the name(s) are.
Aki