Hi Laura,

I don't know if it will work, but I came across a similar issue with letsencrypt using a recent openssl, where it failed verifying with the same error message, and the following resolved it for me.

Try to run the following command against the client certificate full chain and cert file:-

openssl verify -CAfile fullchain1.pem cert1.pem

If it throws the same error, then try verifying using the following updated full chain with valid Let's Encrypt intermediary and root certificates, to see if it works.

wget -O isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem && \
wget -O isrg-root-x1-cross-signed.pem https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem && \
wget -O lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem && \
wget -O lets-encrypt-r3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem && \
cat isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem > combined_chain1.pem && \
dos2unix combined_chain1.pem && \
rm -f lets-encrypt-r3*.* && \
rm -f isrg*.*

If it didn't, then try to use the updated CA bundle directly from the OS using the following commands, and reference it in the verify certificates list:

ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes

How to update it depends on your OS; the following works for me:

yum install ca-certificates
update-ca-trust

Refer to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/

Give it a try, and if you find another solution please let me know. Good luck.

Zakaria

On 24 Jan 2022 20:25, Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> wrote:

I'm having a frustrating problem trying to use "doveadm sync" to pull mails off a server for migration purposes.

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17.1 (a1a0b892)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2

I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on OpenSSL default per the docs)

I always get the same:
Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)
Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?) - disconnecting

openssl s_client -starttls imap -servername $name -connect $name:143 is happy though:

---
Certificate chain
0 s:CN = <REDACTED>
   i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4954 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
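
Added example (not part of either message above): a shell script that builds a throwaway three-level CA hierarchy and shows which "openssl verify -CAfile" input produces "unable to get issuer certificate". The names Demo Root, Demo Intermediate and mail.demo.test, and the helper functions make_chain, verify_leaf and demo, are constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo hierarchy: Demo Root -> Demo Intermediate -> mail.demo.test
# (all names are made up; nothing here touches Let's Encrypt or a real server).

# make_chain DIR: create root.pem, int.pem and leaf.pem under DIR.
make_chain() {
    (
        cd "$1" &&
        printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj '/CN=Demo Root' -keyout root.key -out root.pem &&
        openssl req -newkey rsa:2048 -nodes \
            -subj '/CN=Demo Intermediate' -keyout int.key -out int.csr &&
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 2 -out int.pem &&
        openssl req -newkey rsa:2048 -nodes \
            -subj '/CN=mail.demo.test' -keyout leaf.key -out leaf.csr &&
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -days 2 -out leaf.pem
    ) >/dev/null 2>&1
}

# verify_leaf DIR CAFILE: print openssl's verdict on leaf.pem with CAFILE as -CAfile.
verify_leaf() {
    ( cd "$1" && openssl verify -CAfile "$2" leaf.pem 2>&1 ) || true
}

demo() {
    dir=$(mktemp -d) || return 1
    make_chain "$dir" || { rm -rf "$dir"; return 1; }
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/both.pem"
    echo "== CAfile = intermediate only (its issuer is missing) =="
    verify_leaf "$dir" int.pem
    echo "== CAfile = root only (the leaf's issuer is missing) =="
    verify_leaf "$dir" root.pem
    echo "== CAfile = root + intermediate =="
    verify_leaf "$dir" both.pem
    rm -rf "$dir"
}

demo
```

The first case reports error 2, "unable to get issuer certificate", the same text as in the Dovecot log; the second reports the differently worded error 20, "unable to get local issuer certificate".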