Hi all,
I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks ago I had to replace our dovecot certificate due to expiration. In the past I used a self-signed certificate, but because we now have a small openssl-based CA I decided to create a signed certificate for imaps. Dovecot happily accepts the new certificate, which has the whole cert chain included. Unfortunately Pigeonhole does not seem to like the certificate:
<--snip
gnutls-cli --starttls -p4190 mail.novanetwork.local
Processed 173 CA certificate(s).
Resolving 'mail.novanetwork.loc'...
Connecting to '10.2.1.23:4190'...
- Simple Client Mode:
"IMPLEMENTATION" "Dovecot Pigeonhole" "SIEVE" "fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave" "NOTIFY" "mailto" "SASL" "" "STARTTLS" "VERSION" "1.0" OK "Dovecot ready."
STARTTLS OK "Begin TLS negotiation now."
-->
At this point the TLS process does not proceed. When I press CTRL-D I get the following output:
*** Starting TLS handshake
Certificate type: X.509
Got a certificate list of 3 certificates.
Certificate[0] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=Mail Server,CN=mail.novanetwork.local', issuer `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2017-06-23 06:58:40 UTC', expires `2020-06-22 06:58:40 UTC', SHA-1 fingerprint `51a9b62eaebb6b4a2b8cc9a22740dc689445da0c'
	Public Key ID:
		165eaaa4b36c091ec8f32103da003a1f43b1c57d
	Public key's random art:
		(RSA 2048 randomart block, 11 lines, omitted)
Certificate[1] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,O=NOVA Elektroanlagen GmbH,OU=NOVA Intermediate CA,CN=NOVA Intermediate CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:40:29 UTC', expires `2026-12-03 11:40:29 UTC', SHA-1 fingerprint `308870b657dccd4902ca119d18d7ba8d6ad54ec0'
Certificate[2] info:
 - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2016-12-05 11:36:47 UTC', expires `2036-11-30 11:36:47 UTC', SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
I have checked the certificate with:
openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
and also with:
openssl verify -verbose -CAfile /etc/ssl/certs/mail.novanetwork.local.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
Does anyone have an idea what could be the cause of the problem and how to fix it?
Thank you for your kind help.
Best regards, Andreas
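The post above checks the new certificate with `openssl verify` but tests the live service with `gnutls-cli`, which validates against its own trust store (the "Processed 173 CA certificate(s)" line) rather than against the private CA. The script below is an added example, not code from the original post or from Dovecot/Pigeonhole: it builds a throwaway root, intermediate and server certificate with openssl (subjects "Example Org", "Example Root CA", "Example Intermediate CA" and the host name mail.example.test are all constructed) and then shows which `openssl verify` invocations actually prove that a private-CA chain is complete, and which ones fail even though the certificates are correct.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway three-tier PKI
# with openssl and show which `openssl verify` invocations actually test a chain
# that ends at a private root. All subjects and file names are constructed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file serving all three certificates; -subj overrides the DN.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
O = Example Org
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
subjectKeyIdentifier = hash
EOF

make_pki() {
  for n in root int leaf; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$n.key" 2>/dev/null
  done
  # Self-signed root CA.
  openssl req -new -x509 -config pki.cnf -extensions ca_ext -key root.key \
    -subj "/O=Example Org/CN=Example Root CA" -days 3650 -sha256 -out root.pem 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -config pki.cnf -key int.key \
    -subj "/O=Example Org/CN=Example Intermediate CA" -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile pki.cnf -extensions ca_ext -out int.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config pki.cnf -key leaf.key \
    -subj "/O=Example Org/CN=mail.example.test" -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -sha256 -extfile pki.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
  # What a server sends: leaf first, then the intermediate(s).
  cat leaf.pem int.pem > server-chain.pem
  # A "ca-chain" file in the style of the post: intermediate plus root.
  cat int.pem root.pem > ca-chain.pem
}

# verify_leaf TRUST_FILE [extra openssl verify options]
# Prints "ok" when leaf.pem chains up to a trust anchor in TRUST_FILE, else "fail".
verify_leaf() {
  ca="$1"; shift
  if openssl verify -CAfile "$ca" "$@" leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_pki
echo "root as anchor, intermediate supplied via -untrusted:      $(verify_leaf root.pem -untrusted int.pem)"
echo "root as anchor, intermediate taken from the server chain:  $(verify_leaf root.pem -untrusted server-chain.pem)"
echo "ca-chain file (intermediate + root) as anchor:             $(verify_leaf ca-chain.pem)"
echo "root as anchor, intermediate missing everywhere:           $(verify_leaf root.pem)"
echo "intermediate alone as anchor (not self-signed):            $(verify_leaf int.pem)"
```

The first two invocations are the ones that mirror a real client: only the self-signed root is trusted, and the intermediate has to arrive from the server (or be passed with `-untrusted`). The last two fail on purpose: a client that knows only the root cannot build a chain if the intermediate is absent, and a non-self-signed intermediate is not a trust anchor unless `-partial_chain` is requested. Passing the server certificate file itself as `-CAfile` proves nothing about the chain, since whatever that file contains is then simply treated as trusted. For the ManageSieve port, the same check against the private root can be done over the wire with recent versions of either client, e.g. `openssl s_client -connect mail.example.test:4190 -starttls sieve -CAfile root.pem` or `gnutls-cli --x509cafile root.pem --starttls-proto=sieve -p 4190 mail.example.test` (host name and file name assumed); without `--x509cafile` gnutls-cli consults only the system bundle, where a private root is normally not present.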