On 2.7.2019 8.06, Peter via dovecot wrote:
On 11.01.2018 13:20, Hauke Fath wrote: >/On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote: />>/Was the certificate path bundled in the server certificate? />/No, as a separate file, provided from the local (intermediate) CA: />//>/ssl_cert = </etc/openssl/certs/server.cert />/ssl_key = </etc/openssl/private/server.key />/ssl_ca = </etc/openssl/certs/ca-cert-chain.pem />//>/Worked fine with 2.2.x, 2.3 gives />//>/% openssl s_client -connect XXX:993 />/CONNECTED(00000006) />/depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=20:unable to get local issuer certificate />/verify return:1 />/depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet />/Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de />/verify error:num=21:unable to verify the first certificate />/verify return:1 />/--- />/Certificate chain />/0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de />/i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet />/Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de <https://dovecot.org/mailman/listinfo/dovecot> />/--- />/Server certificate />/-----BEGIN CERTIFICATE----- />/[...] />/% />// Seems we might've made a unexpected change here when we revamped the ssl code. Can you try if it works if you concatenate the cert and cert-chain to single file? We'll start looking if this is misunderstanding or bug.
Aki
Hi Aki,
I believe that Dovecot 2.3.6 sends only one certificate even though my Dovecot uses two concatenated certificates.
Thanks for looking into this.
Regards, Peter
Hi!
Can you provide readable output of
openssl s_client -connect host:993
Aki