On 2015-09-21 09:28, Alex Bulan wrote:
The result is the same with or without "<" before the file path. With "<" the inode atime is updated at Dovecot startup, so the file is at least opened, but Dovecot still can't verify the cert.
The only place in the Wiki that shows an example of ssl_client_ca_file is on this page, and there's no "<" in front of the file path:
http://wiki2.dovecot.org/Replication
(quote) The client must be able to verify that the SSL certificate is valid, so you need to specify the directory containing valid SSL CA roots:
ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)
For replication only settings? I can only guess as I currently don't use proxy nor replication.
Haven't found much about proxying and ssl but found a configuration parameter ssl_ca = </path/to/file maybe that works...
http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate verification/authentication
On Mon, 21 Sep 2015, Christian Kivalo wrote:
Hi
I've pointed ssl_client_ca_file to my root certificate store, but I suspect ssl_client_ca_file is only used in imapc context. It seems to be ignored in proxy context.
doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
You are missing the "<" before the file path
Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
See http://wiki2.dovecot.org/SSL/DovecotConfiguration
Regards Christian
- Christian