Torsdag 18 februar 2010 14:47:03 skrev Leonardo Rodrigues :
Hi, I have, in one customer, a web server running on a Verisign-signed
certificate SSL certificate. Everything works fine, IE and Firefox connects on https without asking anything, which usually happens on self-signed certificates. I'm trying to use that certificate on dovecot, but clients (Thunderbird basically) keeps saying the certificate is not valid.
yes i'm using, when configuring Thunderbird, the same CN that was
signed by Verisign for the web usage
i've enabled verbose_ssl and got when thunderbird tries to connect:
Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
unknown CA ??? is that Thunderbird that is not recognizing the Verisign-signed
certificate ? Do i need to, somehow, install some Verisign CA certificate in dovecot.conf ?
when using a self-signed certificate, i also get an SSL_accept
failed, but with different message:
Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
despite the fact my certificates were generated for use with
Apache, i can 'print' them, both of them, with the same commands i use to print dovecot generated certificates, with mkcert.sh. So, it seems they are compatible.
if i click OK on Thunderbird, when using my Verisign-signed
certificates, everything works and i do got TLS logs:
Feb 18 12:23:36 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) Feb 18 12:31:43 correio dovecot: imap-login: Login: user=<user@domain.com.br>, method=PLAIN, rip=201.86.xx.xx, lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
what am i doing wrong ?? or using a signed-certificate for WEB
usage is not possible on dovecot ?
I'm using the same certificate for dovecot and https. My settings in dovecot.conf are;
ssl_cert_file = /etc/ssl/certs/hostname.pem ssl_key_file = /etc/ssl/private/hostname.key
This part from the user guide is very important if you received a "bundle / chain" of CA certificates from Verisign;
Chained SSL certificates
Put all the certificates in the ssl_cert_file file. For example when using a certificate signed by TDC the correct order is:
- Dovecot's public certificate
- TDC SSL Server CA
- TDC Internet Root CA
- Globalsign Partners CA
Arne