Thank you Stephan,
I'm wondering if I can read the track of the status of bug reports? Could you please advice? Thanks. Mizuki
On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan@rename-it.nl> wrote:
On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
Hi!
It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this.
Tracking as DOP-1590.
Regards,
Stephan.
On 06/12/2019 16:42 mizuki <mizuki0621@gmail.com> wrote:
Hi,
For troubleshooting purposes, I change the read/write permissions on the certs and confirmed 'dovecot' can read them w/o problem, but still seeing the same errors. :( Mizuki
On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Is the key/cert pair readable by dovecot user? auth process does not
run as root.
You can add
service auth {
extra_groups = ssl_cert
}
and chgrp the cert to ssl_cert to allow access to the cert.
Aki
On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote:
I changed some of the tls options following the document, now config
tokeninfo_url =
https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realm... introspection_mode = post debug = yes rawlog_dir = /tmp/oauth2 #force_introspection = yes username_attribute = username #active_attribute = active #active_value = true tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem tls_key_file = /etc/pki/dovecot/private/dovecot.pem
The debug log is showing now slightly different msg ex:
Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate.
Still not able to connect to the keyclaok server. :(
PS: Dovecot & Keycloak severs are both using the same legit cert/key
is following: pair with CA file configured.
Thanks!
Mizuki
On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < aki.tuomi@open-xchange.com>
wrote:
Before declaring it not ready for prime time, did you try setting
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
In the oauth2 configuration file as documented in
https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
Aki
> On 05/12/2019 21:58 mizuki via dovecot < dovecot@dovecot.org>
wrote:
> > > Hi all, > > We'd like to enable OAuth with Keycloak in Dovecot, after enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm Dovecot is ready for OAuth using openssl command, however when the auth request comes in, it failed in establishing a SSL connection with Keycloak server on port 443, shown as following in debug logs. I can confirming using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server/' all returns normal and no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are NOT self-signed but signed the legit authorities. So I'm not sure why dovecot could not establish the connections. >