Re: Dovecot & OAuth

Op 10-12-2019 om 16:44 schreef mizuki:

Thank you Stephan,

I'm wondering if I can read the track of the status of bug reports? Could you please advice?

No, this is for our own internal reference.

Thanks. Mizuki

On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch mailto:stephan@rename-it.nl> wrote:

On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
> Hi!
>
> It seems there is a bug in the oauth2 driver, it loads the cert
files wrong way. I'll make an internal bug report of this.

Tracking as DOP-1590.

Regards,

Stephan.


>> On 06/12/2019 16:42 mizuki <mizuki0621@gmail.com
<mailto:mizuki0621@gmail.com>> wrote:
>>
>>
>> Hi,
>>
>> For troubleshooting purposes, I change the read/write
permissions on the certs and confirmed 'dovecot' can read them w/o
problem, but still seeing the same errors. :(
>> Mizuki
>>
>>
>> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi
<aki.tuomi@open-xchange.com <mailto:aki.tuomi@open-xchange.com>>
wrote:
>>>
>>> Is the key/cert pair readable by dovecot user? auth process
does not run as root.
>>>
>>>
>>>
>>>
>>> You can add
>>>
>>>
>>>
>>>
>>> service auth {
>>>
>>> extra_groups = ssl_cert
>>>
>>> }
>>>
>>>
>>>
>>>
>>> and chgrp the cert to ssl_cert to allow access to the cert.
>>>
>>>
>>>
>>>
>>> Aki
>>>
>>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org
<mailto:dovecot@dovecot.org>> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I changed some of the tls options following the document, now
config is following:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> tokeninfo_url =
https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
>>>> introspection_url =
https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
>>>> introspection_mode = post
>>>> debug = yes
>>>> rawlog_dir = /tmp/oauth2
>>>> #force_introspection = yes
>>>> username_attribute = username
>>>> #active_attribute = active
>>>> #active_value = true
>>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
>>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>>>>
>>>>
>>>> ---------------
>>>>
>>>>
>>>>
>>>>
>>>> The debug log is showing now slightly different msg ex:
>>>>
>>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error:
oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed:
Couldn't initialize SSL context: Can't load SSL certificate: There
is no valid PEM certificate.
>>>>
>>>>
>>>>
>>>>
>>>> Still not able to connect to the keyclaok server. :(
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> PS: Dovecot & Keycloak severs are both using the same legit
cert/key pair with CA file configured.
>>>>
>>>>
>>>>
>>>>
>>>> Thanks!
>>>>
>>>> Mizuki
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <
aki.tuomi@open-xchange.com <mailto:aki.tuomi@open-xchange.com>> wrote:
>>>>
>>>>
>>>>> Before declaring it not ready for prime time, did you try
setting
>>>>>
>>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
>>>>>
>>>>> In the oauth2 configuration file as documented in
https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
>>>>>
>>>>> Aki
>>>>>
>>>>>> On 05/12/2019 21:58 mizuki via dovecot <
dovecot@dovecot.org <mailto:dovecot@dovecot.org>> wrote:
>>>>>>
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> We'd like to enable OAuth with Keycloak in Dovecot, after
enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online
document, I can confirm Dovecot is ready for OAuth using openssl
command, however when the auth request comes in, it failed in
establishing a SSL connection with Keycloak server on port 443,
shown as following in debug logs. I can confirming using commands
'openssl s_client -connect <keycloak_server>:443' or 'curl -v
https://<keycloak_server/' all returns normal and no errors.
Altering some of the SSL options in dovecot such as 'ssl_ca =
</etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file =
</etc/pki/CA/certs/root_ca.pem' does not help either. The
certificate are NOT self-signed but signed the legit authorities.
So I'm not sure why dovecot could not establish the connections.
>>>>>>