Hi,
I'm about to move all mailboxes from an old machine - running Dovecot 2.2.13 - to a new machine - running Dovecot 2.3.13 (89f716dc2). Because the new machine is in a different location, I must use SSL encryption.
I followed the guides I found, but I'm stuck on certificate verification:
$ doveadm backup -Ru <user> tcps:<host>:12354
doveadm(<user>): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
On port 12354 the server sends an incomplete certificate chain, whereas on port 993 everything is fine.
I read that the settings
- ssl_client_ca_dir
- ssl_client_ca_file
are not used for certificate verification on port 12354; one should use the setting
ssl_ca
Here are the non-default settings on the client side:
$ dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.1
...
ssl_ca =
According to
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
the setting
ssl_ca
should contain
Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL
But how do I build this file? I tried root certificate, root + intermediate certificate and root + intermediate + signed certificate. None of them made it work... I'm completely stuck on how to make certificate verification work.
Can anyone give me a hint? Thanks in advance.
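
The error quoted in the post can be reproduced with plain OpenSSL on a constructed throwaway chain (an added example, not part of the original post and not Dovecot's own code): a leaf presented without its intermediate fails against a root-only CA file and verifies once the intermediate is in the bundle or is sent by the server. The names, the helpers `csr`, `sign` and `chain_check`, and the bundle layout are assumptions made here; CRLs are left out.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf. All names are made up.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# csr NAME CN: create a new key and a certificate request for CN
csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
# sign NAME ISSUER [x509 options]: issue NAME's certificate with ISSUER's key
sign() {
    n=$1; i=$2; shift 2
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$i.pem" -CAkey "$d/$i.key" \
        -CAcreateserial -days 2 "$@" -out "$d/$n.pem" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/cfg" \
    -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
csr inter "Example Intermediate CA"
sign inter root -extfile "$d/cfg" -extensions v3_ca
csr leaf "mail.example.test"
sign leaf inter

# chain_check CAFILE LEAF [verify options]: prints "ok" or OpenSSL's error reason.
# -untrusted FILE models extra chain certificates sent by the server itself.
chain_check() {
    ca=$1; leaf=$2; shift 2
    out=$(openssl verify -CAfile "$ca" "$@" "$leaf" 2>&1) || true
    case $out in
        *": OK"*) echo ok ;;
        *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

cat "$d/inter.pem" "$d/root.pem" > "$d/bundle.pem"   # issuing CA first, root last
echo "root only, server sends leaf only:  $(chain_check "$d/root.pem" "$d/leaf.pem")"
echo "root + intermediate in CA file:     $(chain_check "$d/bundle.pem" "$d/leaf.pem")"
echo "root only, server sends full chain: $(chain_check "$d/root.pem" "$d/leaf.pem" -untrusted "$d/inter.pem")"
```

Running the same check against a live listener needs the certificates it actually sends, which `openssl s_client -connect <host>:<port> -showcerts` prints.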