Hi,
I'm about to move all mailboxes from an old machine (running Dovecot 2.2.13) to a new machine (running Dovecot 2.3.13 (89f716dc2)). Because the new machine is in a different location, I must use SSL encryption.
I followed the guides I found, but I'm stuck on certificate verification:
$ doveadm backup -Ru <user> tcps:<host>:12354
doveadm(<user>): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
On port 12354 the server sends an incomplete certificate chain, whereas on port 993 everything is fine.
I read that the settings
- ssl_client_ca_dir
- ssl_client_ca_file
are not used for certificate verification on port 12354; instead, one should use the setting
ssl_ca
Here are the non-default settings on the client side:
$ dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.1
...
ssl_ca = </etc/dovecot/dovecot_imap_chain.crt
ssl_cert = </etc/ssl/letsencrypt.org/<host>.combine.crt
ssl_cipher_list = EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+AES256:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!CAMELLIA
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
...
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
...
verbose_ssl = yes
ssl_verify_client_cert = yes
According to
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
the setting
ssl_ca
should contain
Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL
But how do I build this file? I tried the root certificate, root + intermediate certificate, and root + intermediate + signed certificate. None of them made it work... I'm completely stuck on how to make certificate verification work.
Can anyone give me a hint? Thanks in advance.
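Added example, not part of the original post and not Dovecot's own code: a POSIX shell script that reproduces the failure above with a throwaway PKI built by openssl and then checks which CA file lets the leaf verify. The error in the post names the leaf (/CN=<host>), i.e. the issuer lookup fails at depth 0, which is what happens when neither the server nor the client's CA file supplies the intermediate. The script shows that a CA file with only the root produces exactly "unable to get local issuer certificate" when the server omits the intermediate, that the same root-only file works when the server sends the intermediate (the port 993 case), and that a PEM file with the intermediate concatenated before the root verifies the leaf even when the server omits it. The CA names, the CN mail.example.test and the file names are made up; openssl 1.1.1 or newer on PATH is assumed. The script only builds and checks the file; it does not decide which Dovecot setting (ssl_ca or ssl_client_ca_*) doveadm reads it from.

```shell
#!/bin/sh
# Added example, not code from the original post or from Dovecot.
# Builds a throwaway root -> intermediate -> leaf PKI with openssl and
# shows which CA file lets a client verify a leaf whose server does not
# send the intermediate (the port 12354 situation in the post).
# All names are made up: mail.example.test, "Test Root CA", ...
# Assumes openssl 1.1.1 or newer on PATH.
set -u

# Minimal req config so the commands do not depend on a system
# openssl.cnf; the -subj given on the command line overrides this DN.
write_req_config() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$1"
}

# Fresh RSA key plus CSR for one subject: make_csr DIR NAME CN
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
}

# Create root.crt, intermediate.crt and leaf.crt in DIR: make_test_pki DIR
make_test_pki() {
    d=$1
    write_req_config "$d/req.cnf"
    # Extensions for the two CA certs and for the server leaf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
    make_csr "$d" root "Test Root CA"
    make_csr "$d" intermediate "Test Intermediate CA"
    make_csr "$d" leaf mail.example.test
    # Self-signed root.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # Intermediate signed by the root.
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
    # Server leaf signed by the intermediate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# The file to hand to the client as its CA bundle: intermediate first, then
# root, as plain PEM concatenation (the order does not matter to OpenSSL).
# build_ca_bundle OUT INTERMEDIATE ROOT
build_ca_bundle() {
    cat "$2" "$3" > "$1"
}

# Verify LEAF against CAFILE only (system CA locations disabled). The optional
# third argument plays the role of a certificate the *server* sent along with
# the leaf. Returns openssl's status (0 = OK) and leaves the message in
# VERIFY_MSG.  verify_leaf CAFILE LEAF [SERVER_SENT_INTERMEDIATE]
verify_leaf() {
    if [ -n "${3:-}" ]; then
        VERIFY_MSG=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" 2>&1)
    else
        VERIFY_MSG=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1)
    fi
}

PKI_DIR=$(mktemp -d)
make_test_pki "$PKI_DIR"
build_ca_bundle "$PKI_DIR/ssl_ca.pem" "$PKI_DIR/intermediate.crt" "$PKI_DIR/root.crt"

# 1. CA file = root only, server omits the intermediate: fails with the same
#    "unable to get local issuer certificate" as in the post.
verify_leaf "$PKI_DIR/root.crt" "$PKI_DIR/leaf.crt" && ROOT_ONLY=ok || ROOT_ONLY=fail
ROOT_ONLY_MSG=$VERIFY_MSG
# 2. CA file = root only, but the server sends the intermediate (port 993 case).
verify_leaf "$PKI_DIR/root.crt" "$PKI_DIR/leaf.crt" "$PKI_DIR/intermediate.crt" && WITH_SERVER_CHAIN=ok || WITH_SERVER_CHAIN=fail
# 3. CA file = intermediate + root, server still omits the intermediate.
verify_leaf "$PKI_DIR/ssl_ca.pem" "$PKI_DIR/leaf.crt" && WITH_BUNDLE=ok || WITH_BUNDLE=fail

printf 'root only, server omits intermediate:       %s\n' "$ROOT_ONLY"
printf '%s\n' "$ROOT_ONLY_MSG" | head -n 1
printf 'root only, intermediate sent by server:     %s\n' "$WITH_SERVER_CHAIN"
printf 'intermediate+root bundle, server omits it:  %s\n' "$WITH_BUNDLE"
```

To compare against the real server, the certificates it actually sends on each port can be dumped with `openssl s_client -connect <host>:12354 -showcerts` (and the same for 993); the leaf from that output can then be fed to verify_leaf with the candidate bundle in place of the test files.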