On 6/07/20 15:23, la.jolie@paquerette wrote:
On 5/07/20 18:46, Aki Tuomi wrote:
On 05/07/2020 19:43 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 04/07/2020 21:12 la.jolie@paquerette <la.jolie@paquerette.org> wrote:
Hello,
I'm trying to configure roundcube / dovecot to work with keycloak. I activated xoauth2 oauthbearer in dovecot. But a problem occurs when dovecot tries to contact the keycloak server (logs are below).
My problem looks like this one: https://dovecot.org/pipermail/dovecot/2019-December/117768.html The response to this problem was about a bug in oauth driver (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
Mizuki was using Dovecot v2.2.36 (1f10bfa63). I have Dovecot v2.3.4.1 (f79e8e7e4).
I'm wondering if this bug is still present in my version or if I have another problem.
Both my servers (dovecot and keycloak) are using let's encrypt certificates. I tried to configure Keycloak with nginx proxy and without it (access via port 8443) (in case the problem came from the ssl config on the keycloak server), but still the same error.
If the bug is fixed, then could someone tell me what I have to put in the option tls_ca_cert_file?
I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I got from the Let's Encrypt website (https://letsencrypt.org/certificates/; I tried ISRG Root X1 (self-signed), Let's Encrypt Authority X3 (IdenTrust cross-signed) and Let's Encrypt Authority X3 (signed by ISRG Root X1)). But I always have the same error.
Thanks, Kenny
Hi!
Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
Aki
Also, can you verify with 'openssl s_client' that you are sending the full certificate path in your letsencrypt certificate? tls_ca_cert_file should point to whatever your certificate's *root* certificate is.
Aki
Hello Aki,
First, big thanks for your time and help. Much appreciated.
I tried v2.3.10.1 (from debian testing) but same error.
Now about the root certificate, I'm not sure what to try other than the 3 I tried.
When looking on the web for Let's encrypt Root certificate, all seems to point to the one I tried: https://letsencrypt.org/certificates/
Isn't the ISRG Root X1 Certificate the root certificate for Let's Encrypt?
Here you can find the answer to the openssl command "openssl s_client -connect my.keycloak.host:443 -showcerts":
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.keycloak.host
verify return:1
Certificate chain
 0 s:CN = my.keycloak.host
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
...... (more lines)
i8cgf5H57alS0qMUZqirusmCFeksfg==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...... (more lines)
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Server certificate
subject=CN = my.keycloak.host
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3176 bytes and written 390 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: EB85C94956267BF141......
    Session-ID-ctx:
    Master-Key: 84AA20A5DD8FB18ABF1.......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
    .... (9 more lines like this)
    00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.
    Start Time: 1594040666
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
Thanks, Kenny
I finally found that Root certificate. But frankly, what a nightmare to find it.
If someone else is in the same predicament, here is where you can find it:
- Go here: https://letsencrypt.org/certificates/
- Click on the link Download “TrustID X3 Root” on identrust.com (https://www.identrust.com/support/downloads)
- Go all the way down to the section TrustID X3 and click on the last link, Base64 Root Certificate.
- Copy the cert into a file.
I went back to v2.3.4.1 (Debian Buster version) and I can confirm it works too.
So no problem with Dovecot.
Thanks again for your help Aki.
Kenny
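An added example (not from the thread, and not Dovecot's or Let's Encrypt's code) of the check Aki describes: build a throwaway root -> intermediate -> leaf hierarchy with the openssl CLI, read off which CA the served chain stops at, and verify that only the self-signed root works as a tls_ca_cert_file, while chain.pem (the intermediate) and the leaf do not. All names are constructed; the root stands in for "DST Root CA X3" and the intermediate for "Let's Encrypt Authority X3" from Kenny's s_client output, and an openssl binary of 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example: constructed CA hierarchy, not real Let's Encrypt material.
# Shows why tls_ca_cert_file must hold the self-signed ROOT that issued the
# last certificate the server sends, not the intermediate from chain.pem.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

make_ca_hierarchy() {
  # Self-signed root CA (plays the role of DST Root CA X3).
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/O=Example Trust/CN=Example Root CA" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile ca.ext 2>/dev/null
  # Intermediate CA signed by the root (what chain.pem contains).
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 30 -extfile ca.ext 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=my.keycloak.host" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 2>/dev/null
  # What the server sends (leaf first, then intermediates), as s_client -showcerts lists it.
  cat leaf.pem int.pem > served_chain.pem
}

last_cert_issuer() {
  # Issuer of the LAST certificate in a PEM bundle: the CA the served chain
  # stops at. The self-signed certificate of that issuer is what belongs in tls_ca_cert_file.
  awk '/BEGIN CERTIFICATE/{buf=""} {buf=buf $0 "\n"} /END CERTIFICATE/{last=buf}
       END{printf "%s", last}' "$1" | openssl x509 -noout -issuer
}

verify_against_ca() {
  # $1 = candidate CA file. Succeeds only if the leaf chains up to a trusted
  # self-signed root; a trusted but non-self-signed intermediate is not enough.
  openssl verify -no-CApath -CAfile "$1" -untrusted int.pem leaf.pem >/dev/null 2>&1
}

make_ca_hierarchy
echo "Served chain ends at: $(last_cert_issuer served_chain.pem)"
for ca in leaf.pem int.pem root.pem; do
  if verify_against_ca "$ca"; then echo "$ca as tls_ca_cert_file: OK"
  else echo "$ca as tls_ca_cert_file: FAILS"; fi
done
```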