On 08.07.2017 at 23:10, Heiko Schlittermann wrote:
Andreas Oster <aoster@novanetwork.de> (Fr 07 Jul 2017 08:15:05 CEST):
Hi all,
I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks ago I had to replace our dovecot certificate due to expiration. In the past I used a self-signed certificate, but because we now have a little openssl based CA I decided to create a signed certificate for imaps. Dovecot is happily accepting the new certificate, which has the whole cert chain integrated. Unfortunately Pigeonhole does not seem to like the certificate:
As it seems, Pigeonhole sends you the full cert chain:
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen …
- Certificate[2] info:
- subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer
The last one being the CA used.
SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
For me it reads as if your client (gnutls-cli) does not trust the chain your server sent. (The server doesn't care about the chain).
I have checked the certificate with:
openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem
/etc/ssl/certs/mail.novanetwork.local.cert.pem: OK
How do you know that gnutls-cli uses the same CA file? Try passing the CA file to gnutls-cli?
The --x509cafile seems to be hardcoded in /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (Debian9, amd64)
$ strings /usr/lib/x86_64-linux-gnu/libgnutls.so.30 | grep '/etc/ssl'
/etc/ssl/certs/ca-certificates.crt
So, on my system gnutls-cli seems to use the same CA store (/etc/ssl/certs) as openssl.
Best regards from Dresden/Germany
Heiko Schlittermann
Hello Heiko,
removing the CA and intermediate certificates from the server certificate and adding the CA certs to the ca-certificates.crt resolved my issue.
Thank you for your kind help.
Best regards,
Andreas
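Added example (not code from the thread or from the dovecot project): it reproduces Heiko's diagnosis offline with a throwaway CA, so the CA name, file paths and the second "other" CA standing in for an unrelated system trust store are all constructed here. The server certificate verifies against its own CA file (as Andreas' openssl verify did), fails against a store that lacks the CA (what gnutls-cli saw), and verifies again once the CA certificate is appended to that store (Andreas' fix).

```shell
#!/bin/sh
# Added example: a trust-store mismatch reproduced locally, then fixed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway root CA and a server certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/server.pem" >/dev/null 2>&1

# Constructed unrelated CA: stands in for a system store such as
# /etc/ssl/certs/ca-certificates.crt that does not yet contain our CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/store.crt" >/dev/null 2>&1

# verify_with_store CERT STORE: exit 0 if CERT chains to a CA in the PEM
# bundle STORE, non-zero otherwise (same check openssl verify -CAfile does).
verify_with_store() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 1. Against the issuing CA file itself: OK (the openssl verify in the thread).
verify_with_store "$WORK/server.pem" "$WORK/ca.pem" && echo "against CA file: OK"

# 2. Against a store without the CA: NOT trusted (the gnutls-cli failure).
verify_with_store "$WORK/server.pem" "$WORK/store.crt" || echo "against store: NOT trusted"

# 3. The fix: append the CA certificate to the store the client consults.
cat "$WORK/ca.pem" >> "$WORK/store.crt"
verify_with_store "$WORK/server.pem" "$WORK/store.crt" && echo "after adding CA: OK"
```

Note that appending a CA to the bundle by hand is undone by the next update-ca-certificates run; placing it under /usr/local/share/ca-certificates/ and regenerating the bundle survives that.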