----- Original Message -----
From: "Tobi" tobster@brain-force.ch To: dovecot@dovecot.org Sent: Thursday 10 November 2016 16:35:56 Subject: Re: service doveadm : ssl problems
Have you specified the path to ca-certificates? On Debian it's normally something like that
# 10-ssl.conf
ssl_client_ca_dir = /etc/ssl/certs
Yup, I did exactly that, sorry I forgot to include that part in the excerpt from my ssl config. However, as far as I understood, this is of no impact when I test with openssl, right? (for the record, I also tried to manually add the intermediate CA (Let's Encrypt Authority X3) in the /etc/ssl/certs dir, without any luck)
N.
see http://wiki.dovecot.org/Replication#SSL
On 10.11.2016 at 16:09, nerbrume@free.fr wrote:
Hello,
I'm using dovecot 2.2.13 on Debian stable. My users are authenticated through PAM and stored in an LDAP backend. I'm trying to set up replication with ssl, following (mainly) this: http://wiki2.dovecot.org/Replication
- I only diverted from the instructed setup by not setting "doveadm_port = 12345", as it would give me errors like:
Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't support crentials lookups (to see if user is proxied, because doveadm_port is set)
but rather specifying the port in the mail_replica setting: "mail_replica = tcps:my.domain.com:1465" (following a mail from here: http://www.dovecot.org/list/dovecot/2016-September/105356.html). So far, this seems to be working for me.
- However, I'm having ssl problems. I have a Let's Encrypt certificate, and have concatenated the CA cert and my server cert in a fullchain.pem. Excerpt from my ssl config:
ssl = yes
ssl_cert =
doveadm returns these errors (sudo -u dovecot doveadm -v sync -u user tcps:my.domain.com:12345):
doveadm(casoli): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
doveadm(casoli): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
doveadm(casoli): Fatal: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
Which I can reproduce with openssl (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:12345):
(...)
Verify return code: 21 (unable to verify the first certificate)
Indeed, in this case, dovecot only returns the local part of the certificate (my.domain.com), and not the full chain (with the intermediate CA).
While testing regular IMAPS with openssl is ok (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
(...)
Verify return code: 0 (ok)
And I can see the full chain.
So, it seems to me that doveadm is somehow wrongly serving my certificate, truncating it, but I can't see why, and if this is a misconfiguration on my part. I can post more config files or message outputs if needed; I kept them redacted here for the sake of brevity.
Regards, N
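The thread's diagnostic is to compare what `openssl s_client -showcerts` reports on the doveadm port (one certificate, verify code 21) against the IMAPS port (full chain, verify code 0). The helper below, added here as an example and not code from the thread or from the Dovecot project, turns that manual comparison into a repeatable check: it counts the PEM blocks the server sent and extracts the "Verify return code", then classifies the endpoint. The function names are hypothetical, and the two transcripts it runs on are constructed samples that mimic the two outputs described in the mail (the certificate bodies are placeholders, not real certificates); `capture_chain` uses the same openssl flags as the thread and is provided for use against a live host but is not called here.

```shell
#!/bin/sh
# Added example (not from the thread or the Dovecot project): parse an
# `openssl s_client -showcerts` transcript to tell a server that sent its
# full chain apart from one that sent only the leaf certificate.

# Fetch a transcript from a live endpoint ($1 = host, $2 = port), using the
# same flags as in the thread. Not called below; the checks run on
# constructed sample transcripts so the script works offline.
capture_chain() {
    openssl s_client -showcerts -CApath /etc/ssl/certs \
        -connect "$1:$2" < /dev/null 2>/dev/null
}

# Number of PEM certificate blocks the server presented ($1 = transcript file).
# grep -c exits 1 when the count is 0, so "|| true" keeps the count printable.
count_chain_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Numeric "Verify return code" from the transcript (empty if absent).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# ok        : verification succeeded
# leaf-only : verification failed and only one certificate was sent
#             (the symptom seen on the doveadm port in the thread)
# failed    : verification failed for some other reason (expired, wrong name...)
chain_status() {
    code=$(verify_code "$1")
    n=$(count_chain_certs "$1")
    if [ "$code" = "0" ]; then
        echo ok
    elif [ "$n" -le 1 ]; then
        echo leaf-only
    else
        echo failed
    fi
}

# Constructed sample: one certificate, verify code 21 (doveadm port symptom).
SAMPLE_LEAF_ONLY=$(mktemp)
cat > "$SAMPLE_LEAF_ONLY" <<'EOF'
CONNECTED(00000003)
depth=0 CN = my.domain.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=my.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
placeholder-leaf-cert-body (constructed, not a real certificate)
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
EOF

# Constructed sample: leaf plus intermediate, verify code 0 (the IMAPS case).
SAMPLE_FULL_CHAIN=$(mktemp)
cat > "$SAMPLE_FULL_CHAIN" <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.domain.com
verify return:1
---
Certificate chain
 0 s:/CN=my.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
placeholder-leaf-cert-body (constructed, not a real certificate)
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
placeholder-intermediate-cert-body (constructed, not a real certificate)
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
EOF

echo "doveadm-style transcript: $(chain_status "$SAMPLE_LEAF_ONLY")"
echo "imaps-style transcript:   $(chain_status "$SAMPLE_FULL_CHAIN")"
```

Against a live server the same check is `capture_chain my.domain.com 12345 > out.txt; chain_status out.txt`; a result of `leaf-only` on the doveadm port while IMAPS reports `ok` reproduces the mismatch the thread describes, which points at the certificate served on that port rather than at the client's CA store.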