On 2013-09-13 09:18, Oscar del Rio wrote:
> On 09/13/13 07:59 AM, Dan Langille wrote:
>> I'm using Dovecot 2.2.5. I'm setting up a new IMAPS server for personal use (i.e. only me).
>> I have success with self-signed certificates but not with others (e.g. StartSSL.com)
>> /usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert issued by StartSSL
> Maybe you are missing some of the certificate chain.
> http://wiki2.dovecot.org/SSL/DovecotConfiguration "Chained SSL certificates"
I tried that yesterday and it seemed to make no difference. My attempts were based on http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43...
Perhaps I am doing the chain incorrectly. I just tried again. The server is now set up with the following:
I have three certs in this chain file:

  cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem

1 - the certificate issued by StartSSL for my server
2 & 3 - the PEM files for StartSSL as found at http://www.startssl.com/certs/
I am not convinced that I have the appropriate PEM files for StartSSL.
I verified the cert chain:

  # openssl verify -CAfile testing.chain.pem imaps.unixathome.org.crt
  imaps.unixathome.org.crt: OK
When I test the connection, I see:

  $ openssl s_client -connect imaps.unixathome.org:993 -quiet
  depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
  verify error:num=19:self signed certificate in certificate chain
  verify return:0
  * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.
Ideas?
-- Dan Langille - http://langille.org/
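The chain-file procedure discussed in the thread, worked through as an added example that is not part of the thread and not Dovecot's or StartSSL's material: it builds a private root -> intermediate -> leaf chain with openssl, concatenates the chain file a server should serve, and then runs the three verification cases that matter. Verifying the leaf against a local file that already contains the root only proves the files fit together; what a client sees depends on what the server actually sends and on what the client trusts, and `openssl verify` with no trust anchors reproduces the error 19 that `s_client` prints when it is run without `-CAfile`/`-CApath`. All names (Example Root CA, imaps.example.test, the file names) are made up, and the `-no-CAfile`/`-no-CApath` options assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example, not from the thread: build a private root -> intermediate ->
# leaf chain and show what each openssl verify invocation proves.
# All names (Example Root CA, imaps.example.test, file names) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:imaps.example.test
EOF

make_chain() {
  # Self-signed root CA (plays the role of the CA's ca.pem).
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 2>/dev/null
  # Intermediate CA signed by the root (plays the role of the CA's sub/intermediate PEM).
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions ca_ext -out int.pem -days 30 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=imaps.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile ca.cnf -extensions leaf_ext -out leaf.pem -days 30 2>/dev/null
  # The file a server should hand to clients: its own cert first, then the
  # intermediate(s). The root is optional because clients must already trust it.
  cat leaf.pem int.pem > chain.pem
}

# Number of PEM certificates in a file (quick sanity check of a chain file).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Client trusts only the root and receives only the leaf: fails with
# "unable to get local issuer certificate". This is how a server whose
# ssl_cert points at the bare leaf certificate looks to clients.
verify_leaf_alone() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Client trusts the root and receives leaf + intermediate (chain.pem): OK.
verify_served_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted chain.pem leaf.pem >/dev/null 2>&1
}

# Client trusts nothing and receives the whole chain including the root:
# fails with error 19, "self signed certificate in certificate chain".
# That is a client with an empty trust store, not a broken chain.
verify_untrusted_root() {
  openssl verify -no-CAfile -no-CApath -untrusted chain.pem -untrusted root.pem leaf.pem >/dev/null 2>&1
}

report() { if "$1"; then echo "$1: verify OK"; else echo "$1: verify FAILED"; fi; }

make_chain
echo "chain.pem holds $(count_certs chain.pem) certificates"
report verify_leaf_alone        # expected: FAILED
report verify_served_chain      # expected: OK
report verify_untrusted_root    # expected: FAILED
```

The second case is the one a correctly configured server produces: the client has the root in its trust store and the server supplies everything between the root and its own certificate. The third case is why a bare `openssl s_client` run can report error 19 against a server that is serving a complete chain; pass the CA bundle with `-CAfile` to make `s_client` verify the way a mail client would.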