On 01/05/2017 08:55 PM, Juri wrote:
5 January 2017 01:21, "John Fawcett" john@voipsupport.it wrote:
On 01/04/2017 08:40 PM, Juri wrote:
Thank you.
In fact I tried both settings, that is

ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem

but with no luck. Actually, I noticed that with the two settings I get a slightly different error message (it took me quite a bit to notice it!), that is:

Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Error: sync: Disconnected from remote: Received invalid SSL certificate: unable to get *local* issuer certificate: /CN=mail.dividebyzero.it

(emphasis mine). I suppose that in the first case - as the server is sending only the last certificate on the chain - the client is unable to find the intermediate, while in the second case it won't find the root one.
I then tried, as you suggested, to concatenate both the intermediate and the root certificate in a single file, and it finally worked. In any case the original point still stands: in the sync mode - at least on my version (2.2.13) - the server sends only the last cert, so the client has to have the rest of the chain, instead of needing to have only the root certificate.
May I ask you which is the version of Dovecot bundled with CentOS, to know if this may be a bug fixed in a newer version?
Juri
Hi Juri
if you find validation failing when you have only the root certificate in the CA file but a chained server+intermediate in the server certificate file, then your analysis makes sense and it seems that the intermediate certificate is not being sent by the server. That ties in with the different error messages between imap and replication.
It might be interesting to do a test with the -showcerts parameter:

openssl s_client -showcerts -connect hostname:7557
openssl s_client -showcerts -connect hostname:993

The bundled version of Dovecot on CentOS 7 is 2.2.10 but I am not using that version. I am on 2.2.26, where I don't have the problem you see and both services send the server and intermediate certificate. I was unable to see any specific patches to the ssl or doveadm code for this issue, though it has undergone a few changes from 2.2.13.

John
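As an added example that is not part of the thread, the following constructed shell script builds a local root -> intermediate -> leaf chain with openssl and reproduces the three outcomes discussed above: verification fails when the client trusts only the root and the server presents only the leaf, and succeeds either when the server also sends the intermediate or when the intermediate is concatenated into the client's CA file. All names, paths and the helper functions are made up; the served_cert_count helper needs a live host and is not exercised here.

```shell
#!/bin/sh
# Constructed demo (not from the thread): build root -> intermediate -> leaf locally
# and show why a client that trusts only the root fails when the server sends only
# the leaf. All names and paths are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Root CA, self-signed; "req -x509" marks it CA:TRUE via the default v3_ca section.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 30 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile int.ext 2>/dev/null

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=mail.example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# What the server may present: only the leaf, or leaf + intermediate (ssl_cert holding the chain).
cat leaf.pem int.pem > served_full.pem
# What the client may trust: only the root, or root + intermediate (the concatenated ssl_client_ca_file).
cat root.pem int.pem > ca_bundle.pem

# Verify the leaf as a client would: trusted CAs from $1, certs the server presented in $2.
verify_as_client() {
  openssl verify -CAfile "$1" -untrusted "$2" leaf.pem
}

# Count certificates a live server actually presents (needs network; not exercised here).
served_cert_count() {  # $1 = host:port, e.g. mail.example.test:993 or :7557 for replication
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

echo "root only, server sends leaf only:";   verify_as_client root.pem leaf.pem || true
echo "root only, server sends leaf + intermediate:"; verify_as_client root.pem served_full.pem
echo "root + intermediate bundle, server sends leaf only:"; verify_as_client ca_bundle.pem leaf.pem
```

The first case prints the same "unable to get local issuer certificate" error the replication side reported, the other two print "leaf.pem: OK".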