[Dovecot] Server CommonName mismatch: localhost.localdomain
Hello,
I have seen via google that this very problem was already discussed on this and other lists some months ago, but the archives report no solution.
I have dovecot 1.0-0_12.beta8 on Centos 4.3. IMAP works just fine: I can read email from both Squirrelmail via web and Kmail.
Now I have created an ssl certificate and I'm trying to use it via pop3.
When I launch fetchmail I get the error below. Is it caused by dovecot? If not, where is the problem, on the server or here in my home PC?
TIA, Marco
marco@polaris:~> fetchmail -vv
fetchmail: 6.3.2 querying my.vps.fqdn.name (protocol POP3) at Tue 13 Jun 2006 05:22:50 PM CEST: poll started
fetchmail: Issuer Organization: SomeOrganization
fetchmail: Issuer CommonName: localhost.localdomain
fetchmail: Server CommonName: localhost.localdomain
fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name
fetchmail: my.vps.fqdn.name key fingerprint: 20:93:B4:D8:CB:75:AD:72:F6:00:A8:DC:CE:F2:53:6E
fetchmail: my.vps.fqdn.name fingerprints do not match!
23942:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from remoteuser@my.vps.fqdn.name
-- Marco Fioretti mfioretti, at the server mclink.it Fedora Core 3 for low memory http://www.rule-project.org/
Only boring people ever get bored Anonymous
On Tue, Jun 13, 2006 18:15:03 PM +0200, I (mfioretti@mclink.it) wrote:
Hello,
I have seen via google that this very problem was already discussed on this and other lists some months ago, but the archives report no solution.
Summary: one tries to talk with Dovecot via ssl and gets:
fetchmail: Issuer CommonName: localhost.localdomain
fetchmail: Server CommonName: localhost.localdomain
fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name
Solution: this is what happens when one forgets to point to the right ssl files in dovecot.conf and leaves the default (example-only) values:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
However, now I have another problem, and cannot figure out if it's dovecot related, some general ssl bug or an error (but which one) from me:
I have a remote server running centos 4.3 and a home desktop running suse 10.1. I have generated an SSL certificate on the server, copied it on the desktop and run on the desktop:
openssl x509 -in mynewcertCert.pem -fingerprint -subject -issuer -serial -hash -noout
c_rehash .
getting this warning:
Doing .
WARNING: mynewcertPrivateKey.pem does not contain a certificate or CRL: skipping
mynewcertCert.pem => 2764d17c.0
Now I have noted two things:
1) the fingerprint generated from the openssl command above is different when I run it on centos or on suse 10.1. Why?
2) if I run fetchmail here with these options:
I get:
fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006 07:22:34 PM CEST: poll started
fetchmail: Issuer Organization: My organization
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server key fingerprint: the one obtained running openssl on the server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from m-mail@fm.vm.bytemark.co.uk
What is the "local issuer" problem? What am I missing? Is it a consequence of problem 1) ? What is happening, and what must I do to use this certificate? Is it a dovecot only problem?
TIA, Marco
-- Marco Fioretti mfioretti, at the server mclink.it Fedora Core 3 for low memory http://www.rule-project.org/
I don't even have an email address. I have reached an age where my main purpose is not to receive messages. U. Eco, quoted in the New Yorker
On Tue, 2006-06-13 at 20:54 +0200, M. Fioretti wrote:
- if I run fetchmail here with these options:
I get:
fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006 07:22:34 PM CEST: poll started
fetchmail: Issuer Organization: My organization
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server key fingerprint: the one obtained running openssl on the server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from m-mail@fm.vm.bytemark.co.uk
What is the "local issuer" problem? What am I missing? Is it a consequence of problem 1) ? What is happening, and what must I do to use this certificate? Is it a dovecot only problem?
I'm guessing it's because you're using a self-signed certificate and fetchmail can't be sure that the certificate is valid. You'll either have to:
a) tell fetchmail to ignore the problem (which makes man-in-the-middle attacks possible)
b) tell fetchmail somehow about the certificate
c) create your own CA, create the certificate using it and tell fetchmail about your CA certificate
No idea which of those options are possible with fetchmail. In any case these problems have more to do with SSL in general and fetchmail than Dovecot..
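Option (c) above, together with the two Dovecot settings named earlier in the thread (ssl_cert_file / ssl_key_file), carried out end to end as an added example; this script is not part of any message in the thread. It assumes a POSIX shell and an installed openssl binary. The CA name, the organization and the hostname my.vps.fqdn.name are placeholders (the last two taken from the first post). It builds a private CA, issues a server certificate whose CN is the name fetchmail polls, installs the CA in a subject-hash directory of the kind c_rehash produces, and runs the same verification OpenSSL performs on the client side both with and without the CA, so the "unable to get local issuer certificate" case from the thread reproduces offline. It also prints the MD5 and SHA-1 fingerprints with the digest named explicitly, since openssl's default digest for -fingerprint has changed between releases while fetchmail 6.3 prints an MD5 value (the 16-byte fingerprint in the first post).

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, issue a server
# certificate for the polled FQDN, and verify it as an SSL client would.
# Everything is written to a scratch directory; no real server is touched.
set -eu

DEMO_DIR=$(mktemp -d)                   # scratch dir for this demo
SERVER_FQDN="my.vps.fqdn.name"          # assumption: the hostname clients poll

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

make_ca() {
    # Self-signed CA certificate and key (the "create your own CA" step).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example Private CA/CN=Example Private CA" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.pem" 2>/dev/null
}

make_server_cert() {
    # Server key + CSR. The CN must be the FQDN fetchmail connects to, or the
    # client reports "Server CommonName mismatch" even when the CA is trusted.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=SomeOrganization/CN=$SERVER_FQDN" \
        -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" 2>/dev/null
    # Sign the CSR with the private CA; the issuer is now the CA, not the server.
    openssl x509 -req -in "$DEMO_DIR/server.csr" -days 365 \
        -CA "$DEMO_DIR/ca.pem" -CAkey "$DEMO_DIR/ca.key" -CAcreateserial \
        -out "$DEMO_DIR/server.pem" 2>/dev/null
}

install_ca_for_client() {
    # A CApath directory is indexed by subject hash (the layout c_rehash
    # produces); build the same <hash>.0 link by hand with -hash.
    mkdir -p "$DEMO_DIR/certs"
    cp "$DEMO_DIR/ca.pem" "$DEMO_DIR/certs/ca.pem"
    h=$(openssl x509 -in "$DEMO_DIR/ca.pem" -noout -hash)
    ln -sf ca.pem "$DEMO_DIR/certs/$h.0"
}

server_cn() {
    # CN as the client sees it; works for both "/CN=x" and "CN = x" output.
    openssl x509 -in "$DEMO_DIR/server.pem" -noout -subject | sed -n 's/.*CN *= *//p'
}

verify_chain() {
    # Client that trusts the CA file: the chain verifies.
    openssl verify -CAfile "$DEMO_DIR/ca.pem" "$DEMO_DIR/server.pem" 2>&1 | grep -q ': OK$'
}

verify_with_capath() {
    # Same check through the hashed directory (what -CApath style lookups use).
    openssl verify -CApath "$DEMO_DIR/certs" "$DEMO_DIR/server.pem" 2>&1 | grep -q ': OK$'
}

verify_without_ca() {
    # Client that does not know the CA: the thread's
    # "unable to get local issuer certificate" case. Returns non-zero.
    openssl verify "$DEMO_DIR/server.pem" 2>&1 | grep -q ': OK$'
}

fingerprint() {
    # $1 is md5, sha1 or sha256. Always name the digest: openssl's default
    # for -fingerprint differs between releases, fetchmail 6.3 shows MD5.
    openssl x509 -in "$DEMO_DIR/server.pem" -noout -fingerprint "-$1" | cut -d= -f2
}

main() {
    make_ca
    make_server_cert
    install_ca_for_client
    echo "files in $DEMO_DIR (server.pem/server.key are what Dovecot's"
    echo "ssl_cert_file/ssl_key_file would point at)"
    echo "server CN:        $(server_cn)"
    echo "MD5 fingerprint:  $(fingerprint md5)"
    echo "SHA1 fingerprint: $(fingerprint sha1)"
    if verify_chain;       then echo "with -CAfile: OK"; fi
    if verify_with_capath; then echo "with -CApath: OK"; fi
    echo "without CA:"
    openssl verify "$DEMO_DIR/server.pem" 2>&1 | sed 's/^/  /'
}

main
```

On the Dovecot side the generated server.pem and server.key are the files ssl_cert_file and ssl_key_file must name instead of the example defaults. On the fetchmail side, option (b) is the `sslfingerprint` option with the MD5 value the script prints, and option (c) is `sslcertck` together with `sslcertpath` pointing at a hashed directory that contains the CA certificate (for a self-signed server certificate, the certificate itself); the server's private key has no place there, which is what the c_rehash warning in the thread says. A live server can be checked the same way with `openssl s_client -connect host:995 -CAfile ca.pem`. Caveat for current deployments: this certificate carries only a CN, mirroring the 2006 thread; modern TLS clients require a subjectAltName entry, which `openssl req` can add with `-addext "subjectAltName=DNS:host"` (OpenSSL 1.1.1 and later).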
participants (2)
- M. Fioretti
- Timo Sirainen