On 06/08/2019 22:49 telsch via dovecot dovecot@dovecot.org wrote:

Hello,

using letsencrypt ssl certs with san works perfectly with 2.2.34, but after uprading to 2.3.4.1 it couldn't verified (also tried v2.3.7.1).

i connect to imap.myserver.lan

the cn of the cert is myserver.lan and has the san imap.myserver.lan

openssl s_client -connect imap.myserver.lan:993 CONNECTED(00000005) depth=0 CN = imap.myserver.lan verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = imap.myserver.lan verify error:num=21:unable to verify the first certificate verify return:1

Certificate chain 0 s:CN = imap.myserver.lan i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

if i cat ssl_ca and ssl_cert into one file and only use ssl_cert it's working with 2.3.X

ssl_ca =

ssl_ca is not supposed to be automatically cat'ed into the certificate. The correct way is to put cert and leafs to the cert in order towrads root into ssl-imap.pem. ssl_ca is intended for verifying clients connecting to the server.

Aki

with v2.2.34 i can use:

ssl_ca =

after upgrade to v2.3.X it doesn't work like before.

it's working if i manual cat ca-bundle.pem and ssl-imap.pem into one file and using only:

ssl_cert =

i thought ssl_ca is where to put the intermediate cert?