Upgrading to v2.3.X breaks ssl san?
On 06/08/2019 22:49 telsch via dovecot <dovecot@dovecot.org> wrote:
Hello,
Using Let's Encrypt SSL certs with SAN works perfectly with 2.2.34, but after upgrading to 2.3.4.1 it couldn't be verified (also tried v2.3.7.1).
I connect to imap.myserver.lan.
The CN of the cert is myserver.lan and it has the SAN imap.myserver.lan.
openssl s_client -connect imap.myserver.lan:993
CONNECTED(00000005)
depth=0 CN = imap.myserver.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = imap.myserver.lan
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:CN = imap.myserver.lan
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it works with 2.3.X:
ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
ssl_ca is not supposed to be automatically cat'ed into the certificate. The correct way is to put the cert and the leafs to the cert, in order towards the root, into ssl-imap.pem. ssl_ca is intended for verifying clients connecting to the server.
Aki
On Tue, 6 Aug 2019, telsch wrote:
If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it works with 2.3.X:
ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
In the words of Montoya, "I do not think it means what you think it means", referring to "ssl_ca". That file is not used to establish the trust chain to your server certificate, but rather, to your clients' certificates (e.g. if you run a local CA to issue user certificates for mutual authentication, you would put your local CA certificate here).
(Maybe this config variable should be renamed "ssl_client_ca".)
Appending intermediate and server certificates is what you're supposed to do.
Joseph Tam <jtam.home@gmail.com>
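The point Aki and Joseph make above can be checked without a mail server: a TLS client only ever sees the certificates the server sends, and Dovecot sends what is in ssl_cert, never what is in ssl_ca. The following is an added example written for this page, not Dovecot code. It builds a constructed root/intermediate/leaf chain (standing in for the Let's Encrypt chain; no real certificates or keys are involved), loads an ssl_cert file the way a TLS server does (Go's tls.X509KeyPair, which like OpenSSL expects the leaf first), and then verifies the sent chain as a client whose CA bundle holds only the root would. Three configurations are tried: the leaf alone with the bundle in ssl_ca (the thread's failing setup), the intermediate wrongly placed before the leaf, and the leaf followed by the intermediate (the setup the thread recommends, i.e. the file you get from concatenating cert and chain into ssl-imap.pem). The names BuildPKI and ClientView are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed three-tier chain: RootPEM is what the client's CA bundle
// trusts, InterPEM is the intermediate, LeafPEM/LeafKeyPEM is the server cert
// for imap.myserver.lan. None of this is a real certificate.
type PKI struct {
	RootPEM, InterPEM, LeafPEM, LeafKeyPEM []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signerKey under parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert
}

// BuildPKI generates the throwaway root -> intermediate -> leaf chain.
func BuildPKI() PKI {
	now := time.Now()
	ca := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootKey := newKey()
	rootPEM, root := issue(ca("Example Root CA", 1), nil, &rootKey.PublicKey, rootKey)
	interKey := newKey()
	interPEM, inter := issue(ca("Example Intermediate CA", 2), root, &interKey.PublicKey, rootKey)
	leafKey := newKey()
	leafPEM, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "myserver.lan"},
		DNSNames:    []string{"myserver.lan", "imap.myserver.lan"}, // the SAN from the thread
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		panic(err)
	}
	return PKI{rootPEM, interPEM, leafPEM, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}
}

// ClientView loads sslCert as a TLS server would (first block must match the
// key, the remaining blocks are sent to the client as the chain) and then
// verifies the sent chain as a client trusting only the root does.
// sslCA is taken only to make the point: it is never sent, so it cannot help.
func ClientView(p PKI, sslCert, sslCA []byte) error {
	_ = sslCA // Dovecot's ssl_ca validates *client* certificates; it is not part of the server chain
	kp, err := tls.X509KeyPair(sslCert, p.LeafKeyPEM)
	if err != nil {
		return fmt.Errorf("server cannot load ssl_cert: %w", err)
	}
	leaf, err := x509.ParseCertificate(kp.Certificate[0])
	if err != nil {
		return err
	}
	sent := x509.NewCertPool() // intermediates the client actually received
	for _, der := range kp.Certificate[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		sent.AddCert(c)
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(p.RootPEM)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: "imap.myserver.lan", Roots: roots, Intermediates: sent})
	return err
}

func main() {
	p := BuildPKI()
	bundle := append(append([]byte{}, p.RootPEM...), p.InterPEM...) // stands in for /etc/ssl/ca-bundle.pem
	fmt.Println("leaf only in ssl_cert, bundle in ssl_ca:", ClientView(p, p.LeafPEM, bundle))
	fmt.Println("intermediate then leaf in ssl_cert:     ", ClientView(p, append(append([]byte{}, p.InterPEM...), p.LeafPEM...), nil))
	fmt.Println("leaf then intermediate in ssl_cert:     ", ClientView(p, append(append([]byte{}, p.LeafPEM...), p.InterPEM...), nil))
}
```

The first case fails with an unknown-authority error, which is the Go equivalent of the "unable to get local issuer certificate" that s_client printed in the thread; the second is rejected at load time because the key does not match the first certificate in the file, which is why order matters when concatenating; only the third verifies. The corresponding Dovecot fix is exactly what the thread settles on: ssl_cert points at a file holding the server certificate followed by the intermediate(s), and ssl_ca is left for client certificate validation.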
On Wed, 7 Aug 2019, Aki Tuomi wrote:
(Maybe this config variable should be renamed "ssl_client_ca".)
... except there already is ssl_client_ca_* settings used to validate connections from dovecot.
So there is. Maybe "ssl_usercert_ca" then. A low-priority suggestion to avoid newbies who don't read the docs closely enough. For the longest time, I held the same mistaken belief about the purpose of "ssl_ca".
Joseph Tam <jtam.home@gmail.com>
With v2.2.34 I can use:
ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
After the upgrade to v2.3.X it doesn't work like before.
It's working if I manually cat ca-bundle.pem and ssl-imap.pem into one file and use only:
ssl_cert = </etc/ssl-imap.pem
I thought ssl_ca is where to put the intermediate cert?