When I install an SSL certificate, I can't find a config option to configure the Server Certificate Chain file... Is this not possible or can I do it another way? (When I connect, I am being told the Signature status is uncheckable...)
Regards,
BTJ
--
Bjørn T Johansen
btj@havleik.no
Someone wrote: "I understand that if you play a Windows CD backwards you hear strange Satanic messages" To which someone replied: "It's even worse than that; play it forwards and it installs Windows"
On 31.01.2008 1:27, Bjørn T Johansen wrote:
> When I install an SSL certificate, I can't find a config option to configure the Server Certificate Chain file... Is this not possible or can I do it another way? (When I connect, I am being told the Signature status is uncheckable...)
> Regards,
> BTJ
You need to put all certificates in one file in the correct order. Look for example here http://wiki.dovecot.org/SSL/DovecotConfiguration
On Thu, 31 Jan 2008 01:33:32 +0300 Nikolay Shopik shopik@inblock.ru wrote:
> On 31.01.2008 1:27, Bjørn T Johansen wrote:
>> When I install an SSL certificate, I can't find a config option to configure the Server Certificate Chain file... Is this not possible or can I do it another way? (When I connect, I am being told the Signature status is uncheckable...)
>> Regards,
>> BTJ
> You need to put all certificates in one file in the correct order. Look for example here http://wiki.dovecot.org/SSL/DovecotConfiguration
I have now tried every combination I can think of but my mail client still tells me..:
"Certificate for hostname is unknown. "
and
"Signature status: unable to get local issuer certificate."
I am trying to install a GoDaddy certificate and I have my public cert and then GoDaddy's intermediate certificate in my crt file, which I think is how it is supposed to be but I still get this...
What am I doing wrong?
BTJ
On Thu, 2008-01-31 at 13:48 +0100, Bjørn T Johansen wrote:
> I have now tried every combination I can think of but my mail client still tells me..:
> "Certificate for hostname is unknown. "
> and
> "Signature status: unable to get local issuer certificate."
> I am trying to install a GoDaddy certificate and I have my public cert and then GoDaddy's intermediate certificate in my crt file, which I think is how it is supposed to be but I still get this...
> What am I doing wrong?
As far as I know the only thing that matters is the certificate order in the file. Maybe checking with "openssl s_client -connect host:993" shows something useful?
But this reminds me anyway: Are the certificates GoDaddy offers still using intermediate certs? I was thinking about buying one of those $22/year ones for dovecot.org. Although I don't think I really need one right now. :)
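Added example (not part of the original thread and not Dovecot's own code): a shell check for the advice above that the certificates in the ssl_cert_file bundle must be in the correct order, server certificate first and each issuer after it. It compares issuer and subject names only; `check_chain_order` and `make_demo_chain` are hypothetical helper names, and the demo certificates are constructed test data.

```shell
# check_chain_order BUNDLE: 0 if each certificate is issued by the one after it.
# Compares issuer/subject names only; signatures are not verified here.
check_chain_order() {
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
    # No certificate found at all: report a usage error (2), not "ordered"
    [ -f "$work/cert.1" ] || { rm -rf "$work"; return 2; }
    i=1
    rc=0
    while [ -f "$work/cert.$((i + 1))" ]; do
        issuer=$(openssl x509 -in "$work/cert.$i" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$work/cert.$((i + 1))" -noout -subject | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf test certificates
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    for name in inter leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -out "$1/inter.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
        -CAcreateserial -days 2 -out "$1/leaf.crt" 2>/dev/null
}

# Usage: sh chaincheck.sh /path/to/bundle.pem
if [ "$#" -gt 0 ]; then check_chain_order "$1"; fi
```

An exit status of 0 means the bundle is ordered, 1 means at least one certificate is out of place, and 2 means no certificate was found in the file.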
On Thu, 31 Jan 2008 15:25:47 +0200 Timo Sirainen tss@iki.fi wrote:
> On Thu, 2008-01-31 at 13:48 +0100, Bjørn T Johansen wrote:
>> I have now tried every combination I can think of but my mail client still tells me..:
>> "Certificate for hostname is unknown. "
>> and
>> "Signature status: unable to get local issuer certificate."
>> I am trying to install a GoDaddy certificate and I have my public cert and then GoDaddy's intermediate certificate in my crt file, which I think is how it is supposed to be but I still get this...
>> What am I doing wrong?
> As far as I know the only thing that matters is the certificate order in the file. Maybe checking with "openssl s_client -connect host:993" shows something useful?
I think I have found the problem... It is libetpan and GnuTLS that apparently can't build the cert chain properly... I just tried using Thunderbird and the certificate was accepted without any problems... :(
> But this reminds me anyway: Are the certificates GoDaddy offers still using intermediate certs? I was thinking about buying one of those $22/year ones for dovecot.org. Although I don't think I really need one right now. :)
Yes, still intermediate certs...
BTJ
Bjørn T Johansen wrote:
> When I install an SSL certificate, I can't find a config option to configure the Server Certificate Chain file... Is this not possible or can I do it another way? (When I connect, I am being told the Signature status is uncheckable...)
> Regards,
> BTJ
Hi Bjørn,
I use a CAcert certificate which uses a class 3 intermediate certificate. I have this configured in my dovecot.conf:
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/tls/certs/server.crt
ssl_key_file = /etc/pki/tls/certs/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
# gives cert errors when used... 2007112vbs
ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt
So I kind of 'misused' ssl_ca_file for it.
Egbert Jan
participants (4)
- Bjørn T Johansen
- Egbert Jan van den Bussche
- Nikolay Shopik
- Timo Sirainen