[Dovecot] How to configure ssl cert chain in dovecot 10-ssl.conf file
Hi there,
Does anyone know how to do this:
"Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
Dovecot's public certificate
TDC SSL Server CA
TDC Internet Root CA
Globalsign Partners CA"
I tried to set these parameters in conf.d/10-ssl.conf as below, but it doesn't seem to work.
ssl_cert =
I even cat mail.mymailserver.com.crt sub.class1.server.ca.pem certs/dovecot/ca.pem into one single file, and define ssl_cert = < /path/to/the/singcertfile.pem, but it doesn't work either.
In my apache httpd server httpd.conf file I can define:
SSLCertificateChainFile /etc/pki/dovecot/certs/sub.class1.server.ca.pem
SSLCACertificateFile /etc/pki/dovecot/certs/ca.pem
And it works fine.
Thanks for any suggestions.
Bu Xiaobing
On 05/18/2013 05:06 AM, Bu Xiaobing wrote:
> I even cat mail.mymailserver.com.crt sub.class1.server.ca.pem certs/dovecot/ca.pem into one single file, and define ssl_cert = < /path/to/the/singcertfile.pem, but it doesn't work either.
That should be the correct way, but I think there shouldn't be a space after the < character. What exactly is the error you are getting?
You can troubleshoot with openssl s_client, this is from my server:
$ openssl s_client -connect 192.168.xxx.xxx:143 -starttls imap -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 7t3YlXVfb6bVQ2pp, C = US, CN = mail.gedalya.net, emailAddress = ______@gedalya.net
verify return:1
Certificate chain
 0 s:/description=7t3YlXVfb6bVQ2pp/C=US/CN=mail.gedalya.net/emailAddress=postmaster@gedalya.net
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Gedalya,
Thanks for your reply, it works now. Finally I found it was a format problem: there should be a newline between the cert files when cat'ing them into one single file.
On 2013-5-18 17:48, Gedalya wrote:
Interesting. Technically, every line of text should end with a newline. Your files had the last line of text unterminated - that's the kind of thing Windows text editors do.
On 05/20/2013 09:39 PM, Bu Xiaobing wrote:
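As an added example (mine, not code from the thread or from Dovecot), this sh script builds the ssl_cert bundle in the order the quoted documentation gives (leaf, intermediate, root), adds the final newline that Gedalya identified as missing, and counts the intact certificate blocks so that a plain cat of an unterminated file is caught before Dovecot is restarted. The file names and the placeholder blocks in the demo are constructed, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread: build the ssl_cert bundle the way the
# thread concludes it must be built (leaf first, then intermediate(s), then root,
# every file newline-terminated) and check it before pointing 10-ssl.conf at it.

# Append one PEM file to stdout, adding the final newline only if the file's
# last line is unterminated (the Windows-editor artifact Gedalya describes).
emit_pem() {
    cat "$1"
    tail -c1 "$1" | read -r last || printf '\n'
}

# Usage: build_bundle OUTFILE leaf.crt intermediate.pem root.pem
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do emit_pem "$f" >> "$out"; done
}

# Count certificate blocks whose END marker sits on a line of its own. Plain
# `cat` of an unterminated file fuses "-----END ... ----------BEGIN ..." onto
# one line, so this comes out lower than the number of files concatenated.
count_blocks() {
    grep -c '^-----END CERTIFICATE-----$' "$1"
}

# Succeeds only when no marker was fused.
bundle_ok() {
    ! grep -q 'CERTIFICATE----------BEGIN CERTIFICATE' "$1"
}

# Demo with constructed placeholder blocks (no real certificates): leaf.crt lacks
# the trailing newline, just like the original poster's file.
demo() {
    d=$(mktemp -d)
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' LEAF '-----END CERTIFICATE-----' > "$d/leaf.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' INTER '-----END CERTIFICATE-----' > "$d/inter.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' ROOT '-----END CERTIFICATE-----' > "$d/root.pem"
    cat "$d/leaf.crt" "$d/inter.pem" "$d/root.pem" > "$d/naive.pem"
    build_bundle "$d/fixed.pem" "$d/leaf.crt" "$d/inter.pem" "$d/root.pem"
    echo "plain cat: $(count_blocks "$d/naive.pem") of 3 blocks intact"
    echo "build_bundle: $(count_blocks "$d/fixed.pem") of 3 blocks intact"
    rm -rf "$d"
}
demo
```

Once the bundle is installed and Dovecot restarted, the openssl s_client command Gedalya posted confirms that all three certificates are actually served.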