[Dovecot] Dovecot SSL-Certificate
Hello,
I've a not really dovecot specific problem with my certificate. Since the OpenSSL documentation isn't what I expect to be at least good, I hope someone here can give me a hint how/where to fix it; I've created a root-Certificate with almost untouched openssl.cnf and issued a server-certificate for dovecot. This cert and its key I placed in somewhat like /var/dovecot. To state explicitly, away from its superior root-cert.
So, a:
openssl s_client -connect server.tektoform.lan:993 -showcerts
ends up in:
unable to get local issuer certificate.
Although connections from clients are working, I prefer to set it up cleanly. Does openssl-clientlib look up openssl.cnf, where the place of root-CA-cert is denoted, or do I have to put all certs together in a single directory, or, or, or ...?
Or to be more verbose for "openssl s_client":
CONNECTED(00000003)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster@tektoform.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster@tektoform.lan
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster@tektoform.lan
verify error:num=21:unable to verify the first certificate
verify return:1
Thanks for your comments.
A
--
Adam Pordzik wrote:
> Hello,
> I've a not really dovecot specific problem with my certificate. Since the OpenSSL documentation isn't what I expect to be at least good, I hope someone here can give me a hint how/where to fix it; I've created a root-Certificate with almost untouched openssl.cnf and issued a server-certificate for dovecot. This cert and its key I placed in somewhat like /var/dovecot. To state explicitly, away from its superior root-cert.
> So, a:
> openssl s_client -connect server.tektoform.lan:993 -showcerts
> ends up in:
> unable to get local issuer certificate.
> Although connections from clients are working, I prefer to set it up cleanly. Does openssl-clientlib look up openssl.cnf, where the place of root-CA-cert is denoted, or do I have to put all certs together in a single directory, or, or, or ...?
If you have clients using OpenSSL, libssl will look for root certificates by looking for a file named <hash>.0 in the certs directory (/etc/ssl/certs on Debian), where <hash> is the string you get if you pass the certificate to "openssl x509 -hash" (see x509(1ssl)). Typically, you create a symlink by that name to the more readably-named certificate file.
I hope that helps!
-- Magnus Holmgren Linköping, Sweden
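The `<hash>.0` lookup described in the reply above, as an added example that is not part of the original thread: it builds a throwaway root CA and server certificate, shows verification failing against an empty certs directory, then succeeding once the root is symlinked under its subject hash. All subjects, file names and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed for the demo.
demo_hash_lookup() {
    work=$(mktemp -d) || return 2
    mkdir "$work/certs"
    # Minimal config so the root certificate is marked as a CA on any OpenSSL version.
    cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root, then a server certificate issued by it.
    openssl req -x509 -config "$work/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null || return 2
    openssl req -new -config "$work/ca.cnf" -subj "/CN=server.example.lan" \
        -newkey rsa:2048 -nodes -keyout "$work/srv.key" -out "$work/srv.csr" \
        2>/dev/null || return 2
    openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -out "$work/srv.pem" 2>/dev/null || return 2

    # 1) The root is not reachable through the certs directory: issuer lookup fails.
    if openssl verify -CApath "$work/certs" "$work/srv.pem" 2>&1 | grep -q ': OK$'
    then before=ok; else before=fail; fi

    # 2) Link the root under <hash>.0, the file name libssl searches for.
    hash=$(openssl x509 -hash -noout -in "$work/ca.pem")
    ln -s ../ca.pem "$work/certs/$hash.0"
    if openssl verify -CApath "$work/certs" "$work/srv.pem" 2>&1 | grep -q ': OK$'
    then after=ok; else after=fail; fi

    rm -rf "$work"
    echo "before=$before after=$after"
}

demo_hash_lookup
```

The same directory can be handed to `openssl s_client` with `-CApath` to check a live server against it.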