Hello,
I'm trying to configure roundcube / dovecot to work with keycloak. I activated xoauth2 oauthbearer in dovecot. But a problem occurs when dovecot tries to contact the keycloak server (logs are below).
My problem looks like this one: https://dovecot.org/pipermail/dovecot/2019-December/117768.html The response to this problem was about a bug in oauth driver (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
Mizuki was using Dovecot v2.2.36 (1f10bfa63). I have Dovecot v2.3.4.1 (f79e8e7e4).
I'm wondering if this bug is still present in my version or if I have another problem.
Both my servers (dovecot and keycloak) are using let's encrypt certificates. I tried to configure Keycloak with nginx proxy and without it (access via port 8443) (in case the problem came from the ssl config on the keycloak server), but still the same error.
If the bug is fixed, then could someone tell me what I have to put in the option tls_ca_cert_file?
I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I got from the Let's Encrypt website (https://letsencrypt.org/certificates/; I tried ISRG Root X1 (self-signed), Let's Encrypt Authority X3 (IdenTrust cross-signed) and Let's Encrypt Authority X3 (Signed by ISRG Root X1)), but I always get the same error.
Thanks, Kenny
My configs:
- I'm on a Debian Buster with Dovecot / postfix / roundcube
- dovecot -n:
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-5-cloud-amd64 x86_64 Debian 10.4
auth_debug = yes
auth_mechanisms = xoauth2 oauthbearer login
auth_verbose = yes
debug_log_path = /var/log/dovecot-debug.log
first_valid_gid = 10000
first_valid_uid = 10000
info_log_path = /var/log/dovecot.log
last_valid_gid = 20000
last_valid_uid = 20000
lda_mailbox_autocreate = yes
log_path = /var/log/dovecot.log
mail_debug = yes
mail_gid = mail
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
passdb {
  args = /etc/dovecot/dovecot-oauth2.conf.ext
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
protocols = " imap"
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0600
    user = postfix
  }
  unix_listener auth-master {
    mode = 0600
    user = mail
  }
  unix_listener auth-userdb {
    mode = 0600
    user = mail
  }
}
service stats {
  unix_listener stats-reader {
    mode = 0600
    user = mail
  }
  unix_listener stats-writer {
    mode = 0600
    user = mail
  }
}
ssl_cert = </etc/letsencrypt/live/my.host/fullchain.pem
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
ssl_require_crl = no
userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
userdb {
  args = gid=mail home=/var/mail/%u
  driver = static
}
verbose_ssl = yes
protocol lda {
  info_log_path = /var/log/dovecot-deliver.log
  log_path = /var/log/dovecot-deliver-errors.log
}
- dovecot-oauth2.conf.ext:
tokeninfo_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token
introspection_mode = post
introspection_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...
username_attribute = email
tls_ca_cert_file = /etc/letsencrypt/live/my.host/chain.pem
#tls_ca_cert_file = /etc/ssl/certs/letsencrypt.pem
#active_attribute = enableMail
#active_value = TRUE
debug = yes
rawlog_dir = /tmp/oauth2
- Logs:
Jul 04 17:00:12 auth: Debug: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2: Making token validation lookup to https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token
Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Host created
Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Host session created
Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: IPs have expired; need to refresh DNS lookup
Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: Performing asynchronous DNS lookup
Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...... (long token)]: Submitted (requests left=1)
Jul 04 17:00:12 auth: Debug: http-client: host my.keycloak.host: DNS lookup successful; got 1 IPs
Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14 (shared): Peer created
Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14: Peer pool created
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Peer created
Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Setting up connection to 151.62.56.14 (SSL=my.keycloak.host) (1 requests pending)
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Linked queue https://my.keycloak.host (1 queues linked)
Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Started new connection to 151.62.56.14 (SSL=my.keycloak.host)
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Making new connection 1 of 1 (0 connections exist, 0 pending)
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Connecting
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Waiting for connect (fd=22) to finish for max 0 msecs
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: HTTPS connection created (1 parallel connections exist)
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Client connected (fd=22)
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connected
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Starting SSL handshake
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x10, ret=1: before SSL initialization
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: before SSL initialization
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write client hello
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client hello
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server hello
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server certificate
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server key exchange
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read server done
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write client key exchange
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write change cipher spec
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write finished
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished

==> dovecot.log <==
Jul 04 17:00:12 auth: Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

==> dovecot-debug.log <==
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=-1: SSLv3/TLS write finished
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS write finished
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read change cipher spec
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1001, ret=1: SSLv3/TLS read finished
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Connection failed (1 connections exist, 0 pending)
Jul 04 17:00:12 auth: Debug: http-client: peer 151.62.56.14: Failed to make connection (1 connections exist, 0 pending)
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Failed to establish any connection within our peer pool: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (1 connections exist, 0 pending)
Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Failed to set up connection to 151.62.56.14 (SSL=my.keycloak.host): SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (1 peers pending, 1 requests pending)
Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Failed to set up any connection; failing all queued requests
Jul 04 17:00:12 auth: Debug: http-client[1]: peer 151.62.56.14: Unlinked queue https://my.keycloak.host (0 queues linked)
Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...... (long token)]: Error: 9003 SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jul 04 17:00:12 auth: Debug: http-client[1]: queue https://my.keycloak.host: Dropping request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...... (long token)]
Jul 04 17:00:12 auth: Debug: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2: callback(-1, SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3)

==> dovecot.log <==
Jul 04 17:00:12 auth: Error: oauth2(my.mail@whatever,::1,<fG8uk6CpBJ0AAAAAAAAAAAAAAAAAAAAB>): oauth2 failed: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

==> dovecot-debug.log <==
Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...... (long token)]: Destroy (requests left=1)
Jul 04 17:00:12 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...... (long token)]: Free (requests left=0)
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: SSL handshaking with 151.62.56.14 failed: read(SSL 151.62.56.14) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection close
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection disconnect
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: (151.62.56.14): Disconnected: Connection closed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (fd=22)
Jul 04 17:00:12 auth: Debug: my.keycloak.host: SSL error: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Detached peer
Jul 04 17:00:12 auth: Debug: http-client[1]: conn 151.62.56.14 [0]: Connection destroy
On 04/07/2020 21:12 la.jolie@paquerette <la.jolie@paquerette.org> wrote:
Hi!
Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
Aki
On 05/07/2020 19:43 Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Also can you verify with 'openssl s_client' that you are sending full certificate path in your letsencrypt certificate? tls_ca_cert_file should point to whatever your certificate *root* certificate is.
Aki
On 5/07/20 18:46, Aki Tuomi wrote:
Hello Aki,
First, big thanks for your time and help. Much appreciated.
I tried v2.3.10.1 (from Debian testing), but I get the same error.
Now about the root certificate, I'm not sure what to try other than the 3 I tried.
When looking on the web for Let's encrypt Root certificate, all seems to point to the one I tried: https://letsencrypt.org/certificates/
Isn't the ISRG Root X1 Certificate the root certificate for Let's Encrypt?
Here is the output of the openssl command "openssl s_client -connect my.keycloak.host:443 -showcerts":
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.keycloak.host
verify return:1
Certificate chain
 0 s:CN = my.keycloak.host
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
...... (more lines)
i8cgf5H57alS0qMUZqirusmCFeksfg==
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...... (more lines)
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Server certificate
subject=CN = my.keycloak.host
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3176 bytes and written 390 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: EB85C94956267BF141......
    Session-ID-ctx:
    Master-Key: 84AA20A5DD8FB18ABF1.......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
    .... (9 more lines like this)
    00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.
    Start Time: 1594040666
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
Thanks, Kenny
On 6/07/20 15:23, la.jolie@paquerette wrote:
I finally found that root certificate. But frankly, what a nightmare to find it.
If someone else is in the same predicament, here is where you can find it:
- Go here: https://letsencrypt.org/certificates/
- Click on the link Download “TrustID X3 Root” on identrust.com (https://www.identrust.com/support/downloads)
- Go all the way down to the section TrustID X3 and click on the last link, Base64 Root Certificate.
- Copy the cert into a file.
I went back to v2.3.4.1 (Debian Buster version) and I can confirm it works too.
So no problem with Dovecot.
Thanks again for your help Aki.
Kenny