I'm really racking my brain trying to figure this one out here. I am running a pop3 server for remote offices on CentOS 5.2. We purchased a SSL cert from Verisign and installed it on our dovecot server, but I continue to get failure problems with the cert and I don't know where to go from here.
here is some info about our config:
dovecot version:
# dovecot --version
1.0.7
hostname: pop.x10.com
dovecot.conf: # dovecot -n # 1.0.7: /etc/dovecot.conf base_dir: /var/run/dovecot/ log_path: /var/log/dovecot.log protocols: pop3 pop3s ssl_ca_file: /etc/pki/verisign/intermediate_ca.cer ssl_cert_file: /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file: /etc/pki/dovecot/private/pop.x10.com.key ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 verbose_ssl: yes login_dir: /var/run/dovecot//login login_executable: /usr/libexec/dovecot/pop3-login mail_executable: /usr/libexec/dovecot/pop3 mail_plugin_dir: /usr/lib/dovecot/pop3 pop3_client_workarounds: outlook-no-nuls auth default: passdb: driver: pam userdb: driver: passwd
and last but not least, here is my test from openssl. Mind you this fails as a "BAD" ssl cert in Evolution.
:~$ openssl s_client -ssl2 -connect pop.x10.com:995 CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
As you can see, the certificate clearly fails. I don't know how to make this work at this point. Any thoughts or advice would be greatly appreciated.
-G
Geoff Sweet wrote:
and last but not least, here is my test from openssl. Mind you this fails as a "BAD" ssl cert in Evolution.
:~$ openssl s_client -ssl2 -connect pop.x10.com:995
Try -ssl3 here; you'll see more.
CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
As you can see, the certificate clearly fails. I don't know how to make this work at this point. Any thoughts or advice would be greatly appreciated.
The cert fails because s_client(1) cannot find the root CA's you've chosen to trust. The same test will fail even with gmail's IMAP and POP3 servers. See the s_client(1) man page for the CApath and CAfile flags.
-- Sahil Tandon sahil@tandon.net
Ok so I downloaded the intermediate ca cert thing onto my local machine as intca.cer. Then I ran this command:
:~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995 CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1
Certificate chain 0 s:/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
Server certificate -----BEGIN CERTIFICATE----- MIIFVDCCBDygAwIBAgIQP9qDpsFNkAq3EZsq5A0jTjANBgkqhkiG9w0BAQUFADCB sDELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMh VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBMB4XDTA4MTIxMTAwMDAw MFoXDTA5MTIxMTIzNTk1OVowgccxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo aW5ndG9uMQ8wDQYDVQQHFAZSZW50b24xJjAkBgNVBAoUHVgxMCBXaXJlbGVzcyBU ZWNobm9sb2d5LCBJbmMuMR8wHQYDVQQLFBZJbmZvcm1hdGlvbiBUZWNobm9sb2d5 MTMwMQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEg KGMpMDUxFDASBgNVBAMUC3BvcC54MTAuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDJGXMMLkbyNDIVzNv4IB00qqEp8Pg5f2zWU8uzL52w37JHLmAzfExu HU+6vQqMip65QEEefqRh9rrsKWzMHC3ecQ1H3Ca6CDxwSbGLk1FjWafDLK2Ms1+w chOkym9RvURMGn8IKQag1KQ8mZtPGM5z+50O6A6YHaLQUNVGW1mJ8wIDAQABo4IB 0zCCAc8wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwRAYDVR0fBD0wOzA5oDegNYYz aHR0cDovL1NWUlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL1NWUlNlY3VyZTIwMDUu Y3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0 cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAdBgNVHSUEFjAUBggrBgEFBQcDAQYI KwYBBQUHAwIwHwYDVR0jBBgwFoAUb+yvoN2KpO/1KhBnLT9VgrzX7yUweQYIKwYB BQUHAQEEbTBrMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC52ZXJpc2lnbi5jb20w QwYIKwYBBQUHMAKGN2h0dHA6Ly9TVlJTZWN1cmUtYWlhLnZlcmlzaWduLmNvbS9T VlJTZWN1cmUyMDA1LWFpYS5jZXIwbgYIKwYBBQUHAQwEYjBgoV6gXDBaMFgwVhYJ aW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUS2u5KJYGDLvQUjibKaxLB4shBRgwJhYk aHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nbzEuZ2lmMA0GCSqGSIb3DQEB BQUAA4IBAQA70R4JDVgQF7Rz/l26G0smMR2qjj3iOfggXOiE1zHVtyzWb/Q2yrIV kTkC558w73rE0/ScqFKa2HDHm3d6OHWXNRgr+2MW8rtuwFPaPko6mYkWeRE4a3HP VFE2iNOYfx5n5yovQOUbKOKn9jBnJu8L7+mVjmtdLTMLo6yKynrxCMOXrmHI4AkK QZgySYbm4JqkTz8+CPnT75bXAJdsFmqMiq3wTKDI2GbEGdCLEupCEEMcDi2mb/zA UQbon3cgfDGfkCKd91SzJT86c1IGStHNiuwgOHsM/cAmTobICdBeooBBGQlGZPZ1 E6ehkR3x1HVzD53zpE/rH4ejjhHZ3I02 -----END CERTIFICATE----- subject=/C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
No client certificate CA names sent
SSL handshake has read 1964 bytes and written 317 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : SSLv3 Cipher : DHE-RSA-AES256-SHA Session-ID: F5FDC92F3DFEE11EABFECEF9ACAEA69F6E34B18A0DAEC225EE6C18398E86B418 Session-ID-ctx: Master-Key: E81D48B88F493F4BD35353079B7A596993D42C3E711F2E4DB79305E69C9D0CF97ED4A88941FE42B3BE012A3D507827C8 Key-Arg : None Compression: 1 (zlib compression) Start Time: 1230103587 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate)
+OK Dovecot ready.
And I still get those errors. Any thoughts?
-G
On Tue, 2008-12-23 at 23:46 -0500, Sahil Tandon wrote:
Geoff Sweet wrote:
and last but not least, here is my test from openssl. Mind you this fails as a "BAD" ssl cert in Evolution.
:~$ openssl s_client -ssl2 -connect pop.x10.com:995
Try -ssl3 here; you'll see more.
CONNECTED(00000003) depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify error:num=21:unable to verify the first certificate verify return:1 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
As you can see, the certificate clearly fails. I don't know how to make this work at this point. Any thoughts or advice would be greatly appreciated.
The cert fails because s_client(1) cannot find the root CA's you've chosen to trust. The same test will fail even with gmail's IMAP and POP3 servers. See the s_client(1) man page for the CApath and CAfile flags.
Geoff Sweet wrote:
Ok so I downloaded the intermediate ca cert thing onto my local machine as intca.cer. Then I ran this command:
:~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995
You're pointing to a *file* so you need -CAfile; not -CApath. But even after making that change, there appears to be a problem with your cert. To test, I downloaded common root certificates from the curl website and placed them in ~/CA. Then, the gmail cert verifies just fine:
% openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 -quiet depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com verify return:1 +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17
However, your server cert still fails. This may be related to the intermediate cert you define in dovecot.conf. I also noticed the zlib compression is turned on, whereas it is disabled on my own and many other POP and IMAP servers I tested.
This does not appear to be a dovecot issue; perhaps try the OpenSSL mailing list?
-- Sahil Tandon sahil@tandon.net
Oh, ok once I added the -CAfile change the cert verifies without issue.
openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify return:1 +OK Dovecot ready.
So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA...
-Geoff
On Wed, 2008-12-24 at 15:26 -0500, Sahil Tandon wrote:
Geoff Sweet wrote:
Ok so I downloaded the intermediate ca cert thing onto my local machine as intca.cer. Then I ran this command:
:~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995
You're pointing to a *file* so you need -CAfile; not -CApath. But even after making that change, there appears to be a problem with your cert. To test, I downloaded common root certificates from the curl website and placed them in ~/CA. Then, the gmail cert verifies just fine:
% openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995 -quiet depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com verify return:1 +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17
However, your server cert still fails. This may be related to the intermediate cert you define in dovecot.conf. I also noticed the zlib compression is turned on, whereas it is disabled on my own and many other POP and IMAP servers I tested.
This does not appear to be a dovecot issue; perhaps try the OpenSSL mailing list?
Geoff Sweet wrote:
[Please do not top-post]
Oh, ok once I added the -CAfile change the cert verifies without issue.
That's because you installed the intermediate cert on your client; this should not be required.
openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify return:1 +OK Dovecot ready.
So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA...
No, you need to properly install and configure dovecot to see the intermediate cert on your server. See: http://www.verisign.com/support/advisories/page_040611.html
The article is quite dated, but might be helpful to you.
-- Sahil Tandon sahil@tandon.net
-----Oorspronkelijk bericht----- Van: dovecot-bounces+egbert=vandenbussche.nl@dovecot.org [mailto:dovecot-bounces+egbert=vandenbussche.nl@dovecot.org] Namens Sahil Tandon Verzonden: donderdag 25 december 2008 18:01 Aan: dovecot@dovecot.org Onderwerp: Re: [Dovecot] SSL cert problems.
Geoff Sweet wrote:
[Please do not top-post]
Oh, ok once I added the -CAfile change the cert verifies without issue.
That's because you installed the intermediate cert on your client; this should not be required.
openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority verify return:1 depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA verify return:1 depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com verify return:1 +OK Dovecot ready.
So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA...
No, you need to properly install and configure dovecot to see the intermediate cert on your server. See: http://www.verisign.com/support/advisories/page_040611.html
The article is quite dated, but might be helpful to you.
-- Sahil Tandon sahil@tandon.net
I use CACert free certificates (I'm a certifier myself) for my servers. In Dovecot I use:
# Disable SSL/TLS support. #ssl_disable = no
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert_file = /etc/pki/tls/certs/server.crt ssl_key_file = /etc/pki/tls/certs/server.key
# If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password =
# File containing trusted SSL certificate authorities. Usually not needed. # The CAfile should contain the CA-certificate(s) followed by the matching # CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt
# Request client to send a certificate. If you also want to require it, set # ssl_require_client_cert=yes in auth section. #ssl_verify_client_cert = no
Server.cert and .key is the issued certificate and key. I (mis)use the ssl_ca_cert parameter to insert the class3 certificate.
Egbert Jan (NL)
So my conf looks similar to yours:
# Disable SSL/TLS support. #ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file = /etc/pki/dovecot/private/pop.x10.com.key
# If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password =
# File containing trusted SSL certificate authorities. Usually not needed. # The CAfile should contain the CA-certificate(s) followed by the matching # CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer
# Request client to send a certificate. #ssl_verify_client_cert = no
and the ssl_ca_file is a copy and past from this: http://www.verisign.com/support/verisign-intermediate-ca/extended-validation...
Yet the cert still doesn't work. And the OpenSSL people are telling me this is an issue with my application, dovecot.
For reference this is all that is in my /etc/pki/verisign/intermediate_ca.cer:
-----BEGIN CERTIFICATE----- MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8 RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7 A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9 MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9 BxxsCzAwxw== -----END CERTIFICATE-----
Like I said, just a copy and paste from the Verisign site.
Any thoughts?
-Geoff
Still strange that Verisign is not already in your cert. store. Most browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is not included, being a small free CA. I often have to import class3 and root cert. which is not a big deal after all.
Only thing I can say about your problem is that the ---BEGIN CERTIFICATE--- line should be on a line by its own. It is a far shot but maybe it helps. We are dealing with security stuff and all files (and permissions!) are very strict. Your key file should be on 600.
Egbert Jan
-----Oorspronkelijk bericht----- Van: dovecot-bounces+egbert=vandenbussche.nl@dovecot.org [mailto:dovecot-bounces+egbert=vandenbussche.nl@dovecot.org] Namens Geoff Sweet Verzonden: maandag 29 december 2008 20:31 Aan: Dovecot Mailing List Onderwerp: Re: [Dovecot] SSL cert problems.
So my conf looks similar to yours:
# Disable SSL/TLS support. #ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file = /etc/pki/dovecot/private/pop.x10.com.key
# If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password =
# File containing trusted SSL certificate authorities. Usually not needed. # The CAfile should contain the CA-certificate(s) followed by the matching # CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer
# Request client to send a certificate. #ssl_verify_client_cert = no
and the ssl_ca_file is a copy and past from this: http://www.verisign.com/support/verisign-intermediate-ca/extended-validation /index.html
Yet the cert still doesn't work. And the OpenSSL people are telling me this is an issue with my application, dovecot.
For reference this is all that is in my /etc/pki/verisign/intermediate_ca.cer:
-----BEGIN CERTIFICATE----- MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8 RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7 A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9 MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9 BxxsCzAwxw== -----END CERTIFICATE-----
Like I said, just a copy and paste from the Verisign site.
Any thoughts?
-Geoff
Egbert Jan van den Bussche wrote:
Still strange that Verisign is not already in your cert. store. Most browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is not included, being a small free CA. I often have to import class3 and root cert. which is not a big deal after all.
The root verisign cert is likely in his cert store; however, the *intermediate* cert is not; that is expected to be on the server.
-- Sahil Tandon sahil@tandon.net
Ok, how about from a little different approach. How do I get debugging out of this thing?
I followed this:
http://wiki.dovecot.org/Logging
But I certainly don't consider what it produced in the way of output something I could consider "debug" logging. It never even once logged anything like directories it was looking in for SSL stuff, or acknowledged my connection with more then "TLS" in the connection line.
How do I get more logging out?
-G
On Mon, 2008-12-29 at 16:54 -0500, Sahil Tandon wrote:
Egbert Jan van den Bussche wrote:
Still strange that Verisign is not already in your cert. store. Most browsers seem to have Verisign. I'm used to the fact that my CA (Cacert) is not included, being a small free CA. I often have to import class3 and root cert. which is not a big deal after all.
The root verisign cert is likely in his cert store; however, the *intermediate* cert is not; that is expected to be on the server.
On Dec 29, 2008, at 2:31 PM, Geoff Sweet wrote:
So my conf looks similar to yours:
# Disable SSL/TLS support. #ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer ssl_key_file = /etc/pki/dovecot/private/pop.x10.com.key
# If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. #ssl_key_password =
# File containing trusted SSL certificate authorities. Usually not needed. # The CAfile should contain the CA-certificate(s) followed by the matching # CRL(s). CRL checking is new in dovecot .rc1 ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer
Reading the openssl book on page 120(chapter 5) it says that you
should have the whole chain in one file. I see
that if you are using the SSL_CTX_use_certificate_chain_file
function(as dovecot1.2alpha4 ./login-common/ssl-proxy-openssl.c does),
you just need to put the whole chain in one file with the intermediate
SECOND and your certificate FIRST. The book also claims that you
should put the root certificate in here. I have seen conflicting
documentation on putting the root cert in here because as another
poster mentioned , you will never send it out. I may have missed a
post that had my info above so sorry if I'm giving already provided
information.
-Jonathan
# Request client to send a certificate. #ssl_verify_client_cert = no
and the ssl_ca_file is a copy and past from this: http://www.verisign.com/support/verisign-intermediate-ca/extended-validation...
Yet the cert still doesn't work. And the OpenSSL people are telling
me this is an issue with my application, dovecot.For reference this is all that is in my /etc/pki/verisign/intermediate_ca.cer:
-----BEGIN CERTIFICATE----- MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8 RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/ Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0 dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7 A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9 MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9 BxxsCzAwxw== -----END CERTIFICATE-----
Like I said, just a copy and paste from the Verisign site.
Any thoughts?
-Geoff
participants (4)
-
Egbert Jan van den Bussche
-
Geoff Sweet
-
Jonathan Siegle
-
Sahil Tandon