Unexpected config results with local_name + multiple SSL certs
Working with SSL on a fresh install of the latest Ubuntu Artful + Dovecot seems broken somehow.
The application is Dovecot listening for many SSL sites...
Likely I've missed adding something simple to the config, related to local_name usage.
It would be great if someone could point out what I've missed, to set up multiple SSL certs for different host.domain entries in the config.
Thanks.
This works as expected... where the SNI server name is returned...
#local_name imap.cydec.com {
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
#}

service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
subject=/CN=imap.cydec.com
This fails...
local_name imap.cydec.com {
  ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
}

service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
# Empty, so no servername match
Full openssl output shows no cert being returned...
service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com
CONNECTED(00000004)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 199 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1519576210
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
Config seems correct, with local_name uncommented...
dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = dovecot
  driver = pam
}
protocols = " imap pop3"
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
userdb {
  driver = passwd
}
local_name imap.cydec.com {
  ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
  ssl_key =  # hidden, use -P to show it
}
David Favor wrote:
It would be great if someone has suggestions on how to fix this.
Thanks.
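For the "multiple SSL certs for different host.domain entries" setup, this is the shape a Dovecot 2.2 configuration takes. It is an added example, not a fragment from the thread or from the Dovecot project: the first ssl_cert/ssl_key pair sits at top level and is the default Dovecot presents when the client sends no SNI name, or a name that no local_name block matches (note that the dovecot -n output pasted above has no top-level ssl_cert at all); each local_name block then overrides the default for one name. The default hostname mail.example.com, the second local_name imap.example.org and the certificate paths are assumptions.

```conf
# Default (top-level) certificate: required when ssl = yes, and the one
# served for connections with no SNI name or a name no local_name matches.
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

# Per-hostname overrides, selected by the TLS SNI name the client sends.
local_name imap.cydec.com {
  ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
}

local_name imap.example.org {
  ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
  ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
}
```

Verify each name the way the original post does, with openssl s_client -connect host:993 -servername NAME, and run it once more with -noservername (OpenSSL 1.1.1 and later) to confirm the default certificate is the one you expect; a client that sends no SNI, or an unexpected one, will see that default, so it should be a certificate you are willing to show to everyone.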
On 2018-02-25 (09:31 MST), David Favor <david@davidfavor.com> wrote:
> }
> local_name imap.cydec.com {
>   ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
>   ssl_key =  # hidden, use -P to show it
> }

Doesn't this still require a default (top-level) cert besides the one specified for local_name?
Also, is there any reason to use local_name if your local name matches your server? The point is to be able to provide a cert for example.org when your domain is example.com, right?
-- 
Don't congratulate yourself too much, or berate yourself either. Your choices are half chance; so are everybody else's.
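To make the default-plus-override model behind that question concrete, here is an added example that models it over localhost. It is not Dovecot code and not from the thread: a single server context whose default (top-level) certificate is mandatory, with per-SNI overrides playing the role of local_name blocks, and a client probe that reports the CN the server presented for a given server name, much as openssl s_client -servername does. Throwaway self-signed certificates are generated with the openssl command-line tool, so it needs openssl on PATH; the default hostname mail.example.net and the unmatched name other.example.org are made up for the demo.

```python
"""Model of Dovecot-style TLS certificate selection over localhost.

Added example, not Dovecot code: a default (top-level ssl_cert/ssl_key)
certificate plus per-SNI overrides (the local_name blocks). Throwaway
self-signed certs come from the openssl CLI; hostnames other than
imap.cydec.com are made up for the demo.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_selfsigned(cn, directory):
    """Generate a throwaway self-signed cert/key pair for CN=cn (openssl CLI)."""
    cert = os.path.join(directory, f"{cn}.crt")
    key = os.path.join(directory, f"{cn}.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={cn}", "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
    )
    return cert, key


def build_server_context(default, per_name):
    """Build one server context with the rule under discussion: `default`
    (cert, key) is mandatory and is what every connection gets unless the
    client's SNI name has an entry in `per_name` ({name: (cert, key)})."""
    if default is None:
        raise ValueError("ssl enabled but no default ssl_cert/ssl_key; "
                         "local_name blocks only override the default")
    base = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    base.load_cert_chain(*default)
    overrides = {}
    for name, (cert, key) in per_name.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cert, key)
        overrides[name] = ctx

    def select(sock, server_name, _ctx):
        # Runs while the ClientHello is processed; swapping the context swaps the cert.
        ctx = overrides.get(server_name)
        if ctx is not None:
            sock.context = ctx

    base.sni_callback = select
    return base


def serve(ctx, clients):
    """Accept `clients` TLS connections one after another on an ephemeral port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def run():
        for _ in range(clients):
            conn, _ = listener.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # block until the client closes
            except (ssl.SSLError, OSError):
                pass
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return listener.getsockname()[1]


def probe(port, server_name, trusted_certs):
    """What `openssl s_client -servername` shows: the CN presented for server_name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we want to see the fallback cert, not reject it
    ctx.verify_mode = ssl.CERT_REQUIRED
    for cert in trusted_certs:       # self-signed certs act as their own trust anchors
        ctx.load_verify_locations(cafile=cert)
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return subject["commonName"]


def demo():
    """Run the scenario from the thread and return what each probe saw."""
    with tempfile.TemporaryDirectory() as d:
        default_pair = make_selfsigned("mail.example.net", d)   # assumed default host
        sni_pair = make_selfsigned("imap.cydec.com", d)
        try:  # the failing config: a local_name block but no top-level cert
            build_server_context(None, {"imap.cydec.com": sni_pair})
            rejected = False
        except ValueError:
            rejected = True
        port = serve(build_server_context(default_pair, {"imap.cydec.com": sni_pair}), 2)
        trust = [default_pair[0], sni_pair[0]]
        return {
            "missing_default_rejected": rejected,
            "imap.cydec.com": probe(port, "imap.cydec.com", trust),
            "other.example.org": probe(port, "other.example.org", trust),
        }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name}: {seen}")
```

The probe for imap.cydec.com gets the override certificate, while a name with no override falls back to mail.example.net, which is why the default has to be a certificate you are content to show to any client, including ones that send no SNI at all.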
participants (3)
- @lbutlr
- Aki Tuomi
- David Favor