[Dovecot] chained ssl cert not working
I am running a production server with 40 pop3 users using dovecot 0.99.14. I am trying to get a chained certificate installed that I purchased through godaddy.com. I need some clarification on how to do this. I found some really vague instructions on the dovecot wiki http://wiki.dovecot.org/ChainedSSLCertificates?highlight=%28chained%29. Unfortunately these instructions are very confusing for me. I also found someone else who asked a similar question: http://dovecot.org/list/dovecot/2005-June/007528.html
I have tried to get this to work, but have failed. Could someone please explain this better? I don't understand if all of these keys/certificates go into 1 file or what. I need an example, if someone could be so kind as to take a moment of their time.
Thanks for any help.
On Tue, 2006-01-24 at 21:10 -0800, harryp@dmsnev.com wrote:
> I am running a production server with 40 pop3 users using dovecot 0.99.14. I am trying to get a chained certificate installed that I purchased through godaddy.com. I need some clarification on how to do this. I found some really vague instructions on the dovecot wiki http://wiki.dovecot.org/ChainedSSLCertificates?highlight=%28chained%29. Unfortunately these instructions are very confusing for me.
Well, I'm not sure how to say it much clearer. And I haven't tried it myself either, but it should be done in Dovecot the same way as it's done with every other server using OpenSSL. You could try to look up the same instructions for e.g. Apache, Postfix, or whatever server.
But as far as I know, it should work just by putting all the certificates in the chain into a single file, and pointing Dovecot to read that file as the certificate. So the cert file would be something like:
-----BEGIN CERTIFICATE-----
first cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
second cert
-----END CERTIFICATE-----
Hmm. I agree that the example names in the Wiki page can be a bit difficult to understand, unless you know what they mean. I'd guess it means there that Globalsign partners has signed TDC's CA certificate, which has signed TDC SSL Server CA's certificate, which has signed Local server public certificate.
Timo Sirainen wrote:
> Well, I'm not sure how to say it much clearer. And I haven't tried it myself either, but it should be done in Dovecot the same way as it's done with every other server using OpenSSL. You could try to look up the same instructions for e.g. Apache, Postfix, or whatever server.
> But as far as I know, it should work just by putting all the certificates in the chain into a single file, and pointing Dovecot to read that file as the certificate. So the cert file would be something like:
> -----BEGIN CERTIFICATE-----
> first cert
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> second cert
> -----END CERTIFICATE-----
> Hmm. I agree that the example names in the Wiki page can be a bit difficult to understand, unless you know what they mean. I'd guess it means there that Globalsign partners has signed TDC's CA certificate, which has signed TDC SSL Server CA's certificate, which has signed Local server public certificate.
Well, I've just tried the chained certificate we were given by GlobalSign for another server, and it seems fine.
I pointed both ssl_key_file and ssl_cert_file at the same .pem containing:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Best Wishes,
Chris
--
Christopher Wakelin, c.d.wakelin@reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
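As an added example (not from the thread, and not Dovecot's own code), here is a POSIX shell script that mints a constructed root / intermediate / server chain with openssl, assembles the chained file in the order Timo describes (server certificate first, then the intermediates) and checks it the way a connecting client would. It keeps the private key in its own file for ssl_key_file rather than inside the bundle as Chris did; every file name and CN in it is invented.

```shell
# Added example (not from the thread): build a constructed root -> intermediate
# -> server chain, assemble it in the order Dovecot's ssl_cert_file expects
# (server certificate first, then the intermediates), and sanity-check it.
set -eu
WORK=$(mktemp -d)   # scratch directory; every name and CN below is constructed
make_chain() {
    (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    # Self-signed root CA (the default req config marks it CA:TRUE)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root' \
        -keyout root.key -out root.pem 2>/dev/null
    # Intermediate CA, signed by the root
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
    # Server certificate, signed by the intermediate
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -days 1 -in server.csr -CA int.pem -CAkey int.key \
        -CAcreateserial -out server.pem 2>/dev/null
    # The chained file: server cert first, then each intermediate
    # (the root belongs in the clients' trust store, not here)
    cat server.pem int.pem > chain.pem
    )
}
# List subject/issuer of every cert in file order; a mis-ordered chain shows
# up here as the first subject not being the server name.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
# Subject of the first certificate, the one Dovecot presents as its own.
first_subject() {
    openssl x509 -in "$1" -noout -subject
}
# Succeeds if the bundle's first cert chains to the trusted root through the
# other certs in the bundle (what a client does with what Dovecot sends).
verify_chain() {   # $1 = bundle, $2 = trusted root PEM
    openssl x509 -in "$1" | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}
# Succeeds if the private key belongs to the bundle's FIRST cert. Putting the
# intermediate first fails this even though every block in the file is valid.
key_matches_cert() {   # $1 = bundle, $2 = private key PEM
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}
```

Run `make_chain` and then `show_chain "$WORK/chain.pem"`: the first subject/issuer pair must be the server certificate, and `key_matches_cert` is the quickest way to catch a bundle that was concatenated intermediate-first.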
Hey Chris and Tim, thanks a bunch. I would like you to know that I am not a total moron : ) . I have used certs in Apache, IIS and Postfix in the past, not to mention Dovecot also. I just can't get Dovecot to work with chained certs. I have been given excellent examples by both of you guys and am going to give it another shot this weekend.
Thanks again.
participants (3)
- Chris Wakelin
- harryp@dmsnev.com
- Timo Sirainen