Server certificate verification error with Dovecot 2.3.2.1
I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL certificate authority provides a bundle containing their CA, plus intermediate CAs, which I configure using the 'ssl_ca' option. The comments in the configuration file say to only set this when you're requiring client certificates, which I'm not, but fetchmail complains with a "Server certificate verification error, Broken certificate chain" error if that setting is not set. This works fine with Dovecot 2.2.34.
After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca' is set or not. Dovecot 2.3.2.1 reports the error
SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
in the logs when attempting the TLS handshake. The permissions on the CA bundle haven't changed and should still be readable by Dovecot.
I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file system. I'm attaching my config files for both Dovecot 2.2.34 and Dovecot 2.3.2.1.
You are supposed to put the intermediates into the cert file after the cert in order from cert to root. ssl_ca is not used for this. ---Aki TuomiDovecot oy -------- Original message --------From: Robert Gill locke@sdf.lonestar.org Date: 13/09/2018 01:00 (GMT+02:00) To: dovecot@dovecot.org Subject: Server certificate verification error with Dovecot 2.3.2.1 I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL certificate authority provides a bundle containing their CA, plus intermediate CAs, which I configure using the 'ssl_ca' option. The comments in the configuration file say to only set this when you're requiring client certificates, which I'm not, but fetchmail complains with a "Server certificate verification error, Broken certificate chain" error if that setting is not set. This works fine with Dovecot 2.2.34.
After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca' is set or not. Dovecot 2.3.2.1 reports the error
SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48 in the logs when attempting the TLS handshake. The permissions on the CA bundle haven't changed and should still be readable by Dovecot.
I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file system. I'm attaching my config files for both Dovecot 2.2.34 and Dovecot 2.3.2.1.
On Wed, 12 Sep 2018, Robert Gill wrote:
I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL certificate authority provides a bundle containing their CA, plus intermediate CAs, which I configure using the 'ssl_ca' option. The comments in the configuration file say to only set this when you're requiring client certificates, which I'm not, but fetchmail complains with a "Server certificate verification error, Broken certificate chain" error if that setting is not set. This works fine with Dovecot 2.2.34.
Try creating your certificate by appending all your server and intermediate certs in this order into one file
server certificate
intermediate certificate 1
intermediate certificate 2
...where the chain works toward the root CA. You don't need the root CA as your client ought to anchor the chain with its own CA store. Then set the value of ssl_cert to this file.
Joseph Tam jtam.home@gmail.com
On Thu, Sep 13, 2018 at 05:59:16AM +0300, Aki Tuomi wrote:
You are supposed to put the intermediates into the cert file after the cert in order from cert to root. ssl_ca is not used for this. ---Aki TuomiDovecot oy
On Wed, Sep 12, 2018 at 11:43:23PM -0700, Joseph Tam wrote:
Try creating your certificate by appending all your server and intermediate certs in this order into one file
server certificate intermediate certificate 1 intermediate certificate 2 ...where the chain works toward the root CA. You don't need the root CA as your client ought to anchor the chain with its own CA store. Then set the value of ssl_cert to this file.
Joseph Tam jtam.home@gmail.com
Thanks, I concatenated the CA bundle onto my cert file and everything seems to work now.
participants (3)
-
Aki Tuomi
-
Joseph Tam
-
Robert Gill