how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
Hi everyone,
I'm trying to set up dovecot to accept only client certificates created with a private CA:
    auth_ssl_require_client_cert = yes
    ssl_verify_client_cert = yes
    ssl_ca =
At the same time, dovecot is set up with an SSL certificate created by a public CA (Let's Encrypt):
    ssl = required
    ssl_cert =
When I try to connect to the server with a client (evolution), I get a connection error: "Client did not present valid SSL certificate" except that it is valid.
As you probably already know, Let's Encrypt does not create client certificates. It seems that using a different CA for client certificates and for the server certificate is unsupported.
Am I missing something?
Jean-Christophe
Quoting jean-christophe manciot actionmystique@gmail.com:
Hi everyone,
I'm trying to set up dovecot to accept only client certificates created with a private CA:
    auth_ssl_require_client_cert = yes
    ssl_verify_client_cert = yes
    ssl_ca =
This is wrong, you should enter your private CA here. If 'ssl_verify_client_cert' is not set to 'yes', this field should generally be empty / not configured.
At the same time, dovecot is set up with an SSL certificate created by a public CA (Let's Encrypt):
    ssl = required
    ssl_cert =
When I try to connect to the server with a client (evolution), I get a connection error: "Client did not present valid SSL certificate" except that it is valid.
As you probably already know, Let's Encrypt does not create client certificates. It seems that using a different CA for client certificates and for the server certificate is unsupported.
Am I missing something?
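As an added example that is not from this thread or from Dovecot's own documentation, this is how the two trust anchors are kept apart in a Dovecot 2.x conf.d/10-ssl.conf: the server identity comes from the public CA, client verification from the private one. Hostname and file paths are placeholders.

```conf
# Server identity, issued by the public CA (Let's Encrypt).
# ssl_cert must hold the leaf certificate followed by the intermediate(s),
# i.e. the fullchain file, so that clients can build the chain.
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

# Client authentication uses a completely separate trust anchor.
# ssl_ca must be the PRIVATE CA that issued the client certificates,
# not the public CA above. If it is empty or points at a different CA,
# the chain cannot be built and Dovecot reports
# "Client did not present valid SSL certificate".
# With ssl_require_crl = yes (the default) the CA's CRL has to be
# appended to the same file as the CA certificate.
ssl_ca = </etc/dovecot/private-ca/ca-and-crl.pem
ssl_verify_client_cert = yes
ssl_require_crl = yes

# Refuse logins from connections that presented no valid client cert.
auth_ssl_require_client_cert = yes

# Optional: take the login username from the certificate's CN.
#auth_ssl_username_from_cert = yes
#ssl_cert_username_field = commonName
```

Before restarting Dovecot, the bundle can be checked on its own with `openssl verify -crl_check -CAfile /etc/dovecot/private-ca/ca-and-crl.pem client.pem`; if that fails, the problem is in the CA bundle or the client certificate, not in the server certificate.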
@build+dovecot@de-korte.org
ssl_ca = actually contains the private CA certificate bundled with the private CA CRL.
ssl_cert = contains the public server certificate bundled with the Let's Encrypt CA X3 cross-signed certificate.
Maybe the latter should rather contain the root and intermediate certificates.
On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte build+dovecot@de-korte.org wrote:
-- Jean-Christophe
I forgot to say that this mail server has been working perfectly for many years (but without client certificates).
On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot actionmystique@gmail.com wrote:
-- Jean-Christophe
Have you added your root CA to where the rest of the ca certs are stored on your distribution?
participants (3)
- Arjen de Korte
- jean-christophe manciot
- Marc