Hi!
It seems there is a bug in the oauth2 driver: it loads the cert files the wrong way. I'll make an internal bug report of this.
Aki
On 06/12/2019 16:42 mizuki <mizuki0621@gmail.com> wrote:
Hi,
For troubleshooting purposes, I changed the read/write permissions on the certs and confirmed 'dovecot' can read them w/o problem, but I'm still seeing the same errors. :(
Mizuki
On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Is the key/cert pair readable by the dovecot user? The auth process does not run as root.
You can add
service auth {
extra_groups = ssl_cert
}
and chgrp the cert to ssl_cert to allow access to the cert.
Aki
On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote:
I changed some of the TLS options following the document; the config is now the following:
tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
introspection_mode = post
debug = yes
rawlog_dir = /tmp/oauth2
#force_introspection = yes
username_attribute = username
#active_attribute = active
#active_value = true
tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
tls_key_file = /etc/pki/dovecot/private/dovecot.pem
The debug log now shows a slightly different message, e.g.:
Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate.
Still not able to connect to the Keycloak server. :(
PS: The Dovecot & Keycloak servers are both using the same legit cert/key pair with the CA file configured.
Thanks!
Mizuki
On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
Before declaring it not ready for prime time, did you try setting
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
in the oauth2 configuration file, as documented in https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
Aki
On 05/12/2019 21:58 mizuki via dovecot <dovecot@dovecot.org> wrote:
Hi all,
We'd like to enable OAuth with Keycloak in Dovecot. After enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on the online document, I can confirm Dovecot is ready for OAuth using the openssl command; however, when the auth request comes in, it fails to establish an SSL connection with the Keycloak server on port 443, as shown in the following debug logs. I can confirm that the commands 'openssl s_client -connect <keycloak_server>:443' and 'curl -v https://<keycloak_server>/' both return normally with no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificates are NOT self-signed but signed by legit authorities. So I'm not sure why dovecot could not establish the connections.
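The two things this exchange turns on, whether the unprivileged auth user can read the configured files and whether each file actually contains the PEM block type its setting expects, can be checked before restarting Dovecot. The script below is an added example written for this thread, not Dovecot's own code. It assumes the flat `key = value` layout of the oauth2 driver file quoted above and the three `tls_*` settings from that config; the `dovecot` uid, the `ssl_cert` group and the PEM contents it writes are stand-ins constructed inside the script.

```python
"""Pre-flight checks for the TLS files named in a Dovecot oauth2 driver config.
Added example for this thread, not Dovecot's own code."""
import base64
import os
import re
import stat
import tempfile

# One well-formed PEM block: BEGIN label, base64 body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM labels each oauth2 TLS setting must contain (the three settings from the
# config quoted in the thread; the accepted key labels are an assumption).
EXPECTED = {
    "tls_ca_cert_file": ("CERTIFICATE",),
    "tls_cert_file": ("CERTIFICATE",),
    "tls_key_file": ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"),
}

# Constructed placeholder PEM data: the body is base64 of a short string,
# not a real certificate or key.
PLACEHOLDER_BODY = "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI="
SAMPLE_CERT = f"-----BEGIN CERTIFICATE-----\n{PLACEHOLDER_BODY}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN PRIVATE KEY-----\n{PLACEHOLDER_BODY}\n-----END PRIVATE KEY-----\n"


def parse_oauth2_config(text):
    """Parse the flat 'key = value' layout; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def pem_block_types(data):
    """Labels of the well-formed PEM blocks in data; a block whose body is not
    valid base64 is not counted (that is what 'no valid PEM certificate' means)."""
    labels = []
    for label, body in PEM_RE.findall(data):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue
        labels.append(label)
    return labels


def readable_by(path, uid, gids):
    """Emulate the kernel's read check for a non-root process (uid, group ids)
    from the mode bits alone: owner bits if uid owns the file, else group bits
    if the file's group is in gids, else 'other' bits."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_tls_files(conf, uid, gids):
    """Problems with the TLS files in conf for a process running as uid/gids;
    an empty list means every configured file passed."""
    problems = []
    for setting, wanted in EXPECTED.items():
        path = conf.get(setting)
        if not path:
            continue
        if not os.path.isfile(path):
            problems.append(f"{setting}: {path} does not exist")
        elif not readable_by(path, uid, gids):
            problems.append(f"{setting}: {path} is not readable by uid {uid} "
                            "(the auth process does not run as root)")
        else:
            with open(path) as fh:
                found = pem_block_types(fh.read())
            if not any(label in wanted for label in found):
                problems.append(f"{setting}: {path} has no {' or '.join(wanted)} "
                                f"block (found: {found or 'none'})")
    return problems


def write_sample_files():
    """Write the constructed samples to a fresh temp dir (certs world-readable,
    key group-readable only) and return a config dict pointing at them."""
    d = tempfile.mkdtemp(prefix="oauth2-tls-")
    paths = {"tls_ca_cert_file": os.path.join(d, "ca.crt"),
             "tls_cert_file": os.path.join(d, "dovecot.pem"),
             "tls_key_file": os.path.join(d, "dovecot-key.pem")}
    for setting, path in paths.items():
        with open(path, "w") as fh:
            fh.write(SAMPLE_KEY if setting == "tls_key_file" else SAMPLE_CERT)
        os.chmod(path, 0o640 if setting == "tls_key_file" else 0o644)
    return paths


def demo():
    """Run the thread's scenarios against the samples; returns problems per scenario.
    Stand-ins: any uid that does not own the files plays 'dovecot', and the files'
    own group plays 'ssl_cert' (the group the thread suggests chgrp'ing the cert to)."""
    conf = write_sample_files()
    st = os.stat(conf["tls_key_file"])
    dovecot_uid, ssl_cert_gid = st.st_uid + 1, st.st_gid
    results = {}
    os.chmod(conf["tls_key_file"], 0o600)   # owner-only: extra_groups cannot help
    results["key_0600_extra_group"] = check_tls_files(conf, dovecot_uid, (ssl_cert_gid,))
    os.chmod(conf["tls_key_file"], 0o640)   # group bit set, but auth not in the group
    results["key_0640_no_group"] = check_tls_files(conf, dovecot_uid, ())
    results["key_0640_extra_group"] = check_tls_files(conf, dovecot_uid, (ssl_cert_gid,))
    # the key file handed to tls_cert_file: readable, but it holds no CERTIFICATE block
    swapped = dict(conf, tls_cert_file=conf["tls_key_file"])
    results["key_file_given_as_cert"] = check_tls_files(swapped, dovecot_uid, (ssl_cert_gid,))
    return results


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

Run against a real installation, replace `demo()` with `check_tls_files(parse_oauth2_config(open(path).read()), uid, gids)` using the uid of the account the `auth` service runs as and the group ids it gets, including anything listed under `extra_groups`. The readability check is computed from mode bits rather than by opening the file, so it gives the same answer whether the script is run as root or not.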
Great, thank you so much Aki! Please let me know when the fix is available and I will help test it in our environment. We'd really like to enable this feature. Thanks again.
Mizuki
On Fri, Dec 6, 2019 at 2:54 PM Aki Tuomi <aki.tuomi@open-xchange.com> wrote:
On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
Hi!
It seems there is a bug in the oauth2 driver: it loads the cert files the wrong way. I'll make an internal bug report of this.
Tracking as DOP-1590.
Regards,
Stephan.
Thank you Stephan,
I'm wondering if I can track the status of bug reports? Could you please advise? Thanks.
Mizuki
On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan@rename-it.nl> wrote:
On 10-12-2019 at 16:44, mizuki wrote:
Thank you Stephan,
I'm wondering if I can track the status of bug reports? Could you please advise?
No, this is for our own internal reference.
participants (3): Aki Tuomi, mizuki, Stephan Bosch