[Dovecot] Problems with Dovecot and self-signed cert
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I've recently set up a Red Hat Enterprise Linux 4 WS server, and decided to try using Dovecot as my IMAP server, as I was impressed with the dedication to security that seems to be the core development goal. I'm really happy with it, but I can't get it to work with a self-signed cert.
Normally, on a RHEL system, you just go into /user/share/ssl/certs/ and type:
make whatever.pem
Then you fill out the various address fields, and you've got a cert.
However, when I rename/delete the existing dovecot.pem and generate a new one using this method, Dovecot won't start and I'm unable to connect to the box. The cert that it's currently using is called "localhost.localdomain", and while that works, mail clients gripe every time about the domain name not matching the certificate.
I've looked through the RHEL documentation, and it appears I'm doing everything correct. Anyone have any suggestions?
Seth H. Bokelman (Seth.Bokelman@UNI.edu)
Systems Administrator, ITS-Network Services, University of Northern Iowa
15 Curris Business Building, Cedar Falls, Iowa 50614
Phone: (319) 273-7423
http://www.sethb.com/
> Normally, on a RHEL system, you just go into /user/share/ssl/certs/ and
RHEL = Red Hat Enterprise Linux?

> type:
> make whatever.pem
Go to /usr/local/share/doc/dovecot (on FreeBSD), edit the example dovecot-openssl.cnf for your needs and run mkcert.sh.

To do it "by hand" you have to type e.g. (all on one line):

openssl req -new -x509 -newkey rsa:1024 -nodes -keyout mykey.pem -out mycert-pem

Of course, this will ask you for some values for the DN as well and requires a working openssl.cnf (use myimap.mydomain.dom for CN).

> Then you fill out the various address fields, and you've got a cert.
> However, when I rename/delete the existing dovecot.pem and generate a new one using this method, Dovecot won't start and I'm unable to connect to the box. The cert that it's currently using is called
Do you also use the newly generated private key?

> "localhost.localdomain", and while that works, mail clients gripe every time about the domain name not matching the certificate.
So make it match. Set CN=Common Name (openssl might ask for "Your Name").

A
--
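The "by hand" procedure above, scripted so the two points raised in the reply are checked before Dovecot is restarted: the certificate's CN must match the host name clients connect to, and the key file handed to Dovecot must be the one generated together with the certificate. This is an added example, not code from the thread or from the Dovecot project; it assumes the openssl command-line tool is installed, uses a 2048-bit key rather than the 1024-bit key in the reply, and the host name and output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a self-signed certificate
# whose CN matches the IMAP host name, then verify the result before
# pointing Dovecot at the key and certificate files.
# Assumes the openssl CLI is available; host names and paths are placeholders.

set -eu

# gen_cert HOSTNAME OUTDIR -> writes OUTDIR/dovecot.key and OUTDIR/dovecot.crt
gen_cert() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    # -nodes: unencrypted key, so the daemon can read it at start-up without a
    # passphrase prompt. -subj skips the interactive DN questions; CN is the
    # name clients will connect to. The subshell keeps umask 077 local so the
    # key file is created readable by its owner only.
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$host" \
          -keyout "$dir/dovecot.key" -out "$dir/dovecot.crt" 2>/dev/null )
}

# cert_cn CERTFILE -> prints the subject CN of the certificate
# (handles both "subject= /CN=host" and "subject=CN = host" output styles)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_matches_cert KEYFILE CERTFILE -> exit 0 if the key's public half is the
# one embedded in the certificate (i.e. the pair really belongs together)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl md5)
    [ "$k" = "$c" ]
}

# check_pair HOSTNAME KEYFILE CERTFILE -> exit 0 only if the CN matches the
# host name and the key fits the certificate
check_pair() {
    [ "$(cert_cn "$3")" = "$1" ] && key_matches_cert "$2" "$3"
}
```

Usage: `gen_cert imap.example.test /etc/pki/dovecot` followed by `check_pair imap.example.test /etc/pki/dovecot/dovecot.key /etc/pki/dovecot/dovecot.crt`; only when the check passes should Dovecot's certificate and key settings be pointed at the two files. A failing CN check is the cause of the "domain name not matching" warnings, and a failing key check is the situation the reply asks about, where an old key is still configured next to a freshly generated certificate.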
Yep, it's Red Hat Enterprise.
The "by hand" method worked; apparently Red Hat hasn't scripted Dovecot like they have their other certs, but it's up and running now. Thanks for your help!
Participants (2): Adam Pordzik, Seth Bokelman