I'm getting this in the log when proxying IMAP (three "valid certificate" messages, two "Invalid certificate" messages)
Why is dovecot (acting as a proxy to another dovecot instance here) not recognizing the StartCom Extended Validation Server CA?
. LOGIN ralf.hildebrandt@charite.de mypassword
Sep 25 14:13:04 auth-worker(30859): Info: mysql(sql.charite.de): Connected to database mailservice
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x10, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: before/connect initialization [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: unknown state [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server hello A [127.0.0.1]
Sep 25 14:13:04 imap-login: Info: Invalid certificate: unable to get local issuer certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Invalid certificate: certificate not trusted: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster@charite.de/serialNumber=HRAxxxx/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
Sep 25 14:13:04 imap-login: Info: Valid certificate: /C=DE/ST=Berlin/L=Berlin/postalCode=12205/street=Charitestrasse 1/O=Charite Universitaetsmedizin/CN=imap.charite.de/emailAddress=postmaster@charite.de/serialNumber=HRAxxxx/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.1=Mitte/1.3.6.1.4.1.311.60.2.1.2=Berlin/1.3.6.1.4.1.311.60.2.1.3=DE
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server certificate A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server done A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write client key exchange A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write change cipher spec A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 write finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 flush data [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=-1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read server session ticket A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1001, ret=1: SSLv3 read finished A [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [127.0.0.1]
Sep 25 14:13:04 imap-login: Debug: SSL: where=0x1002, ret=1: SSL negotiation finished successfully [127.0.0.1]
. OK [CAPABILITY ...
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
Quote from Ralf Hildebrandt r@sys4.de:
> I'm getting this in the log when proxying IMAP (three "valid certificate" messages, two "Invalid certificate" messages)
> Why is dovecot (acting as a proxy to another dovecot instance here) not recognizing the StartCom Extended Validation Server CA?
Forgot to include the matching intermediate CA maybe?
Regards
Andi
* lst_hoe02@kwsoft.de <lst_hoe02@kwsoft.de>:
> Quote from Ralf Hildebrandt r@sys4.de:
>> I'm getting this in the log when proxying IMAP (three "valid certificate" messages, two "Invalid certificate" messages)
>> Why is dovecot (acting as a proxy to another dovecot instance here) not recognizing the StartCom Extended Validation Server CA?
> Forgot to include the matching intermediate CA maybe?

Certificate chain
 0 s:/C=DE/ST=Berlin/L=Berlin/postalCode=...
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
Oh bloody hell. I do have "StartCom Extended Validation Server CA" but not "StartCom Certification Authority".
MEH!
On Thu, 25 Sep 2014, Ralf Hildebrandt wrote:
> Date: Thu, 25 Sep 2014 14:22:30 +0200
> From: Ralf Hildebrandt r@sys4.de
> To: dovecot@dovecot.org
> Subject: SSL issues when proxying
>
> I'm getting this in the log when proxying IMAP (three "valid certificate" messages, two "Invalid certificate" messages)
Is one of your proxies or servers missing a root CA? Or do your hosts query a cert database or something like that? Can you validate the cert on all hosts via openssl manually?
Steffen Kaiser
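An added example, not part of the thread, that reproduces Ralf's failure and Steffen's suggested manual openssl check offline on a constructed three-level chain; the CA names and host name are hypothetical, openssl is assumed to be on PATH, and the comment naming ssl_client_ca_file / ssl_client_ca_dir refers to Dovecot 2.2's client-side trust settings, assumed to be what the proxy's outbound TLS uses.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the proxy's chain verification
# failure offline on a constructed three-level chain, then show the fix.
# Against a live backend the equivalent manual check is:
#   openssl s_client -connect imap.example.test:993 -showcerts </dev/null
# and the "i:" of the last chain entry names the anchor the trust store needs.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Constructed CAs; the names are hypothetical, not the real StartCom certificates.
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
            -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1; }
mkcsr root "Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1             # self-signed root
mkcsr int "Demo Extended Validation Server CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.pem >/dev/null 2>&1   # intermediate
mkcsr leaf "imap.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -out leaf.pem >/dev/null 2>&1                   # backend's server cert

# The anchor a client must trust is the issuer of the last certificate the
# server sends (the intermediate), i.e. the root, not the intermediate itself.
needed_anchor() { openssl x509 -in "$1" -noout -issuer; }

# Verify the leaf the way a TLS client does. $1 = trusted CA file (what
# Dovecot's ssl_client_ca_file / ssl_client_ca_dir would hold), $2 = certs the
# server sent (untrusted), $3 = leaf. Prints openssl's verdict, returns 0 only on OK.
verify_chain() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  printf '%s\n' "$out"
  case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

echo "anchor required: $(needed_anchor int.pem)"
echo "--- trust store holds only the intermediate (the setup in the thread):"
verify_chain int.pem int.pem leaf.pem || true
echo "--- trust store holds the root:"
verify_chain root.pem int.pem leaf.pem
```

The first verify_chain call fails like the log above: having the intermediate in the trust store is not enough, because the chain has to end at the self-signed root that issued it.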