[Dovecot] SSL cert problems.

Egbert Jan van den Bussche egbert at vandenbussche.nl
Fri Dec 26 12:50:02 EET 2008


-----Original Message-----
From: dovecot-bounces+egbert=vandenbussche.nl at dovecot.org
[mailto:dovecot-bounces+egbert=vandenbussche.nl at dovecot.org] On Behalf Of Sahil
Tandon
Sent: Thursday 25 December 2008 18:01
To: dovecot at dovecot.org
Subject: Re: [Dovecot] SSL cert problems.


Geoff Sweet wrote:

[Please do not top-post]

> Oh, ok once I added the -CAfile change the cert verifies without 
> issue.

That's because you installed the intermediate cert on your client; this
should not be required.

> openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet
> depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> verify return:1
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com
> verify return:1
> +OK Dovecot ready.
> 
> So does that mean I need to install the intermediate cert on all my 
> clients that will be accessing this server?  That's going to be a bit 
> of a PITA...

No, you need to properly install and configure dovecot to see the
intermediate cert on your server.  See:
http://www.verisign.com/support/advisories/page_040611.html

The article is quite dated, but might be helpful to you.

-- 
Sahil Tandon <sahil at tandon.net>

I use CACert free certificates (I'm a certifier myself) for my servers. In
Dovecot I use:

# Disable SSL/TLS support.
#ssl_disable = no

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert_file = /etc/pki/tls/certs/server.crt
ssl_key_file = /etc/pki/tls/certs/server.key

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter.
#ssl_key_password =

# File containing trusted SSL certificate authorities. Usually not needed.
# The CAfile should contain the CA-certificate(s) followed by the matching
# CRL(s). CRL checking is new in dovecot .rc1
ssl_ca_file = /etc/pki/tls/certs/cacert_class3.crt

# Request client to send a certificate. If you also want to require it, set
# ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

Server.crt and .key are the issued certificate and key.
I (mis)use the ssl_ca_cert parameter to insert the class3 certificate.

Egbert Jan (NL)
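The advice in the thread is to make the server itself present the intermediate certificate rather than installing it on every client. The following POSIX shell script is an added example, not code from the thread or from the Dovecot project: it assembles the bundle Dovecot serves (server certificate first, then the issuing CA) and probes a live server the way a client without any -CAfile sees it. The file paths and the host name are assumptions; adjust them to your own PKI layout.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are assumptions; adjust to your PKI layout.
LEAF=/etc/pki/tls/certs/server.crt                 # issued server certificate
INTERMEDIATE=/etc/pki/tls/certs/cacert_class3.crt  # issuing (intermediate) CA, not the root
CHAIN=/etc/pki/tls/certs/server-chain.crt          # what ssl_cert_file should point at

# Count PEM certificate blocks in a file, or on stdin when no file is given.
count_pem_certs() {
    if [ $# -gt 0 ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
    else
        grep -c -- '-----BEGIN CERTIFICATE-----'
    fi
}

# Build the bundle Dovecot serves: the server certificate first, then the
# issuing CA(s). Dovecot sends every certificate found in ssl_cert_file, so the
# intermediate belongs here; ssl_ca_file is meant for verifying client certs.
# Prints the number of certificates written; fails if the leaf file does not
# hold exactly one certificate (a bundle passed as leaf would get duplicated).
build_chain_file() {
    leaf=$1; intermediate=$2; out=$3
    [ "$(count_pem_certs "$leaf")" -eq 1 ] || { echo "leaf must contain exactly one certificate" >&2; return 1; }
    umask 022                       # certificates are public; the private key is not touched here
    cat "$leaf" "$intermediate" > "$out"
    count_pem_certs "$out"
}

# Probe a live server as an unconfigured client sees it: no -CAfile, so
# "Verify return code: 0 (ok)" appears only when the server sends the
# intermediate and the root is in the local trust store. Expect >= 2 certs sent.
check_served_chain() {
    host=$1; port=${2:-995}
    out=$(openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null)
    printf 'certs sent: %s\n' "$(printf '%s\n' "$out" | count_pem_certs)"
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Usage: build_chain_file "$LEAF" "$INTERMEDIATE" "$CHAIN" && check_served_chain pop.example.com
```

After pointing ssl_cert_file at the generated chain file and restarting Dovecot, the probe should report at least two certificates and a verify return code of 0 without any -CAfile on the client side.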