[Dovecot] SSL cert problems.

Jonathan Siegle jsiegle at psu.edu
Tue Dec 30 02:13:33 EET 2008


On Dec 29, 2008, at 2:31 PM, Geoff Sweet wrote:

> So my conf looks similar to yours:
>
> # Disable SSL/TLS support.
> #ssl_disable = no
>
> ssl_cert_file = /etc/pki/dovecot/certs/pop.x10.com.cer
> ssl_key_file =  /etc/pki/dovecot/private/pop.x10.com.key
>
> # If key file is password protected, give the password here. Alternatively
> # give it when starting dovecot with -p parameter.
> #ssl_key_password =
>
> # File containing trusted SSL certificate authorities. Usually not needed.
> # The CAfile should contain the CA-certificate(s) followed by the matching
> # CRL(s). CRL checking is new in dovecot .rc1
> ssl_ca_file = /etc/pki/verisign/intermediate_ca.cer
>


Reading the openssl book on page 120 (chapter 5) it says that you should have the whole chain in one file. I see that if you are using the SSL_CTX_use_certificate_chain_file function (as dovecot1.2alpha4 ./login-common/ssl-proxy-openssl.c does), you just need to put the whole chain in one file with the intermediate SECOND and your certificate FIRST. The book also claims that you should put the root certificate in here. I have seen conflicting documentation on putting the root cert in here because, as another poster mentioned, you will never send it out. I may have missed a post that had my info above, so sorry if I'm giving already provided information.

-Jonathan

> # Request client to send a certificate.
> #ssl_verify_client_cert = no
>
> and the ssl_ca_file is a copy and paste from this:
> http://www.verisign.com/support/verisign-intermediate-ca/extended-validation/index.html
>
> Yet the cert still doesn't work. And the OpenSSL people are telling me
> this is an issue with my application, dovecot.
>
> For reference this is all that is in
> my /etc/pki/verisign/intermediate_ca.cer:
>
>
>
> Like I said, just a copy and paste from the Verisign site.
>
> Any thoughts?
>
> -Geoff
>

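The ordering rule described above (your server certificate FIRST, the issuing intermediate SECOND, each certificate signed by the one that follows it) can be checked before pointing ssl_cert_file at a bundle. The script below is an added example, not code from this thread or from Dovecot; it assumes the openssl command-line tool is installed and builds a constructed, throwaway root/intermediate/leaf chain (hypothetical names) to exercise the check offline.

```shell
# check_chain_order BUNDLE: exit 0 if a PEM bundle is in the order that
# SSL_CTX_use_certificate_chain_file expects (server cert FIRST, issuing
# intermediate SECOND, ...): each cert's issuer = subject of the next one.
check_chain_order() {
    bundle=$1
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 01.pem, 02.pem, ...
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$bundle"
    rc=0; idx=0; want=""; subj=""; iss=""
    for cert in "$work"/*.pem; do
        [ -f "$cert" ] || continue
        subj=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$cert" | sed 's/^subject=//')
        iss=$(openssl x509 -noout -nameopt RFC2253 -issuer -in "$cert" | sed 's/^issuer=//')
        if [ -n "$want" ] && [ "$subj" != "$want" ]; then
            echo "cert $idx ($subj) is not the issuer of cert $((idx - 1)); expected $want" >&2
            rc=1
        fi
        want=$iss; idx=$((idx + 1))
    done
    if [ "$idx" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2; rc=1
    elif [ "$subj" = "$iss" ]; then
        echo "note: last certificate in $bundle is self-signed (root CA); never sent to clients" >&2
    fi
    rm -rf "$work"
    return $rc
}
# make_demo_certs DIR: constructed throwaway root -> intermediate -> leaf
# certificates (hypothetical names) so the check can be exercised offline.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Demo-Root \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Intermediate \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 -in "$1/int.csr" \
        -CA "$1/root.pem" -CAkey "$1/root.key" -out "$1/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=pop.example.test \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 2 -in "$1/leaf.csr" \
        -CA "$1/int.pem" -CAkey "$1/int.key" -out "$1/leaf.pem" 2>/dev/null
}
d=$(mktemp -d); make_demo_certs "$d"
cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"   # cert FIRST, intermediate SECOND
cat "$d/int.pem" "$d/leaf.pem" > "$d/bad.pem"    # the wrong way round
check_chain_order "$d/good.pem" && echo "good.pem: chain order OK"
check_chain_order "$d/bad.pem" || echo "bad.pem: chain order wrong"
rm -rf "$d"
```

Appending the root certificate after the intermediate only produces the self-signed note, matching the point that the server never sends it anyway.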