[Dovecot] SSL with startssl.com certificates

Dan Langille dan at langille.org
Fri Sep 13 17:18:54 EEST 2013


On 2013-09-13 09:18, Oscar del Rio wrote:
> On 09/13/13 07:59 AM, Dan Langille wrote:
>> I'm using Dovecot 2.2.5.  I'm setting up a new IMAPS server for 
>> personal use (i.e. only me).
>>
>> I have success with self-signed certificates but not with others (e.g. 
>> StartSSL.com)
>>
>> /usr/local/etc/ssl/imaps.unixathome.org.crt contains only the cert 
>> issued by StartSSL
>
>
> Maybe you are missing some of the certificate chain.
> http://wiki2.dovecot.org/SSL/DovecotConfiguration
> "Chained SSL certificates"

I tried that yesterday and it seemed to make no difference.
My attempts were based on 
http://openssl.6102.n7.nabble.com/check-certificate-chain-in-a-pem-file-td43871.html

Perhaps I am doing the chain incorrectly.  I just tried again.  The 
server is now set up with the following:

I have three certs in this chain file:

cat imaps.unixathome.org.pem sub.class1.server.ca.pem ca.pem > testing.chain.pem

1 - the certificate issued by startssl for my server
2 & 3 - the PEM files for StartSSL as found at 
http://www.startssl.com/certs/

I am not convinced that I have the appropriate PEM files for StartSSL.

I verified the cert chain:

# openssl verify -CAfile testing.chain.pem imaps.unixathome.org.crt
imaps.unixathome.org.crt: OK

When I test the connection, I see:

$ openssl s_client -connect imaps.unixathome.org:993 -quiet
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN] Dovecot ready.


Ideas?

-- 
Dan Langille - http://langille.org/
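
The message above verifies with the whole bundle passed as -CAfile, then connects with s_client and no trust options, and those two commands do not trust the same certificates. The script below is an added example, not part of the original message: it builds a throwaway three-tier PKI (every file name and CN is constructed) and runs openssl verify under four trust configurations. OpenSSL documents error 19 as a chain that could be built from the untrusted certificates while the root could not be found locally.

```sh
#!/bin/sh
# Added example: throwaway PKI (root -> intermediate -> server). Every name,
# file and CN below is constructed for the demo; nothing comes from StartSSL.

# issue NAME CN ISSUER [x509 options]: new key and CSR for NAME, signed by
# ISSUER's key (self-signed when ISSUER equals NAME).
issue() {
  name=$1; cn=$2; issuer=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ "$issuer" = "$name" ]; then sign="-signkey $name.key"
  else sign="-CA $issuer.pem -CAkey $issuer.key -set_serial 1"; fi
  openssl x509 -req -in "$name.csr" $sign -days 2 "$@" -out "$name.pem" 2>/dev/null
}

# verdict ARGS...: run "openssl verify ARGS" and print OK, or "error N" for the
# first numbered verification error it reports.
verdict() {
  out=$(openssl verify "$@" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "error $code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo "failed"; fi
}

demo=$(mktemp -d) && cd "$demo" || exit 1
printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf
issue ca     "Demo Root CA"         ca  -extfile demo.cnf -extensions ca
issue sub    "Demo Intermediate CA" ca  -extfile demo.cnf -extensions ca
issue server "imaps.example.test"   sub
cat server.pem sub.pem ca.pem > chain.pem   # leaf, intermediate, root: the post's layout

# 1. The post's check: everything in -CAfile is trusted, root included.
echo "bundle passed as -CAfile:            $(verdict -CAfile chain.pem server.pem)"
# 2. A client that receives the same chain but has no local copy of the root.
echo "chain untrusted, root not in store:  $(verdict -untrusted chain.pem server.pem)"
# 3. Root as the only trust anchor, intermediate supplied as the server would.
echo "root trusted, intermediate sent:     $(verdict -CAfile ca.pem -untrusted sub.pem server.pem)"
# 4. Server sends only its own certificate (no intermediate).
echo "root trusted, intermediate missing:  $(verdict -CAfile ca.pem server.pem)"
```

Against a live server, the counterpart of case 3 is to give s_client the root with -CAfile or -CApath, so that the verification result reflects the chain the server actually sends.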

