service doveadm : ssl problems

Tobi tobster at brain-force.ch
Thu Nov 10 15:35:56 UTC 2016


Have you specified the path to ca-certificates?
On Debian it's normally something like this:

#10-ssl.conf
ssl_client_ca_dir = /etc/ssl/certs

see http://wiki.dovecot.org/Replication#SSL


Am 10.11.2016 um 16:09 schrieb nerbrume at free.fr:
> Hello,
> 
> I'm using dovecot 2.2.13 on Debian stable.
> My users are authenticated through PAM, and stored in an LDAP backend
> I'm trying to set up replication with ssl, following (mainly) this: http://wiki2.dovecot.org/Replication
> 
> 1) I only diverted from the instructed setup by not setting "doveadm_port = 12345", as it would give me errors like:
>> Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't support crentials lookups (to see if user is proxied, because doveadm_port is set)
> but rather specifying the port in the mail_replica setting: "mail_replica = tcps:my.domain.com:1465"
> (following a mail from here : http://www.dovecot.org/list/dovecot/2016-September/105356.html)
> So far, this seems to be working for me.
> 
> 2) However, I'm having ssl problems. I have a Let's Encrypt certificate, and have concatenated the CA cert and my server cert in a fullchain.pem.
> Excerpt from my ssl config:
>> ssl = yes
>> ssl_cert = </etc/letsencrypt/live/my.domain.com/fullchain.pem
>> ssl_key = </etc/letsencrypt/live/my.domain.comi/privkey.pem
> 
> doveadm returns these errors (sudo -u dovecot doveadm -v sync -u user tcps:my.domain.com:12345):
>> doveadm(casoli): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
>> doveadm(casoli): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
>> doveadm(casoli): Fatal: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
> 
> Which I can reproduce with openssl (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:12345):
>> (...)
>> Verify return code: 21 (unable to verify the first certificate)
> Indeed, in this case, dovecot only returns the local part of the certificate (my.domain.com), and not the full chain (with the intermediate CA).
> 
> While testing regular IMAPS with openssl is OK (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
>> (...)
>> Verify return code: 0 (ok)
> And I can see the full chain.
> 
> 
> So, it seems to me that doveadm is somehow wrongly serving my certificate, truncating it, but I can't see why, or whether this is a misconfiguration on my part.
> I can post more config files or message outputs if needed, I kept them redacted here for the sake of brevity.
> 
> Regards,
> N
> 
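As an added illustration that is not part of this thread, the following Python check covers the three things the exchange turns on: whether the file behind ssl_cert holds more than the leaf certificate, whether the ssl_key path actually exists (a mistyped path is one cause of a server presenting an incomplete identity), and whether ssl_client_ca_dir is set so the doveadm client has trust anchors. The config excerpt and PEM files it builds are constructed placeholders, not a real chain.

```python
import os
import re
import tempfile
from typing import Dict, List

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SETTING = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_dovecot_settings(conf_text: str) -> Dict[str, str]:
    """Collect 'key = value' lines from a Dovecot conf fragment; '#' comment lines are skipped."""
    settings = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def count_pem_certs(path: str) -> int:
    """Number of CERTIFICATE blocks in a PEM file; Dovecot sends every block as the served chain."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return len(PEM_CERT.findall(fh.read()))


def audit_ssl_settings(settings: Dict[str, str]) -> List[str]:
    """Return findings that explain an 'unable to get local issuer certificate' result."""
    findings = []
    if settings.get("ssl", "no") == "no":
        findings.append("ssl is not enabled")
    cert = settings.get("ssl_cert", "")
    if not cert.startswith("<"):  # Dovecot reads the file only with the '<path' form
        findings.append("ssl_cert must use the '<path' form")
    elif not os.path.isfile(cert[1:]):
        findings.append(f"ssl_cert file missing: {cert[1:]}")
    elif count_pem_certs(cert[1:]) < 2:
        findings.append(f"ssl_cert holds only the leaf; intermediate CA missing: {cert[1:]}")
    key = settings.get("ssl_key", "")
    if not key.startswith("<") or not os.path.isfile(key[1:]):
        findings.append(f"ssl_key file not found (check the path for typos): {key.lstrip('<')}")
    ca_dir = settings.get("ssl_client_ca_dir")
    if not ca_dir:
        findings.append("ssl_client_ca_dir not set: doveadm client has no CA store to verify the remote")
    elif not os.path.isdir(ca_dir):
        findings.append(f"ssl_client_ca_dir does not exist: {ca_dir}")
    return findings


def demo() -> List[str]:
    """Constructed reproduction: leaf-only fullchain.pem, mistyped key path, no client CA dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = os.path.join(tmp, "fullchain.pem"), os.path.join(tmp, "privkey.pem")
        with open(cert, "w") as fh:  # placeholder body, only the block count matters here
            fh.write("-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n")
        open(key, "w").close()
        conf = f"# constructed 10-ssl.conf excerpt\nssl = yes\nssl_cert = <{cert}\nssl_key = <{key}i\n"
        return audit_ssl_settings(parse_dovecot_settings(conf))


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```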

