service doveadm : ssl problems

nerbrume at free.fr
Thu Nov 10 20:04:19 UTC 2016


----- Mail original -----
> From: "Tobi" <tobster at brain-force.ch>
> To: dovecot at dovecot.org
> Sent: Thursday 10 November 2016 16:35:56
> Subject: Re: service doveadm : ssl problems
> 
> Have you specified the path to ca-certificates?
> On Debian it's normally something like that
> 
> #10-ssl.conf
> ssl_client_ca_dir = /etc/ssl/certs

Yup, I did exactly that; sorry, I forgot to include that part in the excerpt from my ssl config.
However, as far as I understand, this has no impact when I test with openssl, right?
(For the record, I also tried manually adding the intermediate CA (Let's Encrypt Authority X3) to the /etc/ssl/certs dir, without any luck.)

N.

> see http://wiki.dovecot.org/Replication#SSL
> 
> 
> Am 10.11.2016 um 16:09 schrieb nerbrume at free.fr:
> > Hello,
> > 
> > I'm using dovecot 2.2.13 on Debian stable.
> > My users are authenticated through PAM, and stored in an LDAP
> > backend.
> > I'm trying to set up replication with SSL, following (mainly)
> > this: http://wiki2.dovecot.org/Replication
> > 
> > 1) I only deviated from the documented setup by not setting
> > "doveadm_port = 12345", as it would give me errors like:
> >> Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't
> >> support crentials lookups (to see if user is proxied, because
> >> doveadm_port is set)
> > but instead specifying the port in the mail_replica setting:
> > "mail_replica = tcps:my.domain.com:1465"
> > (following a mail from here:
> > http://www.dovecot.org/list/dovecot/2016-September/105356.html)
> > So far, this seems to be working for me.
> > 
> > 2) However, I'm having SSL problems. I have a Let's Encrypt
> > certificate, and have concatenated the CA cert and my server cert
> > into a fullchain.pem.
> > Excerpt from my ssl config:
> >> ssl = yes
> >> ssl_cert = </etc/letsencrypt/live/my.domain.com/fullchain.pem
> >> ssl_key = </etc/letsencrypt/live/my.domain.com/privkey.pem
> > 
> > doveadm returns these errors (sudo -u dovecot doveadm -v sync -u
> > user tcps:my.domain.com:12345):
> >> doveadm(casoli): Info: Received invalid SSL certificate: unable to
> >> get local issuer certificate: /CN=my.domain.com
> >> doveadm(casoli): Error: doveadm server disconnected before
> >> handshake: Received invalid SSL certificate: unable to get local
> >> issuer certificate: /CN=my.domain.com
> >> doveadm(casoli): Fatal: Disconnected from remote: Received invalid
> >> SSL certificate: unable to get local issuer certificate:
> >> /CN=my.domain.com
> > 
> > Which I can reproduce with openssl (openssl s_client -showcerts
> > -CApath /etc/ssl/certs -connect my.domain.com:12345):
> >> (...)
> >> Verify return code: 21 (unable to verify the first certificate)
> > Indeed, in this case, dovecot only returns the local part of the
> > certificate (my.domain.com), and not the full chain (with the
> > intermediate CA).
> > 
> > Testing regular IMAPS with openssl, on the other hand, is OK (openssl s_client
> > -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
> >> (...)
> >> Verify return code: 0 (ok)
> > And I can see the full chain.
> > 
> > 
> > So, it seems to me that doveadm is somehow wrongly serving my
> > certificate, truncating it, but I can't see why, or whether this is a
> > misconfiguration on my part.
> > I can post more config files or message outputs if needed, I kept
> > them redacted here for the sake of brevity.
> > 
> > Regards,
> > N
> > 
> 
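The failure discussed in this thread can be reproduced offline, without a doveadm server. The script below is an added example; it is not code from the thread, from Dovecot or from Let's Encrypt. It generates a constructed root CA, intermediate CA and server leaf with openssl(1) (the CNs, file names and the `my.domain.com` placeholder are assumptions), then shows three things: a client that trusts only the root gets "unable to get local issuer certificate" when the server presents just its leaf, the same client verifies fine when the server presents a certbot-style fullchain.pem (leaf first, then the intermediate), and copying an intermediate PEM file into a CApath directory such as `ssl_client_ca_dir` does nothing unless the file is named by subject hash (`<hash>.0`, which is what c_rehash produces), because that is the only name OpenSSL's directory lookup opens.

```shell
#!/bin/sh
# Added example (not from the Dovecot thread or the Dovecot project).
# All certificates are constructed here; nothing touches the network.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found; nothing to check" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed chain: root CA -> intermediate CA -> server leaf, mirroring the
# Let's Encrypt layout (root, "Authority X3"-style intermediate, your leaf).
make_chain() {
  (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:my.domain.com\n' > leaf.ext

    openssl req -new -batch -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/CN=Example Root" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
      -extfile ca.ext 2>/dev/null

    openssl req -new -batch -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj "/CN=Example Intermediate" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

    openssl req -new -batch -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj "/CN=my.domain.com" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

    # What certbot writes as fullchain.pem: leaf first, then the intermediate.
    cat leaf.pem inter.pem > fullchain.pem
  )
}

# Number of PEM certificates in a bundle (1 for a bare leaf, 2 for fullchain.pem).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Reduce openssl verify output to "ok", the issuer-lookup reason, or "fail: ...".
classify() {
  case $1 in
    *": OK") echo ok ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "fail: $1" ;;
  esac
}

# Verify LEAF against trusted ROOT, optionally with an UNTRUSTED bundle: the
# intermediates a TLS server sends alongside its leaf certificate.
verify_leaf() {
  root=$1; leaf=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    out=$(openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$root" "$leaf" 2>&1) || true
  fi
  classify "$out"
}

# Treat SERVED as the certificate list a server sends in its handshake: the
# first certificate is the end-entity, anything after it is untrusted chain
# material. The client trusts only ROOT, like a client with a CA bundle.
verify_as_client() {
  root=$1; served=$2
  openssl x509 -in "$served" -out "$WORK/served_leaf.pem" 2>/dev/null
  awk '/BEGIN CERTIFICATE/{n++} n>1' "$served" > "$WORK/served_rest.pem"
  if [ "$(cert_count "$WORK/served_rest.pem")" -gt 0 ]; then
    verify_leaf "$root" "$WORK/served_leaf.pem" "$WORK/served_rest.pem"
  else
    verify_leaf "$root" "$WORK/served_leaf.pem"
  fi
}

# Install CERT into CApath DIR the way c_rehash does: named <subject-hash>.0.
install_hashed() {
  dir=$1; cert=$2
  cp "$cert" "$dir/$(openssl x509 -noout -hash -in "$cert").0"
}

# Verify LEAF using only a CApath directory, as ssl_client_ca_dir does.
verify_capath() {
  capath=$1; leaf=$2
  out=$(openssl verify -CApath "$capath" "$leaf" 2>&1) || true
  classify "$out"
}

demo() {
  make_chain
  echo "fullchain.pem holds $(cert_count "$WORK/fullchain.pem") certificates, leaf.pem $(cert_count "$WORK/leaf.pem")"
  echo "server sends leaf only:            $(verify_as_client "$WORK/root.pem" "$WORK/leaf.pem")"
  echo "server sends full chain:           $(verify_as_client "$WORK/root.pem" "$WORK/fullchain.pem")"
  mkdir -p "$WORK/capath"
  install_hashed "$WORK/capath" "$WORK/root.pem"
  cp "$WORK/inter.pem" "$WORK/capath/inter.pem"   # copied in, not hashed
  echo "CApath with unhashed intermediate: $(verify_capath "$WORK/capath" "$WORK/leaf.pem")"
  install_hashed "$WORK/capath" "$WORK/inter.pem"
  echo "CApath with hashed intermediate:   $(verify_capath "$WORK/capath" "$WORK/leaf.pem")"
}

demo
```

Run it with `sh chaincheck.sh`. The "unable to get local issuer certificate" reason string from `openssl verify` is the one doveadm logged; `s_client`'s summary code 21 on older OpenSSL is the same missing-issuer condition reported one level up. The last two lines of the demo explain why dropping the intermediate into /etc/ssl/certs by hand did not help: until the file carries its subject-hash name, the CApath lookup never opens it. The live check against a real doveadm listener remains the thread's own `openssl s_client -showcerts -CApath /etc/ssl/certs -connect host:port`, reading how many certificates the server actually sends.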