Dovecot dsync tcps sends incomplete certificate chain

Thu Jan 5 00:20:54 UTC 2017

On 01/04/2017 08:40 PM, Juri wrote:
> Hi,
> I'm trying to configure a Dovecot dsync service between two servers, using a tcp+ssl connection and
> a valid Let's Encrypt certificate.
> I followed the guide on the wiki (http://wiki.dovecot.org/Replication) using the tcps method, but
> when I launch the replication it fails writing on the log (/var/log/mail.err):
> (Server 1 - sync "client" )| Error: sync: Disconnected from remote: Received invalid SSL
> certificate: unable to get local issuer certificate: /CN=mail.dividebyzero.it
> (Server 2 - sync "server")| Error: doveadm client disconnected before handshake: <no error>
>
> If I try to connect to the server using openssl s_client, on the port 993 (imaps) the server
> correctly sends the full chain:
> $ openssl s_client -connect server1.fqdn:993
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = mail.dividebyzero.it
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=mail.dividebyzero.it
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ...
>
> while on the doveadm port it fails:
> $ openssl s_client -connect server1.fqdn:7557
> CONNECTED(00000003)
> depth=0 CN = mail.dividebyzero.it
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = mail.dividebyzero.it
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=mail.dividebyzero.it
> i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ...
>
> I run Dovecot 2.2.13 on Debian 8.6:
> $ dovecot -n
> # 2.2.13: /etc/dovecot/dovecot.conf
> # OS: Linux 3.16.0-4-amd64 x86_64 Debian 8.6
> auth_default_realm = dividebyzero.it
> auth_mechanisms = plain login
> doveadm_password = (redacted)
> doveadm_port = 7557
> mail_location = maildir:~/Maildir
> mail_plugins = " notify replication"
> namespace inbox { (removed) }
> passdb {
> driver = pam
> }
> passdb {
> args = username_format=%n /etc/vmail/%d/passwd
> driver = passwd-file
> }
> plugin {
> mail_replica = tcps:otherserver.fqdn
> }
> protocols = " imap lmtp"
> service aggregator {
> fifo_listener replication-notify-fifo {
> user = dovecot
> }
> unix_listener replication-notify {
> user = dovecot
> }
> }
> service auth {
> unix_listener auth-client {
> group = Debian-exim
> mode = 0660
> }
> unix_listener auth-userdb {
> user = vmail
> }
> }
> service doveadm {
> inet_listener {
> port = 7557
> ssl = yes
> }
> }
> service imap-login {
> inet_listener imap {
> port = 143
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> }
> service replicator {
> process_min_avail = 1
> unix_listener replicator-doveadm {
> mode = 0666
> }
> }
> ssl = required
> ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem
> ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
> ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem
> userdb {
> driver = passwd
> }
> userdb {
> args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
> driver = static
> }
>
> Is it a known problem, or has it been resolved in a subsequent version?
> If it is not, can you suggest me a workaround in the meantime?
> Thank you.
I would do those test using the -CAfile parameter to be sure of the
local certificate file being used:

openssl s_client -connect server1.fqdn:993 -CAfile /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
openssl s_client -connect server1.fqdn:7557 -CAfile /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem

You should also be able to see the problem using the verify command directly (on the cert copied from the remote server) 
openssl verify -CAfile /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem fullchain_copied_from_remote_server.pem

This error happens when the local CA file or directory that is specified
does not contain the root certificate or the root certificate and
intermediate ones in the case that the intermediates are not supplied by
the server. My understanding is that Dovecot supplies the intermediate
certificates both for replication and imap services if they are in the
server certificate file. So you should be able to solve this by making
the root certificate available to Dovecot (parameter
ssl_client_ca_file). In the worst case you can concatenate the
intermediate and root certificates.

The certificate you are likely missing is the root certificate:

/O=Digital Signature Trust Co./CN=DST Root CA X3

You can follow the link on this page for it: https://letsencrypt.org/certificates/
(link DST Root CA X3.)

I recently set up replication following the wiki and I think you
deviated from the instructions at this point:
"The client must be able to verify that the SSL certificate is valid, so
you need to specify the directory/file containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat"

At least when I followed this for Centos using the Redhat setting it worked. The DST root certification was already in that file. You might have the same luck by following the indications for Debian: 
ssl_client_ca_dir = /etc/ssl/certs (and removing your ssl_client_ca_file setting). If not putting the right root or chain into the file is your alternative option.

John