Dovecot 2.3.0 TLS

Aki Tuomi aki.tuomi at dovecot.fi
Thu Jan 11 13:22:07 EET 2018



On 11.01.2018 13:20, Hauke Fath wrote:
> On Thu, 11 Jan 2018 12:20:45 +0200, Aki Tuomi wrote:
>> Was the certificate path bundled in the server certificate?
> No, as a separate file, provided from the local (intermediate) CA:
>
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
>
> Worked fine with 2.2.x, 2.3 gives
>
> % openssl s_client -connect XXX:993
> CONNECTED(00000006)
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet 
> Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
> Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
>    i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet 
> Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> [...]
> %
>

Seems we might've made an unexpected change here when we revamped the ssl
code. Can you try if it works if you concatenate the cert and cert-chain
into a single file? We'll start looking into whether this is a misunderstanding or a bug.

Aki
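A small check for the symptom discussed in this thread, added here as an example and not code from the thread's participants or from the Dovecot project. It parses `openssl s_client` output like the one quoted above to tell whether the server presented only its leaf certificate (verify errors 20/21 with a single chain entry), and assembles the leaf-first concatenated file that the reply suggests trying as `ssl_cert`. The first sample is the quoted output with its wrapped lines joined; the second "healthy" sample, the placeholder PEM bodies, and the names `diagnose`, `ChainReport` and `build_fullchain` are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample 1: the s_client output quoted in the thread, with the
# subject/issuer lines that the mail client wrapped joined back together.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca at hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
"""

# Constructed sample 2: what a server that sends its intermediate looks like
# (names are invented; the root is assumed to be in the client's trust store).
SAMPLE_HEALTHY_OUTPUT = """CONNECTED(00000003)
depth=2 C = DE, O = Example Org, CN = Example Root CA
verify return:1
depth=1 C = DE, O = Example Org, CN = Example Intermediate CA
verify return:1
depth=0 C = DE, O = Example Org, CN = imap.example.org
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Example Org/CN=imap.example.org
   i:/C=DE/O=Example Org/CN=Example Intermediate CA
 1 s:/C=DE/O=Example Org/CN=Example Intermediate CA
   i:/C=DE/O=Example Org/CN=Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)
CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")


@dataclass
class ChainReport:
    presented: list       # (subject, issuer) per slot, in the order the server sent them
    verify_errors: list   # OpenSSL X509 verify error numbers, in the order reported

    @property
    def presented_count(self) -> int:
        return len(self.presented)

    @property
    def missing_intermediate(self) -> bool:
        # A lone leaf that the client cannot chain (20: no local issuer found,
        # 21: first certificate unverifiable) means the server is not sending
        # the intermediate(s) the client would need to build the path.
        return self.presented_count == 1 and any(e in (20, 21) for e in self.verify_errors)


def diagnose(s_client_output: str) -> ChainReport:
    """Extract the presented chain and verify errors from s_client output."""
    presented, errors = [], []
    in_chain, pending_subject = False, None
    for line in s_client_output.splitlines():
        m = VERIFY_ERROR.match(line)
        if m:
            errors.append(int(m.group(1)))
            continue
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain section
            in_chain = False
            continue
        m = CHAIN_SUBJECT.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and pending_subject is not None:
            presented.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return ChainReport(presented, errors)


# Placeholder PEM bodies (not real certificates) used only to exercise the
# file-assembly logic without embedding any key material.
PLACEHOLDER_LEAF = "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n"
PLACEHOLDER_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE-PLACEHOLDER\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
)


def build_fullchain(leaf_pem: str, chain_pem: str) -> str:
    """Concatenate server certificate and CA chain, leaf first, as one PEM file.
    Any copy of the leaf already present in the chain file is dropped so the
    server never presents the same certificate twice."""
    leaf_blocks = PEM_BLOCK.findall(leaf_pem)
    if len(leaf_blocks) != 1:
        raise ValueError("leaf file must contain exactly one certificate")
    leaf = leaf_blocks[0]
    chain = [b for b in PEM_BLOCK.findall(chain_pem) if b != leaf]
    if not chain:
        raise ValueError("chain file contains no CA certificates")
    return "\n".join([leaf, *chain]) + "\n"


if __name__ == "__main__":
    for name, sample in (("quoted", SAMPLE_S_CLIENT_OUTPUT), ("healthy", SAMPLE_HEALTHY_OUTPUT)):
        r = diagnose(sample)
        print(f"{name}: {r.presented_count} cert(s) presented, errors={r.verify_errors}, "
              f"missing intermediate={r.missing_intermediate}")
```

Pointing `diagnose` at a live capture (`openssl s_client -connect host:993 </dev/null 2>&1`) gives the same verdict for a running server; once a concatenated file from `build_fullchain` is in place as `ssl_cert`, the chain section should list the intermediate at slot 1 and the 20/21 errors should disappear.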

