Unexpected config results with local_name + multiple SSL certs
David Favor
david at davidfavor.com
Fri Mar 9 23:47:11 EET 2018
David Favor wrote:
> Working with SSL on a fresh install of the latest Ubuntu Artful + Dovecot
> seems broken somehow.
>
> Application is Dovecot listening for many SSL sites...
>
> Likely I've missed adding something simple to the config, related
> to local_name usage.
>
> It'd be great if someone can point out what I've missed, to set up
> multiple SSL certs for different host.domain entries in the config.
>
> Thanks.
> _______
>
> This works as expected... where the SNI server name is returned...
>
> #local_name imap.cydec.com {
> ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
> #}
>
> service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
> subject=/CN=imap.cydec.com
> _______
>
> This fails...
>
> local_name imap.cydec.com {
> ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
> }
>
> service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
> # Empty, so no servername match
> _______
>
> Full openssl output shows no cert being returned...
>
> service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com
> CONNECTED(00000004)
> write:errno=104
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 199 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1519576210
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> ---
>
> _______
>
> Config seems correct, with local_name uncommented...
>
> dovecot -n
> # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.4.16 (fed8554)
> # OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
> auth_debug = yes
> auth_debug_passwords = yes
> auth_verbose = yes
> debug_log_path = /var/log/dovecot.log
> disable_plaintext_auth = no
> info_log_path = /var/log/dovecot.log
> log_path = /var/log/dovecot.log
> mail_debug = yes
> mail_location = mbox:~/mail:INBOX=/var/mail/%u
> namespace inbox {
> inbox = yes
> location =
> mailbox Drafts {
> special_use = \Drafts
> }
> mailbox Junk {
> special_use = \Junk
> }
> mailbox Sent {
> special_use = \Sent
> }
> mailbox "Sent Messages" {
> special_use = \Sent
> }
> mailbox Trash {
> special_use = \Trash
> }
> prefix =
> }
> passdb {
> args = dovecot
> driver = pam
> }
> protocols = " imap pop3"
> service imap-login {
> inet_listener imap {
> port = 0
> }
> inet_listener imaps {
> port = 993
> ssl = yes
> }
> }
> service pop3-login {
> inet_listener pop3 {
> port = 0
> }
> inet_listener pop3s {
> port = 995
> ssl = yes
> }
> }
> userdb {
> driver = passwd
> }
> local_name imap.cydec.com {
> ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
> ssl_key = # hidden, use -P to show it
> }
It'd be great if someone has suggestions on how to fix this.
Thanks.
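A detail worth noticing in the `dovecot -n` output above: the only `ssl_cert` and `ssl_key` lines live inside the `local_name` block, and there is no default certificate at the top level. Dovecot needs a default `ssl_cert`/`ssl_key` whenever SSL is enabled; `local_name` blocks only override that default for connections whose TLS SNI name matches. That also explains why the commented-out variant "works": with the `local_name` line commented out, the two settings become the global default. The symptom in the `openssl s_client` run (connection reset, "no peer certificate available", 0 bytes read) is what a client sees when the login process cannot bring up TLS at all, not an SNI mismatch. The following is an added example of the intended layout, not configuration from the original post; the second hostname `mail.example.org` and all certificate paths other than the imap.cydec.com ones are placeholders.

```conf
# Added example (not from the original post): Dovecot 2.2 SSL layout for
# several hostnames selected by TLS SNI. mail.example.org and its paths are
# assumed placeholders.

# Refuse any non-TLS IMAP/POP3 session. With 'required', the
# disable_plaintext_auth = no from the posted config no longer exposes
# cleartext logins on the wire, but setting it to yes is still the safe default.
ssl = required

# Default certificate: mandatory whenever ssl is not 'no'. Dovecot presents
# this one when the client sends no SNI name, or a name that matches no
# local_name block below.
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
ssl_key  = </etc/letsencrypt/live/imap.cydec.com/privkey.pem

# Per-hostname override, matched against the SNI name the client sends.
# One block per additional hostname; the default above covers imap.cydec.com.
local_name mail.example.org {
  ssl_cert = </etc/letsencrypt/live/mail.example.org/fullchain.pem
  ssl_key  = </etc/letsencrypt/live/mail.example.org/privkey.pem
}

# Listeners: plaintext ports closed, TLS-on-connect ports open, as in the post.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# The posted config also has auth_debug_passwords = yes, which writes the
# attempted passwords into /var/log/dovecot.log; turn it off once the SSL
# problem is solved.
auth_debug_passwords = no
```

After `service dovecot restart`, repeat the `openssl s_client -connect host:993 -servername <name>` check once per hostname and confirm the `subject=` line (or, better, the subjectAltName list via `openssl x509 -noout -text`) carries the name that was requested; a name that falls through to the default certificate shows up as the imap.cydec.com subject. If the connection is still reset with no certificate, the login process has logged the reason in /var/log/dovecot.log, and in Dovecot 2.2 the usual cause of that exact symptom is the missing default `ssl_cert`.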