Server certificate verification error with Dovecot 2.3.2.1

Aki Tuomi aki.tuomi at dovecot.fi
Thu Sep 13 05:59:16 EEST 2018


You are supposed to put the intermediates into the cert file after the cert in order from cert to root. ssl_ca is not used for this.
---Aki TuomiDovecot oy
-------- Original message --------From: Robert Gill <locke at sdf.lonestar.org> Date: 13/09/2018  01:00  (GMT+02:00) To: dovecot at dovecot.org Subject: Server certificate verification error with Dovecot 2.3.2.1 
I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL
certificate authority provides a bundle containing their CA, plus
intermediate CAs, which I configure using the 'ssl_ca' option. The
comments in the configuration file say to only set this when you're
requiring client certificates, which I'm not, but fetchmail complains
with a "Server certificate verification error, Broken certificate chain"
error if that setting is not set. This works fine with Dovecot 2.2.34.

After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca'
is set or not. Dovecot 2.3.2.1 reports the error

  SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
  
in the logs when attempting the TLS handshake. The permissions on the CA
bundle haven't changed and should still be readable by Dovecot.

I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file
system. I'm attaching my config files for both Dovecot 2.2.34 and
Dovecot 2.3.2.1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180913/b989f759/attachment.html>


More information about the dovecot mailing list