Upgrading to v2.3.X breaks ssl san?

Aki Tuomi aki.tuomi at open-xchange.com
Tue Aug 6 23:04:29 EEST 2019


> On 06/08/2019 22:49 telsch via dovecot <dovecot at dovecot.org> wrote:
> 
> 
> Hello,
>  
>  using letsencrypt ssl certs with san works perfectly with 2.2.34, but
>  after upgrading to 2.3.4.1 it couldn't be verified (also tried v2.3.7.1).
>  
>  I connect to imap.myserver.lan
>  
>  the cn of the cert is myserver.lan and has the san imap.myserver.lan
>  
>  openssl s_client -connect imap.myserver.lan:993
>  CONNECTED(00000005)
>  depth=0 CN = imap.myserver.lan
>  verify error:num=20:unable to get local issuer certificate
>  verify return:1
>  depth=0 CN = imap.myserver.lan
>  verify error:num=21:unable to verify the first certificate
>  verify return:1
>  ---
>  Certificate chain
>  0 s:CN = imap.myserver.lan
>  i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  
>  
> If I cat ssl_ca and ssl_cert into one file and only use ssl_cert, it's working with 2.3.X
>  
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem

ssl_ca is not supposed to be automatically cat'ed into the certificate. The correct way is to put cert and leafs to the cert in order towards root into ssl-imap.pem. ssl_ca is intended for verifying clients connecting to the server.

Aki
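As an added example (not code from this thread or from Dovecot), a POSIX shell script that assembles the ssl_cert file in the order Aki describes, leaf first and then each issuer towards the root, and checks that order with openssl before the file is pointed at from ssl_cert. The file names and the OUT variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a Dovecot ssl_cert bundle in the
# order Aki describes (leaf, then each issuer towards the root) and verify
# that order, since ssl_ca is not concatenated into ssl_cert automatically.

# Split a PEM bundle ($1) into numbered single-certificate files in dir $2.
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

# Concatenate the leaf ($1) and its intermediate(s) ($2..) into the file
# named by OUT, which is what ssl_cert should point at (OUT is assumed).
# Usage: OUT=/etc/ssl-imap.pem build_bundle cert.pem chain.pem
build_bundle() {
  cat "$@" > "$OUT"
}

# Return 0 if every certificate's issuer is the subject of the next one in
# the file (leaf -> intermediate -> root); return 1 and report each break.
check_chain_order() {
  dir=$(mktemp -d) || return 2
  split_pem "$1" "$dir"
  prev_issuer="" rc=0
  for c in "$dir"/*.pem; do
    subject=$(openssl x509 -in "$c" -noout -subject_hash)
    issuer=$(openssl x509 -in "$c" -noout -issuer_hash)
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
      echo "$1: $(basename "$c") does not issue the certificate before it" >&2
      rc=1
    fi
    prev_issuer=$issuer
  done
  rm -rf "$dir"
  return $rc
}
```

With a correctly ordered bundle in place, the `openssl s_client` check quoted above lists the intermediate under "Certificate chain" instead of stopping at verify error 21.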

