[Move mailboxes] 2.2.13 -> 2.3.13: Stuck on certificate verification

phren at ist-einmalig.de phren at ist-einmalig.de
Mon Nov 15 15:42:56 UTC 2021


Hi,

I'm about to move all mailboxes from an old machine - running Dovecot 2.2.13 - to a new machine - running Dovecot 2.3.13 (89f716dc2). Because the new machine is in a different location, I must use SSL encryption.

I followed the guides I found, but I am stuck on certificate verification:

$ doveadm backup -Ru <user> tcps:<host>:12354
doveadm(<user>): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)

On port 12354 the server sends an incomplete certificate chain, whereas on port 993 everything is fine.

I read that the settings

- ssl_client_ca_dir
- ssl_client_ca_file

are not used on certificate verification for port 12354, one should use the setting

ssl_ca

Here are the non-default settings on the client side:

$ dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.1
...
ssl_ca = </etc/dovecot/dovecot_imap_chain.crt
ssl_cert = </etc/ssl/letsencrypt.org/<host>.combine.crt
ssl_cipher_list = EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+AES256:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!CAMELLIA
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
...
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
...
verbose_ssl = yes
ssl_verify_client_cert = yes

According to

https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/

the setting

ssl_ca

should contain

    Issuing CA cert
    Issuing CA CRL
    Intermediate CA cert
    Intermediate CA CRL
    Root CA cert
    Root CA CRL

But how do I build this file?
I tried root certificate, root + intermediate certificate and root + intermediate + signed certificate. None of them made it work...
I'm completely stuck on how to make certificate verification work.

Can anyone give me a hint?
Thanks in advance.
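As an added example (not code from this post or from the Dovecot project): the message "unable to get local issuer certificate" is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. It is raised when the verifier cannot find the issuer of some certificate in the chain, neither among the certificates the peer sent nor in the trust bundle it was given. A server that sends only its leaf therefore verifies only if the bundle on the client side contains the intermediate as well as the root. The script below builds a throwaway root -> intermediate -> leaf PKI with openssl and reproduces the three cases: leaf-only server against root alone (fails), leaf-only server against intermediate + root (succeeds), and a complete chain from the server against root alone (succeeds). It assumes openssl 1.1.1 or newer on PATH; the CA names, the host name mail.example.test and the file names are made up, and it builds only the certificate part of a bundle, no CRLs.

```shell
#!/bin/sh
# Added example, not code from the post or from Dovecot: reproduce
# "unable to get local issuer certificate" with a throwaway PKI and show
# which trust bundle makes a leaf-only server chain verifiable.
# Assumes: openssl 1.1.1+ on PATH. All names below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_chain: generate root CA -> intermediate CA -> leaf (server) cert.
# Runs in a subshell so the cd does not leak into the caller.
make_chain() (
  cd "$WORK"
  # Minimal config: CA extensions for root/intermediate, end-entity for leaf.
  cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
  KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
  # Self-signed root.
  openssl req -x509 -config pki.cnf -extensions ca_ext $KEY \
    -keyout root.key -out root.crt -days 30 \
    -subj "/CN=Example Root CA" 2>/dev/null
  # Intermediate, signed by the root.
  openssl req -new -config pki.cnf $KEY -keyout int.key -out int.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions ca_ext -out int.crt 2>/dev/null
  # Leaf for the mail host, signed by the intermediate only.
  openssl req -new -config pki.cnf $KEY -keyout leaf.key -out leaf.csr \
    -subj "/CN=mail.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions leaf_ext -out leaf.crt 2>/dev/null
)

# build_bundle OUT CERT...: concatenate PEM certificates into one trust
# bundle (order does not matter for a trust store). Prints the number of
# certificates the bundle now holds, as a sanity check.
build_bundle() {
  out="$WORK/$1"; shift
  : > "$out"
  for c in "$@"; do cat "$WORK/$c" >> "$out"; done
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# list_bundle FILE: show subject/issuer of every certificate in a bundle,
# useful for checking what a given ssl_ca-style file actually contains.
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/$1" | openssl pkcs7 -print_certs -noout
}

# verify_leaf BUNDLE [UNTRUSTED]: verify leaf.crt the way a TLS client does,
# trusting only BUNDLE. UNTRUSTED stands for the extra certificates a server
# sends along with its leaf (a complete chain); omit it to model a server
# that sends the leaf alone. Returns openssl's exit status.
verify_leaf() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.crt"
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.crt"
  fi
}

demo() {
  make_chain
  echo "1) server sends leaf only, client trusts root only:"
  verify_leaf root.crt || true
  echo "2) server sends leaf only, client trusts intermediate + root:"
  build_bundle ssl_ca.crt int.crt root.crt >/dev/null
  list_bundle ssl_ca.crt
  verify_leaf ssl_ca.crt
  echo "3) server sends leaf + intermediate, client trusts root only:"
  verify_leaf root.crt int.crt
}

demo
```

Case 1 prints the same "unable to get local issuer certificate" that doveadm reports; case 2 is the bundle that makes a leaf-only server verifiable (intermediate and root concatenated, CRLs optional). Case 3 is the usual situation, and the better fix when you control the server: a server chain file that lists the leaf first and then the intermediate(s) lets every client verify with only the root in its trust store, which is what the poster already sees on port 993.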
