[Move mailboxes] 2.2.13 -> 2.3.13: Stuck on certificate verification
phren at ist-einmalig.de
Mon Nov 15 15:42:56 UTC 2021
Hi,
I'm about to move all mailboxes from an old machine - running Dovecot 2.2.13 - to a new machine - running Dovecot 2.3.13 (89f716dc2). Because the new machine is in a different location, I must use SSL encryption.
I followed the guides I found, but I'm stuck on certificate verification:
$ doveadm backup -Ru <user> tcps:<host>:12354
doveadm(<user>): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
doveadm(<user>): Error: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=<host> (check ssl_client_ca_* settings?)
On port 12354 the server sends an incomplete certificate chain, whereas on port 993 everything is fine.
I read that the settings
- ssl_client_ca_dir
- ssl_client_ca_file
are not used for certificate verification on port 12354; one should use the setting
ssl_ca
Here are the non-default settings on the client side:
$ dovecot -n
# 2.3.13 (89f716dc2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.13 (cdd19fe3)
# OS: Linux 5.10.0-9-amd64 x86_64 Debian 11.1
...
ssl_ca = </etc/dovecot/dovecot_imap_chain.crt
ssl_cert = </etc/ssl/letsencrypt.org/<host>.combine.crt
ssl_cipher_list = EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+AES256:!aNULL:!eNULL:!LOW:!MEDIUM:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!CAMELLIA
ssl_client_ca_dir = /etc/ssl/certs
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
...
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
...
verbose_ssl = yes
ssl_verify_client_cert = yes
According to
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/
the setting
ssl_ca
should contain
Issuing CA cert
Issuing CA CRL
Intermediate CA cert
Intermediate CA CRL
Root CA cert
Root CA CRL
But how do I build this file?
I tried root certificate, root + intermediate certificate and root + intermediate + signed certificate. None of them made it work...
I'm completely stuck on how to make certificate verification work.
Can anyone give me a hint?
Thanks in advance.
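A way to test candidate ssl_ca bundles offline, as an added example that is not part of the post and not Dovecot's own tooling: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names are constructed) and checks each bundle against a leaf presented without its intermediate, which is what the incomplete chain on port 12354 looks like to the doveadm client. The "unable to get local issuer certificate" text it reports is the same X.509 verify error that doveadm prints above.

```shell
#!/bin/sh
# Added example (not from the post or from Dovecot): build a throwaway
# root -> intermediate -> leaf chain, then test candidate ssl_ca bundles
# against a leaf presented without its intermediate, i.e. an incomplete
# chain as seen by the client.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal req config, no prompts
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -config req.cnf -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }

# Constructed toy PKI; the CNs are hypothetical.
newkey root.key; csr root.key ToyRoot root.csr
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
newkey int.key; csr int.key ToyIntermediate int.csr
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out int.pem 2>/dev/null
newkey leaf.key; csr leaf.key mail.example.invalid leaf.csr
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null

# Candidate ssl_ca contents (CA certificates only; CRLs are omitted here).
cat root.pem > root_only.pem
cat int.pem root.pem > int_plus_root.pem
cat leaf.pem int.pem root.pem > leaf_int_root.pem

# check BUNDLE [EXTRA]: verify leaf.pem with BUNDLE as the trust store.
# EXTRA, if given, plays the role of extra chain certificates the server sends.
# Prints "ok" or the verify error, e.g. "unable to get local issuer certificate".
check() {
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.pem 2>&1) && { echo ok; return 0; }
  case "$out" in
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "$out" ;;
  esac
}

printf 'root only, leaf alone:         %s\n' "$(check root_only.pem)"
printf 'root only, server sends int:   %s\n' "$(check root_only.pem int.pem)"
printf 'int + root, leaf alone:        %s\n' "$(check int_plus_root.pem)"
printf 'leaf + int + root, leaf alone: %s\n' "$(check leaf_int_root.pem)"
```

Against the real server, `openssl s_client -connect <host>:12354 -showcerts` shows exactly which certificates the doveadm port sends, and the presented leaf can then be run through the same `openssl verify -CAfile` call with each candidate ssl_ca file.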