how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

jean-christophe manciot actionmystique at gmail.com
Mon Aug 8 17:05:33 UTC 2022


I forgot to say that this mail server has been working perfectly for
many years (but without client certificates).

On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot
<actionmystique at gmail.com> wrote:
>
> @build+dovecot at de-korte.org
>
> ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> <ssl_ca> actually contains the private CA certificate bundled with the
> private CA CRL.
>
> ssl_cert = </etc/ssl/fullchain.pem
> <ssl_cert> contains the public server certificate bundled with the Let's
> Encrypt CA X3 cross-signed certificate.
>
> Maybe the latter should rather contain the root and intermediate certificates.
>
> On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
> <build+dovecot at de-korte.org> wrote:
> >
> > Citeren jean-christophe manciot <actionmystique at gmail.com>:
> >
> > > Hi everyone,
> > >
> > > I'm trying to set up dovecot to accept only client certificates created
> > > with a private CA:
> > > auth_ssl_require_client_cert = yes
> > > ssl_verify_client_cert = yes
> > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> >
> > This is wrong; you should enter your private CA here. If
> > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > generally be empty / not configured.
> >
> > > At the same time, dovecot is set up with an SSL certificate created by
> > > a public CA (Let's Encrypt):
> > > ssl = required
> > > ssl_cert = </etc/ssl/fullchain.pem
> > > ssl_key = </etc/ssl/key.pem
> > >
> > > When I try to connect to the server with a client (evolution), I get a
> > > connection error:
> > > "Client did not present valid SSL certificate" except that it is valid.
> > >
> > > As you probably already know, Let's Encrypt does not create client
> > > certificates.
> > > It seems that using a different CA for client certificates and for the
> > > server certificate is unsupported.
> > >
> > > Am I missing something?
> >
> >
> >
>
>
> --
> Jean-Christophe



-- 
Jean-Christophe
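The ssl_ca / ssl_cert split discussed in this thread, as an added example that is neither part of the original posts nor dovecot's own code: a POSIX shell script (assuming a working `openssl` binary) that builds a throwaway private CA, issues one client certificate and a CRL, writes the CA-plus-CRL bundle the poster describes for ssl_ca, and then verifies a client certificate against that bundle alone, which is the check the server performs for ssl_verify_client_cert = yes and which does not involve the Let's Encrypt chain in ssl_cert. All file names and certificate subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA, issue a client cert
# and a CRL, bundle CA cert + CRL the way the poster's ssl_ca file is described,
# then check a client cert against that bundle the way dovecot does when
# ssl_verify_client_cert = yes. ssl_cert (the Let's Encrypt chain) plays no part.
# All file names and subjects are constructed for this demo.
set -e
WORK=${WORK:-$(mktemp -d)}
# Minimal OpenSSL config: [req] for the CA cert, [ca] for issuing the CRL.
write_openssl_cnf() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
}
# Private CA, one client cert signed by it, an (empty) CRL, and the bundle.
make_private_ca() {
  write_openssl_cnf
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Private Mail CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=user@example.com" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/client.pem" 2>/dev/null
  openssl ca -gencrl -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" \
    -cert "$WORK/ca.pem" -out "$WORK/ca.crl" 2>/dev/null
  cat "$WORK/ca.pem" "$WORK/ca.crl" > "$WORK/CA_Certificate_CRL_bundle.pem"
}
# $1 = ssl_ca bundle, $2 = client cert. Succeeds only if the cert chains to the
# CA in the bundle and the bundle carries that CA's CRL (-crl_check), which is
# also what dovecot's default ssl_require_crl = yes demands.
check_client_cert() {
  openssl verify -CAfile "$1" -crl_check "$2" >/dev/null 2>&1
}
```

Run `make_private_ca` and then `check_client_cert "$WORK/CA_Certificate_CRL_bundle.pem" "$WORK/client.pem"`; the same check against a certificate issued by any other CA, public or private, fails, which is the behaviour the "Client did not present valid SSL certificate" message reports.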