Received invalid SSL certificate: unable to get certificate CRL

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Jan 24 20:25:12 UTC 2022


I'm having a frustrating problem trying to use "doveadm sync" to pull mails off a server for migration purposes.

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17.1 (a1a0b892)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2

I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on the OpenSSL default per the docs).

I always get the same:
Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)
 Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?) - disconnecting

openssl s_client -starttls imap -servername $name -connect $name:143 is happy though:

---
Certificate chain
 0 s:CN = <REDACTED>
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4954 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
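
An added example, not part of the original message: it lines up the subject named in the Dovecot error with the `Certificate chain` listing from `openssl s_client`, and reports where that certificate sits in the served chain and whether the server also sent its issuer. The function names are hypothetical and the sample input is constructed by copying the two outputs quoted in the post.

```python
import re

# Constructed sample: chain lines and error subject copied from the post above.
S_CLIENT_CHAIN = """\
 0 s:CN = <REDACTED>
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
DOVECOT_SUBJECT = "/C=US/O=Internet Security Research Group/CN=ISRG Root X1"


def dn_comma(text):
    """Normalise 'C = US, O = X, CN = Y' (s_client style) to a tuple of pairs."""
    parts = re.split(r",\s*(?=[A-Za-z]+\s*=)", text.strip())
    return tuple(tuple(s.strip() for s in p.split("=", 1)) for p in parts)


def dn_slash(text):
    """Normalise '/C=US/O=X/CN=Y' (the form used in the Dovecot error)."""
    return tuple(tuple(p.split("=", 1)) for p in text.strip("/").split("/"))


def parse_chain(output):
    """Return [(subject, issuer), ...] from a 'Certificate chain' listing."""
    subjects = re.findall(r"^\s*\d+ s:(.+)$", output, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", output, re.M)
    return [(dn_comma(s), dn_comma(i)) for s, i in zip(subjects, issuers)]


def diagnose(output, failing_subject):
    """Find the certificate named in the error and describe its issuer link."""
    chain = parse_chain(output)
    target = dn_slash(failing_subject)
    sent = {subj for subj, _ in chain}  # every subject the server presented
    for depth, (subj, issuer) in enumerate(chain):
        if subj == target:
            return {"depth": depth, "self_signed": subj == issuer,
                    "issuer_cn": dict(issuer).get("CN"),
                    "issuer_sent_by_server": issuer in sent}
    return None  # the error names a certificate that is not in the listing


if __name__ == "__main__":
    print(diagnose(S_CLIENT_CHAIN, DOVECOT_SUBJECT))
```

For the outputs above, the certificate named in the error is the last one served (depth 2), it is not self-signed as served, and its issuer, DST Root CA X3, is not in the chain. A verifier that follows that issuer link therefore needs DST Root CA X3 in its trust store, or has to accept ISRG Root X1 itself as the trust anchor.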