Multidomain ssl config ?
Christian Kivalo
ml+dovecot at valo.at
Wed Jun 29 20:04:59 UTC 2022
On 2022-06-29 22:00, Jürgen Echter wrote:
> On Wednesday, June 29, 2022 21:24 CEST, Maurizio Caloro
> <mauric at gmx.ch> wrote:
>
>> on postfix now this seems to run, and with dovecot i also need to handle
>> these two domains,
>> but these error messages are appearing, like:
>>
>> Jun 29 20:49:28 Dovecot/imap-login: Info: Disconnected (no auth
>> attempts in 0 secs): user=<>,
>> rip=a.b.c.d, lip=37.120.190.188, TLS handshaking: SSL_accept() failed:
>> error:14094416:SSL routines:
>> ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46,
>> session=<FdklDjkdfrkfi>
>>
>> Running with Debian Buster
>>
>> # dovecot --version
>> 2.3.4.1 (f79e8e7e4)
>>
>> # nmail.caloro.ch
>> local_name nmail.caloro.ch {
>> ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
>> ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
>> }
>> # nmail.calm-ness.ch
>> local_name nmail.calm-ness.ch {
>> ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
>> ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
>> }
>>
>> thanks for possible help
>>
>
> Hi,
>
> the config says "You will still need a top-level default ssl_key and
> ssl_cert as well, or you will receive errors."
>
> I don't know if this is also a must have for SNI, as it is noted for
> multiple certificates per IP.
>
> https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#dovecot-ssl-configuration
This is also true for SNI.
From the config snippet above, configure the cert/key for
nmail.caloro.ch as default ssl_cert / ssl_key, so without the local_name
nmail.caloro.ch.
The nmail.calm-ness.ch can stay as is and will be served when requested
through SNI.
--
Christian Kivalo
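The layout Christian describes, written out as an added example (not a config from the original thread). It assumes the Let's Encrypt paths from Maurizio's post, a Dovecot 2.3 `conf.d/10-ssl.conf`, and the `ssl = required` line, which the thread does not mention; note that `ssl_cert` takes the chain file and `ssl_key` the private key.

```conf
# Top-level default pair. Dovecot needs this even when SNI blocks exist:
# it is used when a client sends no SNI name (or an unknown one) and
# without it Dovecot logs errors instead of completing the handshake.
ssl = required
ssl_cert = </etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
ssl_key = </etc/letsencrypt/live/nmail.caloro.ch/privkey.pem

# Second domain, selected by the SNI name the client sends.
# No local_name block is needed for nmail.caloro.ch; the default covers it.
local_name nmail.calm-ness.ch {
  ssl_cert = </etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem
  ssl_key = </etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem
}
```

After restarting Dovecot, `openssl s_client -connect <host>:993 -servername nmail.calm-ness.ch` should present the calm-ness.ch certificate and the same command with `-servername nmail.caloro.ch` the default one; a cert/key mismatch shows up at startup in the Dovecot log rather than as a client-side "certificate unknown" alert.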