<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>2.2.10 is quite old. try reproducing this with .36 or 2.3.2.1</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">---<div>Aki Tuomi</div><div>Dovecot oy</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Martin Johannes Dauser <mdauser@cs.sbg.ac.at> </div><div>Date: 31/08/2018 13:10 (GMT+02:00) </div><div>To: dovecot@dovecot.org </div><div>Subject: Re: SNI Dovecot </div><div><br></div></div><div>FYI </div><div><br></div><div>dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI. </div><div>As you are using version 2.2.27 you might encounter the same behaviour.</div><div><br></div><div>If the client won't send SNI, my server randomly answers with any cert instead of </div><div>the default cert, --Perhaps dovecot just utilises the last used cert? One speciality </div><div>of my certs is, that both share the same Common Name (CN) but differ in </div><div>Subject Alternative Names (SAN).</div><div><br></div><div>Once your config works, you can check by initialising several connections </div><div>(I tried 30 times) without SNI using openssl. First command is without SNI, </div><div>second is with SNI.</div><div><br></div><div>$ openssl s_client -showcerts -connect IP-address:993<br></div><div>$ openssl s_client -showcerts -connect IP-address:993 -servername server.domain </div><br><div>This is my bugreport on this list.</div><div><a href="https://dovecot.org/pipermail/dovecot/2018-July/112368.html">https://dovecot.org/pipermail/dovecot/2018-July/112368.html</a><br></div><div><br></div><div>Best regards</div><div>Martin Johannes Dauser</div><div><br></div><div><br></div><div>On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote:<br></div><blockquote type="cite"><div data-html-editor-font-wrapper="true" style="font-family: arial, sans-serif; font-size: 13px;"> <p>Hi all,<br><br>I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains.<br><br>I'm using letsencrypt certificates.<br> </p> <p>On the 10-ssl.conf, when I only use one domain, like this, it works :<br><br>ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem<br>ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem<br>ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem<br><br>I got a warning of course when using my second domain, mydomain2.fr.<br><br>If I do the config :<br><br>local_name mail.mydomain.fr {<br>ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem<br>ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem<br>ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem<br>}<br><br>local_name mail.mydomain2.fr {<br>ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem<br>ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem<br>ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem<br>}<br><br>I got this on dovecot's start :<br><br>dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs<br>dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY<br><br>It's working without local_name, so why it can be a certificate issue?<br><br>Any idea?<br><br>I'm using dovecot 2.2.27-3+deb9u2 from debian.<br><br><br><br>Thanks,<br><signature>Nicola</signature></p> </div>
</blockquote></body></html>