<div dir="ltr"><div>I changed some of the TLS options following the document; the config is now the following:</div><div><br></div><div><br></div><div>tokeninfo_url = <a href="https://keycloak.com/auth/realms/mail/protocol/openid-connect/token">https://keycloak.com/auth/realms/mail/protocol/openid-connect/token</a><br>introspection_url = <a href="https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect">https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect</a><br>introspection_mode = post<br>debug = yes<br>rawlog_dir = /tmp/oauth2<br>#force_introspection = yes<br>username_attribute = username<br>#active_attribute = active<br>#active_value = true<br>tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt<br>tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem<br>tls_key_file = /etc/pki/dovecot/private/dovecot.pem<br></div><div>---------------</div><div><br></div><div>The debug log now shows a slightly different message, e.g.:</div><div>Dec  5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate.</div><div><br></div><div>Still not able to connect to the Keycloak server.  :(<br></div><div><br></div><div>PS: The Dovecot & Keycloak servers are both using the same legit cert/key pair with the CA file configured.</div><div><br></div><div>Thanks!</div><div>Mizuki<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Before declaring it not ready for prime time, did you try setting<br>
<br>
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt<br>
<br>
In the oauth2 configuration file as documented in <a href="https://doc.dovecot.org/configuration_manual/authentication/oauth2" rel="noreferrer" target="_blank">https://doc.dovecot.org/configuration_manual/authentication/oauth2</a> ?<br>
<br>
Aki<br>
<br>
> On 05/12/2019 21:58 mizuki via dovecot <<a href="mailto:dovecot@dovecot.org" target="_blank">dovecot@dovecot.org</a>> wrote:<br>
> <br>
> <br>
> Hi all,<br>
> <br>
> We'd like to enable OAuth with Keycloak in Dovecot. After enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on the online document, I can confirm Dovecot is ready for OAuth using the openssl command; however, when the auth request comes in, it failed to establish an SSL connection with the Keycloak server on port 443, as shown in the debug logs below. I can confirm that using the commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server>/' both return normally with no errors. Altering some of the SSL options in Dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificates are NOT self-signed but signed by legitimate authorities. So I'm not sure why Dovecot could not establish the connection.<br>
> <br>
> Debug logs:<br>
> ----------------------------------------------------<br>
> Dec 5 14:32:07 mktst4 dovecot: auth: Debug: auth client connected (pid=16554)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: client in: AUTH#0111#011OAUTHBEARER#011service=imap#011secured#011session=QPwA/fmY+tqCx5Tr#011lip=130.199.148.187#011rip=10.0.2.1#011lport=993#011rport=56058#011resp=bixhPW1penVraQFob3N0PW1rdHN0NC5zZGNjLmJubC5nb3YBcG9ydD05OTMBYXV0aD1CZWFyZXIgZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJZ09pQWlTbGRVSWl3aWEybGtJaUE2SUNKcmRHeE5TSFZtYkc1NFZUUmlSR1pLTm5kSGRteFBNVVYxWWxWd2FreEZVVmhIY25GTU5UYzNhSEJSSW4wLmV5SnFkR2tpT2lJNE5XSmxZV05tTkMxak1tTmxMVFJtTkRJdFltUTRNUzAxTnpWaU4yRmpZV05sT1RnaUxDSmxlSEFpT2pFMU56VTJNVEF5TURnc0ltNWlaaUk2TUN3aWFXRjBJam94TlRjMU5UYzBNakE0TENKcGMzTWlPaUpvZEhSd2N6b3ZMMnRsZVdOc2IyRnJNaTV6WkdOakxtSnViQzVuYjNZdllYVjBhQzl5WldGc2JYTXZiV0ZwYkNJc0ltRjFaQ0k2SW1GalkyOTFiblFpTENKemRXSWlPaUkyTmpWa05EVTNNeTA0WVdFMUxUUmtPRFl0WW1NelppMHlaVEpqTWpOaU16WTJORFVpTENKMGVYQWlPaUpDWldGeVpYSWlMQ0poZW5BaU9pSmtiM1psWTI5MElpd2lZWFYwYUY5MGFXMWxJam93TENKelpYTnphVzl1WDNOMFlYUmxJam9pT1RNNE5XRTVOakF0TUROa1pDMDBPR05sTFdFeU4yUXRZVFkzWkdZME5tUXhaRGcxSWl3aVlXTnlJam9pTVNJc0luSmxZV3h0WDJGalkyVnpjeUk2ZXlKeWIyeGxjeUk2V3lKdlptWnNhVzVsWDJGalkyVnpjeUlzSW5WdFlWOWhkWFJvYjNKcGVtRjBhVzl1SWwxOUxDSnlaWE52ZFhKalpWOWhZMk5sYzNNaU9uc2lZV05qYjNWdWRDSTZleUp5YjJ4bGN5STZXeUp0WVc1aFoyVXRZV05qYjNWdWRDSXNJbTFoYm1GblpTMWhZMk52ZFc1MExXeHBibXR6SWl3aWRtbGxkeTF3Y205bWFXeGxJbDE5ZlN3aWMyTnZjR1VpT2lKd2NtOW1hV3hsSUdWdFlXbHNJaXdpWlcxaGFXeGZkbVZ5YVdacFpXUWlPbVpoYkhObExDSnVZVzFsSWpvaVRXbDZkV3RwSUV0aGNtRnpZWGRoSWl3aWNISmxabVZ5Y21Wa1gzVnpaWEp1WVcxbElqb2liV2w2ZFd0cElpd2laMmwyWlc1ZmJtRnRaU0k2SWsxcGVuVnJhU0lzSW1aaGJXbHNlVjl1WVcxbElqb2lTMkZ5WVhOaGQyRWlMQ0psYldGcGJDSTZJbTFwZW5WcmFVQmlibXd1WjI5MkluMC5NZTRwNkl0dmx2T0VYRTIxM2pwSnJpa3FhZGNZb0ZsMnlMVlJzQTJvQTdmWDgteEtJYTR2ckZmamwwLXRwb2JodzIyRnBvVDZ2TWoxbXphLXBWWUxzNW1vM0w5Y0xKT2hVVnV2Tm9YSm5nZlRzLXk2TWxuTXVGV1NQemtidEhhOXJTUEVqZGFZQXBDQk52MG9CWEs2bmhIM0U5ZkNvTl9TQlUycWxaSWk2M1dWOUZXSjFrbHVGT2Iwc0xja2JfWGNGZzhUZ0dXOEdVUlRYTlg4bW1VM1dNLWJ5dnJuTkFyNmFjWW1ibXRaVzRhV0NwTk5FSHRZU29LSmgydHZuQjhHNnl5eWptWWJ5Q2ZhTmwwSnVZYU52VFEzTXhCX2FnLV9Pcy04VkwtTGFLdHBGYXBM
NEVNWUJaXzFnZmNhSFdUSUV1VS0wSVdjTjlEa2xxcW1MN19jNlEBAQ== (previous base64 data may contain sensitive data)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>): Host created<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>): Performing asynchronous DNS lookup<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: GET <a href="https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q" rel="noreferrer" target="_blank">https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q</a>]: Submitted<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>): DNS lookup successful; got 1 IPs<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Peer created<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a>: Setting up connection to <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) (SSL=<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>)) (1 requests pending)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Linked queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a> (1 queues linked)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a>: Started new connection to <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) (SSL=<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>))<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Making new connection 1 of 1<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: HTTPS connection created (1 parallel connections exist)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: Connected<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: Starting SSL handshake<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Received invalid SSL certificate: unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Failed to make connection (connections=1, connecting=1)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a>: Failed to set up connection to <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) (SSL=<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>)): SSL handshaking with <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) failed: read(SSL <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>)) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority (1 peers pending, 1 requests pending)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a>: Failed to set up any connection; failing all queued requests<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>): Unlinked queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a> (0 queues linked)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue <a href="https://example.com:443" rel="noreferrer" target="_blank">https://example.com:443</a>: Dropping request [Req1: GET <a href="https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q" rel="noreferrer" target="_blank">https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q</a>]<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (<a href="http://example.com" rel="noreferrer" target="_blank">http://example.com</a>): Host is idle (timeout = 1799992 msecs)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<QPwA/fmY+tqCx5Tr>): oauth2 failed: SSL handshaking with <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) failed: read(SSL <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>)) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: GET <a href="https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q" rel="noreferrer" target="_blank">https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q</a>]: Destroy (requests left=1)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: GET <a href="https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q" rel="noreferrer" target="_blank">https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.….Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q</a>]: Free (requests left=0)<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: SSL handshaking with <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) failed: read(SSL <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>)) failed: Received invalid SSL certificate: unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: Connection close<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: Connection disconnect<br>
> Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn <a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">10.0.2.2:443</a> (<a href="http://10.0.2.2:443" rel="noreferrer" target="_blank">http://10.0.2.2:443</a>) [0]: Connection destroy<br>
> ----------------------------------------------------<br>
> <br>
> #dovecot -n<br>
> ----------------------------------------------------<br>
> # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf<br>
> # OS: Linux 3.10.0-1062.4.3.el7.x86_64 x86_64 Red Hat Enterprise Linux Server release 7.7 (Maipo)<br>
> # Hostname: <a href="http://mktst4.sdcc.bnl.gov" rel="noreferrer" target="_blank">mktst4.sdcc.bnl.gov</a> (<a href="http://mktst4.sdcc.bnl.gov" rel="noreferrer" target="_blank">http://mktst4.sdcc.bnl.gov</a>)<br>
> auth_debug = yes<br>
> auth_debug_passwords = yes<br>
> auth_mechanisms = oauthbearer xoauth2<br>
> auth_verbose = yes<br>
> auth_verbose_passwords = yes<br>
> first_valid_uid = 1000<br>
> mail_debug = yes<br>
> mail_location = maildir:~/Maildir<br>
> mbox_write_locks = fcntl<br>
> namespace inbox {<br>
>  inbox = yes<br>
>  location =<br>
>  mailbox Drafts {<br>
>  special_use = \Drafts<br>
>  }<br>
>  mailbox Junk {<br>
>  special_use = \Junk<br>
>  }<br>
>  mailbox Sent {<br>
>  special_use = \Sent<br>
>  }<br>
>  mailbox "Sent Messages" {<br>
>  special_use = \Sent<br>
>  }<br>
>  mailbox Trash {<br>
>  special_use = \Trash<br>
>  }<br>
>  prefix =<br>
> }<br>
> passdb {<br>
>  args = /etc/dovecot/dovecot-oauth2.conf.ext<br>
>  driver = oauth2<br>
>  mechanisms = oauthbearer xoauth2<br>
> }<br>
> protocols = imap<br>
> service auth {<br>
>  unix_listener /var/spool/postfix/private/auth {<br>
>  group = postfix<br>
>  mode = 0666<br>
>  user = postfix<br>
>  }<br>
> }<br>
> ssl = required<br>
> ssl_ca = </etc/pki/CA/certs/2.pem<br>
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem<br>
> ssl_cipher_list = ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA<br>
> ssl_client_ca_file = </etc/pki/CA/certs/2.pem<br>
> ssl_key = # hidden, use -P to show it<br>
> ssl_prefer_server_ciphers = yes<br>
> ssl_require_crl = no<br>
> userdb {<br>
>  args = uid=vmail gid=vmail home=/var/vmail/%u<br>
>  driver = static<br>
> }<br>
> ----------------------------------------------------<br>
> <br>
> # cat /etc/dovecot/conf.d/auth-oauth2.conf.ext<br>
> ----------------------------------------------------<br>
> passdb {<br>
>  driver = oauth2<br>
>  mechanisms = oauthbearer xoauth2<br>
>  args = /etc/dovecot/dovecot-oauth2.conf.ext<br>
> }<br>
> <br>
> userdb {<br>
>  driver = static<br>
>  args = uid=vmail gid=vmail home=/var/vmail/%u<br>
> }<br>
> ----------------------------------------------------<br>
> <br>
> I wonder if anyone has experienced this and possibly knows what's going on.<br>
> Thanks!<br>
> Mizuki<br>
</blockquote></div>
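<div>The error in the quoted debug log, "Received invalid SSL certificate: unable to get issuer certificate: /C=US/.../CN=USERTrust RSA Certification Authority", is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: the client found that certificate in the chain it was building but could not find whatever issued it in the CA file it was handed, so the chain never reaches a trusted self-signed root. The script below is an added example, not code from this thread or from Dovecot. It constructs a throwaway root, intermediate and server certificate with openssl (the CA names, the hostname keycloak.example and all file names are made up), then runs openssl verify against the leaf the way a TLS client such as Dovecot's http-client would, with the trusted file set to the intermediate alone, the root alone, and a root-plus-intermediate bundle, and with the server presenting either its full chain or only its own certificate. The thread does not say what /etc/pki/CA/certs/incommon-rsa-server-ca.crt contains; the example only shows which trust-file contents produce which OpenSSL error.</div>

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: reproduce OpenSSL's
# "unable to get issuer certificate" offline with a constructed chain.
# All names (Example Root CA, Example Intermediate CA, keycloak.example)
# and file names are made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for CA certificates (root and intermediate)
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
# Extensions for the server (leaf) certificate
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:keycloak.example
EOF

# csr NAME SUBJECT: make a P-256 key and a CSR (fast, no passphrase)
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Three-tier chain: root (self-signed) -> intermediate -> server
csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ca.ext -out root.crt 2>/dev/null
csr inter "Example Intermediate CA"
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out inter.crt 2>/dev/null
csr server "keycloak.example"
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 825 -extfile server.ext -out server.crt 2>/dev/null

# Candidate contents for the client's trusted CA file (tls_ca_cert_file)
cp inter.crt ca-intermediate-only.crt        # a single intermediate-CA cert
cp root.crt  ca-root-only.crt                # the root alone
cat root.crt inter.crt > ca-bundle.crt       # root plus intermediate

# verify_server CAFILE PRESENTED
#   CAFILE     trusted CA file handed to the client (like tls_ca_cert_file)
#   PRESENTED  "chain" if the server sends leaf+intermediate in the handshake,
#              "leaf"  if it sends only its own certificate
# Prints OK, MISSING_ROOT (OpenSSL error 2, "unable to get issuer
# certificate"), MISSING_INTERMEDIATE (error 20, "unable to get local issuer
# certificate"), or the raw openssl output for anything else.
# -no-CApath keeps the system certificate directory out of the picture so
# only CAFILE decides the outcome.
verify_server() {
  untrusted=""
  if [ "$2" = chain ]; then untrusted="-untrusted inter.crt"; fi
  # $untrusted is intentionally unquoted so it splits into two arguments
  out=$(openssl verify -no-CApath -CAfile "$1" $untrusted server.crt 2>&1 || true)
  case "$out" in
    *"server.crt: OK"*)                         echo OK ;;
    *"unable to get issuer certificate"*)       echo MISSING_ROOT ;;
    *"unable to get local issuer certificate"*) echo MISSING_INTERMEDIATE ;;
    *)                                          echo "OTHER: $out" ;;
  esac
}

# Show every combination. Only a trust file that reaches the self-signed root
# verifies, and a root+intermediate bundle also survives a server that does
# not send its intermediate.
for ca in ca-intermediate-only.crt ca-root-only.crt ca-bundle.crt; do
  for presented in chain leaf; do
    printf '%-26s server sends %-5s -> %s\n' \
      "$ca" "$presented" "$(verify_server "$ca" "$presented")"
  done
done
```

<div>To map this onto a live server, "openssl s_client -connect HOST:443 -showcerts" prints the chain the server actually sends, and "openssl verify -no-CApath -CAfile FILE LEAF" (with "-untrusted" for any intermediates the server sent) reproduces Dovecot's verification with the same trust file that tls_ca_cert_file names. Whatever that file holds, it must reach a self-signed root; the distribution bundle Aki points at (/etc/ssl/certs/ca-certificates.crt on Debian-style systems, /etc/pki/tls/certs/ca-bundle.crt on RHEL 7) does, which is the most likely reason curl and s_client with their default store succeed while a single-certificate CA file does not.</div>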