<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
Is the key/cert pair readable by dovecot user? auth process does not run as root.
</div>
<div>
<br>
</div>
<div>
You can add
</div>
<div>
<br>
</div>
<div>
service auth {
</div>
<div>
extra_groups = ssl_cert
</div>
<div>
}
</div>
<div>
<br>
</div>
<div>
and chgrp the cert to ssl_cert to allow access to the cert.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<blockquote type="cite">
<div>
On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div dir="ltr">
<div>
I changed some of the tls options following the document, now config is following:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
tokeninfo_url =
<a href="https://keycloak.com/auth/realms/mail/protocol/openid-connect/token">https://keycloak.com/auth/realms/mail/protocol/openid-connect/token</a>
<br>introspection_url =
<a href="https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect">https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect</a>
<br>introspection_mode = post
<br>debug = yes
<br>rawlog_dir = /tmp/oauth2
<br>#force_introspection = yes
<br>username_attribute = username
<br>#active_attribute = active
<br>#active_value = true
<br>tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
<br>tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
<br>tls_key_file = /etc/pki/dovecot/private/dovecot.pem
<br>
</div>
<div>
---------------
</div>
<div>
<br>
</div>
<div>
The debug log is showing now slightly different msg ex:
</div>
<div>
Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate.
</div>
<div>
<br>
</div>
<div>
Still not able to connect to the keyclaok server. :(
<br>
</div>
<div>
<br>
</div>
<div>
PS: Dovecot & Keycloak severs are both using the same legit cert/key pair with CA file configured.
</div>
<div>
<br>
</div>
<div>
Thanks!
</div>
<div>
Mizuki
<br>
</div>
<div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">
On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <
<a href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a>> wrote:
<br>
</div>
<blockquote>
Before declaring it not ready for prime time, did you try setting
<br>
<br>tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
<br>
<br>In the oauth2 configuration file as documented in
<a target="_blank" href="https://doc.dovecot.org/configuration_manual/authentication/oauth2" rel="noopener">https://doc.dovecot.org/configuration_manual/authentication/oauth2</a> ?
<br>
<br>Aki
<br>
<br>> On 05/12/2019 21:58 mizuki via dovecot <
<a target="_blank" href="mailto:dovecot@dovecot.org" rel="noopener">dovecot@dovecot.org</a>> wrote:
<br>>
<br>>
<br>> Hi all,
<br>>
<br>> We'd like to enable OAuth with Keycloak in Dovecot, after enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm Dovecot is ready for OAuth using openssl command, however when the auth request comes in, it failed in establishing a SSL connection with Keycloak server on port 443, shown as following in debug logs. I can confirming using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server/' all returns normal and no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are NOT self-signed but signed the legit authorities. So I'm not sure why dovecot could not establish the connections.
<br>>
<br>
</blockquote>
</div>
</blockquote>
</body>
</html>