<div dir='auto'><div><span style="font-size: 12.8px;">Hi Laura,</span><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">I don't know if it will work, but I came across a similar issue with Let's Encrypt using a recent OpenSSL: it failed verification with the same error message, and the following resolved it for me.</div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">Try running the following command against the client certificate's full chain and cert file:</div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;"><span style="color:rgb( 34 , 34 , 34 );font-family:monospace , monospace;font-size:15.008px;white-space:pre;background-color:rgb( 249 , 249 , 249 )">openssl verify -CAfile fullchain1.pem cert1.pem</span></div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">If it throws the same error, then try verifying with the following updated full chain, which has the valid Let's Encrypt intermediate and root certificates, and see if it works.</div><div dir="auto" style="font-size: 12.8px;"><pre style="white-space:pre-wrap;font-family:monospace , monospace;font-size:15.008px;color:rgb( 34 , 34 , 34 );background-color:rgb( 255 , 255 , 255 )"><code style="font-family:monospace , monospace;font-size:1em;display:block;padding:0.5em;max-height:500px">wget -O isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem && wget -O isrg-root-x1-cross-signed.pem https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem && wget -O lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem && wget -O lets-encrypt-r3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem && cat isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem > combined_chain1.pem && dos2unix combined_chain1.pem && rm -f lets-encrypt-r3*.* && rm -f isrg*.*</code></pre><br></div><div dir="auto" style="font-size: 12.8px;">If that didn't work either, then try using the updated CA bundle directly from the OS with the following commands, and reference it in the verify certificates list:</div><div dir="auto" style="font-size: 12.8px;"><pre style="white-space:pre-wrap;margin-top:0px;margin-bottom:0px;padding:12px;border:0px;line-height:1.30769;font-size:13px;vertical-align:baseline;max-height:600px;width:auto;border-radius:5px"><code style="margin:0px;padding:0px;border:0px;font-style:inherit;font-variant:inherit;font-weight:inherit;line-height:inherit;vertical-align:baseline;max-height:300px;border-radius:0px"><pre style="white-space:pre-wrap;border:1pt solid rgb( 174 , 189 , 204 );background-color:rgb( 243 , 245 , 247 );padding:5pt;font-family:'courier' , monospace;font-size:16px">ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes</pre></code></pre></div><div dir="auto" style="font-size: 12.8px;">As for how to update, it depends on your OS; the following works for me:</div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">yum install ca-certificates</div><div dir="auto" style="font-size: 12.8px;">update-ca-trust<br></div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">Refer to https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/<br></div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">Give it a try, and if you find another solution please let me know. Good luck.</div><div dir="auto" style="font-size: 12.8px;"><br></div><div dir="auto" style="font-size: 12.8px;">Zakaria</div><div class="gmail_extra"><br><div class="gmail_quote">On 24 Jan 2022 20:25, Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">I'm having a frustrating problem trying to use "doveadm sync" to pull mails off a server for migration purposes.
<br>
<br>
# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
<br>
# Pigeonhole version 0.5.17.1 (a1a0b892)
<br>
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
<br>
<br>
I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on OpenSSL default per the docs)
<br>
<br>
I always get the same:
<br>
Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)
<br>
Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?) - disconnecting
<br>
<br>
openssl s_client -starttls imap -servername $name -connect $name:143 is happy though:
<br>
<br>
---
<br>
Certificate chain
<br>
0 s:CN = <REDACTED>
<br>
i:C = US, O = Let's Encrypt, CN = R3
<br>
1 s:C = US, O = Let's Encrypt, CN = R3
<br>
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
<br>
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
<br>
i:O = Digital Signature Trust Co., CN = DST Root CA X3
<br>
---
<br>
---
<br>
No client certificate CA names sent
<br>
Peer signing digest: SHA256
<br>
Peer signature type: RSA-PSS
<br>
Server Temp Key: X25519, 253 bits
<br>
---
<br>
SSL handshake has read 4954 bytes and written 412 bytes
<br>
Verification: OK
<br>
---
<br>
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
<br>
Server public key is 2048 bit
<br>
Secure Renegotiation IS NOT supported
<br>
Compression: NONE
<br>
Expansion: NONE
<br>
No ALPN negotiated
<br>
Early data was not sent
<br>
Verify return code: 0 (ok)
<br>
---
<br>
<br>
<br>
<br>
</p>
</blockquote></div><br></div></div></div>
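<p>The reply above swaps in a different trust store; what neither message shows is why the chain in Laura's s_client output (leaf, R3, then an ISRG Root X1 that is itself issued by DST Root CA X3) verifies against one store and not another. The script below is an added example, not code from this thread or from Dovecot. It generates a throwaway PKI of the same shape (every subject is marked "(stand-in)", the hostname imap.example.test is made up, and the expiry of the old root is replayed with openssl verify -attime rather than by waiting), then verifies the served chain with only the old root trusted, only the self-signed current root trusted, an unrelated root trusted, and finally through a CApath directory before and after openssl rehash, which is the by-hash lookup that ssl_client_ca_dir relies on. It assumes an OpenSSL 1.1.0 or newer command-line tool.</p>

```shell
#!/bin/sh
# Added example, not from the thread above: build a throwaway PKI shaped like
# the chain in Laura's s_client output and verify it against different trust
# stores, the way a Dovecot client lookup (ssl_client_ca_file/_dir) would.
# Every name here is a local stand-in (subjects carry "(stand-in)"); nothing
# contacts Let's Encrypt, and all keys are generated and deleted on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# csr <stem> <subject>: fresh RSA key and CSR
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "$2" -out "$1.csr" >/dev/null 2>&1; }
# root <stem> <days>: self-signed CA certificate from that CSR
root() { openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" -extfile ca.ext -out "$1.pem" >/dev/null 2>&1; }
# issue <stem> <issuer stem> <days> <extfile>: certificate signed by another CA
issue() { openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -days "$3" -extfile "$4" -out "$1.pem" >/dev/null 2>&1; }

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:imap.example.test\n' > leaf.ext

ISRG='/O=Test PKI/CN=ISRG Root X1 (stand-in)'
csr dst   '/O=Test PKI/CN=DST Root CA X3 (stand-in)'
csr isrg  "$ISRG"
csr r3    '/O=Test PKI/CN=R3 (stand-in)'
csr leaf  '/CN=imap.example.test'
csr other '/O=Test PKI/CN=Unrelated Root'
root dst 1          # the old root: expires tomorrow (the real DST Root CA X3 expired on 2021-09-30)
root isrg 3650      # the current root, self-signed
root other 3650     # a root that has nothing to do with this chain
# Cross-sign: a second certificate for the ISRG key, issued by DST and outliving it.
openssl req -new -key isrg.key -subj "$ISRG" -out isrg-cross.csr >/dev/null 2>&1
issue isrg-cross dst 3650 ca.ext
issue r3 isrg 3650 ca.ext
issue leaf r3 90 leaf.ext

# What the server sends above the leaf: R3, then the cross-signed root
# (positions 1 and 2 in the "Certificate chain" listing above).
cat r3.pem isrg-cross.pem > served.pem

NOW=$(date +%s)
LATER=$((NOW + 2 * 86400))   # a clock at which the old root has expired

# chain_status <trusted file> <epoch seconds>: verify leaf.pem with only that
# file trusted, the served chain as untrusted input, and the clock set with
# -attime.  Prints OK or the first "error N at D depth lookup: ..." line.
chain_status() {
  if out=$(openssl verify -trusted "$1" -untrusted served.pem -attime "$2" leaf.pem 2>&1); then
    case "$out" in *"error "*) ;; *) echo OK; return 0;; esac
  fi
  printf '%s\n' "$out" | sed -n '/^error [0-9]* at/{p;q;}'
}

# 1. Only the old root trusted: fine before it expires, "certificate has
#    expired" at depth 3 afterwards, even though every served certificate is
#    still valid.
echo "old root only, now:       $(chain_status dst.pem "$NOW")"
echo "old root only, later:     $(chain_status dst.pem "$LATER")"
# 2. Only the self-signed current root trusted: OK.  OpenSSL 1.1.0+ looks for a
#    trusted issuer before using the served cross-signed copy, so the extra
#    certificate the server sends is simply not used.
echo "current root only, later: $(chain_status isrg.pem "$LATER")"
# 3. Neither root trusted: the chain is walked up to the served cross-signed
#    root, whose issuer cannot be found anywhere, so verification stops at
#    depth 2, the certificate whose subject Laura's log prints.
echo "unrelated root, later:    $(chain_status other.pem "$LATER")"

# 4. ssl_client_ca_dir style lookup: a directory is searched by subject hash,
#    so plain PEM files are invisible until the HASH.0 links exist.
# dir_status <dir>: verify with that directory as the only configured CA path
dir_status() {
  if openssl verify -no-CAfile -CApath "$1" -untrusted served.pem -attime "$LATER" leaf.pem >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}
mkdir cadir && cp isrg.pem cadir/
echo "CApath before rehash:     $(dir_status cadir)"
openssl rehash cadir >/dev/null 2>&1
echo "CApath after rehash:      $(dir_status cadir)"
```

<p>Run it with any POSIX sh; it writes only into a temporary directory. The three things it makes visible: a store that still leans on the old root fails once that root has expired, although every certificate the server sent was valid; a store holding the self-signed ISRG Root X1 succeeds because a modern OpenSSL tries trusted issuers before the server's cross-signed copy; and a directory handed to ssl_client_ca_dir has to carry the hash symlinks that openssl rehash (or the distribution's CA update tool) creates, or nothing in it is ever found.</p>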