David Favor
2018-Feb-25 16:31 UTC
Unexpected config results with local_name + multiple SSL certs
Working with SSL on fresh install of latest Ubuntu Artful + Dovecot
seems broken somehow.
Application is Dovecot listening for many SSL sites...
Likely I've missed adding something simple to the config, related
to local_name usage.
Be great if someone can point out what I've missed, to setup
multiple SSL certs for different host.domain entries in config.
Thanks.
_______
This works as expected... where the SNI server name is returned...
#local_name imap.cydec.com {
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
#}
service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
subject=/CN=imap.cydec.com
_______
This fails...
local_name imap.cydec.com {
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem
}
service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject
# Empty, so no servername match
_______
Full openssl output shows no cert being returned...
service dovecot restart && echo QUIT | openssl s_client -connect
imap.cydec.com:993 -servername imap.cydec.com
CONNECTED(00000004)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 199 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519576210
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
_______
Config seems correct, with local_name uncommented...
dovecot -n
# 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.16 (fed8554)
# OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10
auth_debug = yes
auth_debug_passwords = yes
auth_verbose = yes
debug_log_path = /var/log/dovecot.log
disable_plaintext_auth = no
info_log_path = /var/log/dovecot.log
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = mbox:~/mail:INBOX=/var/mail/%u
namespace inbox {
inbox = yes
location mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix }
passdb {
args = dovecot
driver = pam
}
protocols = " imap pop3"
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
userdb {
driver = passwd
}
local_name imap.cydec.com {
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
ssl_key = # hidden, use -P to show it
}
David Favor
2018-Mar-09 21:47 UTC
Unexpected config results with local_name + multiple SSL certs
David Favor wrote:> Working with SSL on fresh install of latest Ubuntu Artful + Dovecot > seems broken somehow. > > Application is Dovecot listening for many SSL sites... > > Likely I've missed adding something simple to the config, related > to local_name usage. > > Be great if someone can point out what I've missed, to setup > multiple SSL certs for different host.domain entries in config. > > Thanks. > _______ > > This works as expected... where the SNI server name is returned... > > #local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem > #} > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject > subject=/CN=imap.cydec.com > _______ > > This fails... > > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem > } > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject > # Empty, so no servername match > _______ > > Full openssl output shows no cert being returned... > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com > CONNECTED(00000004) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written 199 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : 0000 > Session-ID: > Session-ID-ctx: > Master-Key: > PSK identity: None > PSK identity hint: None > SRP username: None > Start Time: 1519576210 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > --- > > _______ > > Config seems correct, with local_name uncommented... > > dovecot -n > # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.16 (fed8554) > # OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10 > auth_debug = yes > auth_debug_passwords = yes > auth_verbose = yes > debug_log_path = /var/log/dovecot.log > disable_plaintext_auth = no > info_log_path = /var/log/dovecot.log > log_path = /var/log/dovecot.log > mail_debug = yes > mail_location = mbox:~/mail:INBOX=/var/mail/%u > namespace inbox { > inbox = yes > location > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix > } > passdb { > args = dovecot > driver = pam > } > protocols = " imap pop3" > service imap-login { > inet_listener imap { > port = 0 > } > inet_listener imaps { > port = 993 > ssl = yes > } > } > service pop3-login { > inet_listener pop3 { > port = 0 > } > inet_listener pop3s { > port = 995 > ssl = yes > } > } > userdb { > driver = passwd > } > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = # hidden, use -P to show it > }Be great if someone has suggestions of how to fix this. Thanks.
@lbutlr
2018-Mar-10 03:58 UTC
Unexpected config results with local_name + multiple SSL certs
On 2018-02-25 (09:31 MST), David Favor <david at davidfavor.com> wrote:> > } > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = # hidden, use -P to show it > }Doesn't this still require a default t(top level) cert besides the one specified for local_name? Also, is there any reason to use local_name if your local name matches your server? the point is to be able to provide a cert for example.org when your domain is example.com, right? -- Don't congratulate yourself too much, or berate yourself either. You choices are half chance; so are everybody else's.
Aki Tuomi
2018-Mar-10 05:37 UTC
Unexpected config results with local_name + multiple SSL certs
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
<br>
</div>
<blockquote type="cite">
<div>
On 10 March 2018 at 05:58 "@lbutlr" <
<a
href="mailto:kremels@kreme.com">kremels@kreme.com</a>>
wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
On 2018-02-25 (09:31 MST), David Favor <
<a
href="mailto:david@davidfavor.com">david@davidfavor.com</a>>
wrote:
</div>
<blockquote type="cite">
<div>
}
</div>
<div>
local_name imap.cydec.com {
</div>
<div>
ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem
</div>
<div>
ssl_key = # hidden, use -P to show it
</div>
<div>
}
</div>
</blockquote>
<div>
Doesn't this still require a default t(top level) cert besides the one
specified for local_name?
</div>
<div>
<br>
</div>
<div>
Also, is there any reason to use local_name if your local name matches your
server? the point is to be able to provide a cert for example.org when your
domain is example.com, right?
</div>
<div>
<br>
</div>
<div>
--
</div>
<div>
Don't congratulate yourself too much, or berate yourself either. You
</div>
<div>
choices are half chance; so are everybody else's.
</div>
<div>
<br>
</div>
</blockquote>
<div>
<br>
</div>
<div>
A default cert is always needed. If you have only one certificate don't
use local_name.
</div>
<div class="io-ox-signature">
---
<br>Aki Tuomi
</div>
</body>
</html>
Reasonably Related Threads
- Unexpected config results with local_name + multiple SSL certs
- Warning: Global setting won't change the setting inside an earlier filter
- SNI Dovecot
- How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
- How to make IMAPS SSL Cert for Dovecot that works with Thunderbird