On 2022-11-09 16:59, Alexander Dalloz wrote:
> On 09.11.2022 at 15:58, Ruben Safir wrote:
>> Hello
>>
>> I am getting this error and I have no idea why. openssh is up to date
>
> You have a self-signed certificate in place. The connecting client
> cannot validate whether to trust the answering server.
>
> Alexander

Try to run the following against the client certificate full chain and cert file:-

openssl verify -CAfile fullchain.pem cert.pem

if it did throw an error then try verifying with an updated CA certificates bundle directly from OS using the following which works with me in RHEL7:-

yum reinstall ca-certificates
update-ca-trust

Or if already installed.

update-ca-trust

Given you are using a self signed certificate, I guess, you will have to append manually the CA certificate, which you've used to sign the self signed client certificate in CA bundle PEM file i.e. tls-ca-bundle.pem. Also, you will have to reference the CA file in dovecot using the following:-

ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes

Good luck.

Zakaria.
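The trust behaviour discussed in the message above, as an added example that is not from any poster in this thread: a self-signed certificate fails `openssl verify` against a CA bundle that does not contain it, and passes once it is appended to that bundle. All file names and subjects here are constructed for the demo, and the bundle is a throwaway file, not the system tls-ca-bundle.pem.

```shell
#!/bin/sh
# Constructed demo: every name, path and subject below is made up.

# make_selfsigned DIR NAME CN: write DIR/NAME.key and DIR/NAME.pem (self-signed).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# chain_ok BUNDLE CERT: succeeds only if CERT chains to a trust anchor in BUNDLE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# trust_demo: prints "before=<state> after=<state>" for the mail certificate,
# checked before and after it is appended to the throwaway bundle.
trust_demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir" other "Unrelated Test CA" || return 1
    make_selfsigned "$dir" mail "mail.example.test" || return 1

    # The bundle starts with an unrelated anchor only.
    cp "$dir/other.pem" "$dir/bundle.pem"
    if chain_ok "$dir/bundle.pem" "$dir/mail.pem"; then
        before=trusted
    else
        before=untrusted
    fi

    # Appending the self-signed certificate makes it its own trust anchor.
    cat "$dir/mail.pem" >> "$dir/bundle.pem"
    if chain_ok "$dir/bundle.pem" "$dir/mail.pem"; then
        after=trusted
    else
        after=untrusted
    fi

    rm -rf "$dir"
    echo "before=$before after=$after"
}

trust_demo
```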
On 09.11.2022 at 18:30, hi at zakaria.website wrote:
> On 2022-11-09 16:59, Alexander Dalloz wrote:
>> On 09.11.2022 at 15:58, Ruben Safir wrote:
>>> Hello
>>>
>>> I am getting this error and I have no idea why. openssh is up to date
>>
>> You have a self-signed certificate in place. The connecting client
>> cannot validate whether to trust the answering server.
>>
>> Alexander
>
> Try to run the following against the client certificate full chain and
> cert file:-
>
> openssl verify -CAfile fullchain.pem cert.pem
>
> if it did throw an error then try verifying with an updated CA
> certificates bundle directly from OS using the following which works
> with me in RHEL7:-
>
> yum reinstall ca-certificates
> update-ca-trust
>
> Or if already installed.
>
> update-ca-trust
>
> Given you are using a self signed certificate, I guess, you will have to
> append manually the CA certificate, which you've used to sign the self
> signed client certificate in CA bundle PEM file i.e. tls-ca-bundle.pem.
> Also, you will have to reference the CA file in dovecot using the
> following:-
>
> ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> ssl_verify_client_cert = yes
>
> Good luck.
>
> Zakaria.

That's pointless as the certificate hasn't been issued by Let's Encrypt.

Alexander