Jason Pyeron wrote:

>> I'm getting endless complaints about my dovecot cert,
>
> Exact message please?

The certificate does not apply to the given host
The certificate is not signed by any trusted certificate authority

>> Do I really have to use a separate cert and key for dovecot?
>> Can I not use the "standard" cert in /etc/pki/tls/certs (and key)
>> from CACert.org ?
>
> Post the certificate only, not the private key.

I've looked at the cert and key and they look ok for what they are,
a self-signed certificate and key, as created (years ago)
following the instructions in the dovecot installation instructions.

I'm really just asking if I cannot just use what I take to be
the standard openssl certificate and key in /etc/pki/tls/
Do I really have to create a special cert for dovecot?

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
Timothy Murphy wrote:

> Jason Pyeron wrote:
>
>>> I'm getting endless complaints about my dovecot cert,
>>
>> Exact message please?
>
> The certificate does not apply to the given host

This one indicates, I believe, that when you created the certs, you didn't
use the hostname of the system that you're running now, or maybe that it
wants either the FQDN, or the shortname, and it's finding the opposite.

> The certificate is not signed by any trusted certificate authority
<snip>

This one will always be there, since you're not a root c/a.

mark
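The hostname mismatch mark describes can be checked mechanically. Below is an added example, not code from the thread or from the dovecot project: it pulls the DNS names out of a certificate with the openssl command-line tool and matches them against the name a client connects to the way a mail client does (subjectAltName entries first, the subject CN only when there is no SAN, one label per wildcard). The certificate it builds is throw-away test data with a deliberately short CN; the openssl binary and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: decide whether a certificate "applies
# to the given host", i.e. whether the name the client connects with appears in
# the certificate's subjectAltName DNS entries (or, when there is no SAN, in the
# subject CN). Assumes the openssl command-line tool; the certificate built by
# make_demo_cert is a throw-away one constructed for the demo.

# name_matches CONNECT_HOST CERT_NAME
# Case-insensitive comparison. A leading "*." in CERT_NAME matches exactly one
# DNS label, so "*.example.org" covers mail.example.org but not a.b.example.org
# or example.org itself.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        \*.*)
            suffix=${name#\*.}
            prefix=${host%".$suffix"}
            # a match needs a non-empty prefix that contains no further dot
            [ "$prefix" != "$host" ] && [ -n "$prefix" ] && \
                [ "${prefix#*.}" = "$prefix" ]
            ;;
        *)
            [ "$host" = "$name" ]
            ;;
    esac
}

# cert_dns_names CERT.pem
# Prints the names a client may match, one per line. If the certificate has a
# subjectAltName the CN is ignored, which is what modern clients do (RFC 6125).
cert_dns_names() {
    sans=$(openssl x509 -in "$1" -noout -text \
           | sed -n '/Subject Alternative Name/{n;p;}' \
           | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    fi
}

# cert_applies_to CERT.pem CONNECT_HOST -> exit 0 if any certificate name matches.
# The names are fed through a here-document so "*.example.org" is never globbed.
cert_applies_to() {
    names=$(cert_dns_names "$1")
    matched=1
    while read -r n; do
        name_matches "$2" "$n" && matched=0
    done <<EOF
$names
EOF
    return "$matched"
}

# make_demo_cert DIR: self-signed cert whose CN is the bare short name (a common
# mistake) while the SAN carries the FQDN and a wildcard. Constructed test data.
make_demo_cert() {
    cat >"$1/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = mail
[v3]
subjectAltName = DNS:mail.example.org, DNS:*.example.org
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_demo_cert "$tmp"
    for h in mail.example.org MAIL.example.org imap.example.org mail a.b.example.org; do
        if cert_applies_to "$tmp/cert.pem" "$h"; then
            echo "ok        $h"
        else
            echo "MISMATCH  $h  (clients connecting to this name will complain)"
        fi
    done
    rm -rf "$tmp"
fi
```

The CN=mail versus SAN=mail.example.org split is exactly the short-name versus FQDN case: a client configured with the bare short name gets the "does not apply to the given host" complaint even though the certificate is fine for the FQDN. For a live server, feed the function the certificate dovecot actually serves, e.g. the first certificate printed by openssl s_client -connect host:143 -starttls imap -showcerts.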
On 03/03/2015 08:12 AM, Timothy Murphy wrote:
> Jason Pyeron wrote:
>
>>> I'm getting endless complaints about my dovecot cert,
>> Exact message please?
> The certificate does not apply to the given host
> The certificate is not signed by any trusted certificate authority
>
>>> Do I really have to use a separate cert and key for dovecot?
>>> Can I not use the "standard" cert in /etc/pki/tls/certs (and key)
>>> from CACert.org ?
>> Post the certificate only, not the private key.
> I've looked at the cert and key and they look ok for what they are,
> a self-signed certificate and key, as created (years ago)
> following the instructions in the dovecot installation instructions.
>
> I'm really just asking if I cannot just use what I take to be
> the standard openssl certificate and key in /etc/pki/tls/
> Do I really have to create a special cert for dovecot?
>

There's not really a "standard" SSL certificate. Perhaps you're referring
to a "default" certificate used by the webserver?

What I typically do is get a real, but free, SSL certificate from some
place like StartSSL (www.startssl.com), and then copy the key and
certificate to the location that's specified for use by dovecot. That
way, both httpd and dovecot are using the same certificate (although it's
stored in 2 different locations).

The other thing to consider with dovecot (if you go with a third-party
certificate) is that you may need to append the intermediate certificate
to your server-specific certificate to properly establish the chain of
trust for clients attempting to verify it.

-Greg
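Greg's point about the intermediate certificate, as an added example that is not part of the thread or of the dovecot project: it builds a throw-away root -> intermediate -> server chain with openssl, then verifies the server certificate the way a client that trusts only the root would, first with the bare server certificate (fails) and then with the server certificate plus the appended intermediate (succeeds). The CA names and the one-day validity are constructed for the demo; the openssl binary and a POSIX sh are assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: what "append the intermediate
# certificate" means in practice. A client that trusts only the root CA
# cannot verify a server that presents just its own certificate; it needs
# the intermediate too, and dovecot serves whatever is in the ssl_cert
# file, so that file has to be server cert first, then intermediate(s).
# Assumes the openssl command-line tool. The root, intermediate and server
# certificates are throw-away ones constructed for the demo.

# build_demo_pki DIR: root CA -> intermediate CA -> server cert for
# mail.example.org, all valid for one day. Constructed test data.
build_demo_pki() {
    d=$1
    cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.org
EOF
    # root: self-signed
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -subj '/CN=Demo Root CA' -extensions ca_ext \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    # intermediate: CSR signed by the root
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions ca_ext \
        -out "$d/int.pem" >/dev/null 2>&1
    # server: CSR signed by the intermediate (what a public CA hands you)
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj '/CN=mail.example.org' \
        -keyout "$d/mail.key" -out "$d/mail.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/mail.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions server_ext \
        -out "$d/mail.pem" >/dev/null 2>&1
    # what dovecot should serve: server cert first, then the intermediate,
    # never the root (the client has to hold that one already)
    cat "$d/mail.pem" "$d/int.pem" >"$d/dovecot.pem"
}

# chain_verifies TRUST_ANCHORS.pem SERVED.pem
# Emulates a client that trusts only TRUST_ANCHORS: the first certificate in
# SERVED is the server certificate, everything after it is offered as
# untrusted chain material, exactly as it would be sent in the TLS handshake.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    build_demo_pki "$tmp"
    for served in mail.pem dovecot.pem; do
        if chain_verifies "$tmp/root.pem" "$tmp/$served"; then
            echo "$served: chain verifies against the root"
        else
            echo "$served: $(openssl verify -CAfile "$tmp/root.pem" "$tmp/$served" 2>&1 | tail -1)"
        fi
    done
    # Against a live server the same check is:
    #   openssl s_client -connect mail.example.org:143 -starttls imap -CAfile root.pem </dev/null
    # and "Verify return code: 0 (ok)" in its output means the chain is complete.
    rm -rf "$tmp"
fi
```

The order inside the served file matters: the server certificate has to come first because that is the one dovecot presents as its own; the intermediate follows it. The root is left out on purpose, since a client that does not already trust the root gains nothing from being handed it.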
> -----Original Message-----
> From: Timothy Murphy
> Sent: Tuesday, March 03, 2015 10:13
>
> Jason Pyeron wrote:
>
> >> I'm getting endless complaints about my dovecot cert,
> >
> > Exact message please?
>
> The certificate does not apply to the given host

So let's deal with this first. What is the hostname? What is the subject of
the certificate [hint, I asked for the cert to be posted last time]?

> The certificate is not signed by any trusted certificate authority

We will address this after we get more data on the problem.

> >> Do I really have to use a separate cert and key for dovecot?
> >> Can I not use the "standard" cert in /etc/pki/tls/certs (and key)
> >> from CACert.org ?
> >
> > Post the certificate only, not the private key.

Like this:

openssl x509 < /etc/pki/dovecot/certs/dovecot.pem

> I've looked at the cert and key and they look ok for what they are,
> a self-signed certificate and key, as created (years ago)
> following the instructions in the dovecot installation instructions.
>
> I'm really just asking if I cannot just use what I take to be
> the standard openssl certificate and key in /etc/pki/tls/
> Do I really have to create a special cert for dovecot?

It depends on what you mean by special and whether it was done properly the
first time.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                  PD Inc. http://www.pdinc.us     -
- Principal Consultant          10 West 24th Street #100        -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218       -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
Jason Pyeron wrote:

>> I'm really just asking if I cannot just use what I take to be
>> the standard openssl certificate and key in /etc/pki/tls/
>> Do I really have to create a special cert for dovecot?
>
> It depends on what you mean by special and whether it was done properly
> the first time.

The cert and key in /etc/pki/tls seem to work perfectly well.
My impression is that this is the standard place for CentOS and Fedora certs.
IIRC, installation guides for both suggest this for certs and keys.
Most Fedora applications that require authentication also seem to refer to
this folder.

My question is simply: Does one require a separate cert for dovecot?

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
Greg Bailey wrote:

>> I'm really just asking if I cannot just use what I take to be
>> the standard openssl certificate and key in /etc/pki/tls/
>> Do I really have to create a special cert for dovecot?
>
> There's not really a "standard" SSL certificate. Perhaps you're
> referring to a "default" certificate used by the webserver?

No. I should have said "standard location".
I think both Fedora and CentOS create the folders /etc/pki/tls/{certs,private},
so I assume this means that certs and keys should be stored there.

> What I typically do is get a real, but free, SSL certificate from some
> place like StartSSL (www.startssl.com), and then copy the key and
> certificate to the location that's specified for use by dovecot.

My question exactly - is there any reason why one should not do that?
Or even more simply, give the locations /etc/pki/tls/{certs,private}
in /etc/dovecot/conf.d/10-ssl.conf ?

-- 
Timothy Murphy
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin
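On pointing 10-ssl.conf at /etc/pki/tls/{certs,private}: dovecot's ssl_cert and ssl_key settings are plain file paths, so nothing requires a separate file for dovecot, only that the two settings name a matching certificate/key pair that dovecot can read. The following is an added example, not from the thread or from the dovecot project, of the 10-ssl.conf fragment and a pre-flight check that the key belongs to the certificate, that the key is not group/world readable and that the certificate has not expired. The /etc/pki/tls file names are hypothetical and the demo writes its fragment into a temporary directory rather than /etc; the openssl binary, a POSIX sh and dovecot 2.x configuration syntax are assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: wiring dovecot to the certificate and
# key kept under /etc/pki/tls, with the pre-flight checks that catch a pair
# that was "not done properly the first time". Assumes the openssl tool and
# dovecot 2.x config syntax; the file names under /etc/pki/tls are hypothetical.
# The demo writes its config fragment to a temporary directory, not to /etc.

# key_matches_cert CERT.pem KEY.pem -> 0 if KEY is the private half of CERT's
# public key. Compares the SubjectPublicKeyInfo derived from each side.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY -> 0 if group/other have no permission bits. dovecot reads
# ssl_key as root before dropping privileges, so 0600 root:root is enough.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$((mode % 100))" -eq 0 ]
}

# write_ssl_conf OUT CERT KEY: the fragment for /etc/dovecot/conf.d/10-ssl.conf.
# Dovecot's "<" prefix means "read this file"; the cert file may carry the
# server certificate followed by any intermediates.
write_ssl_conf() {
    cat >"$1" <<EOF
ssl = required
ssl_cert = <$2
ssl_key = <$3
EOF
}

# preflight CERT KEY OUT: run the checks, then write the fragment; returns 0
# only when everything passed, so a broken pair never reaches the config.
preflight() {
    status=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; status=1; }
    key_is_private "$2" || { echo "FAIL: $2 is readable by group/other"; status=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: $1 has expired"; status=1; }
    [ "$status" -eq 0 ] && write_ssl_conf "$3" "$1" "$2"
    return "$status"
}

# make_demo_pair DIR: throw-away self-signed cert + key, constructed test data.
make_demo_pair() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = mail.example.org\n' >"$1/min.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/min.cnf" \
        -keyout "$1/mail.key" -out "$1/mail.pem" >/dev/null 2>&1
    chmod 600 "$1/mail.key"
}

if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_demo_pair "$tmp"
    # stand-ins for /etc/pki/tls/certs/mail.pem and /etc/pki/tls/private/mail.key
    if preflight "$tmp/mail.pem" "$tmp/mail.key" "$tmp/10-ssl.conf"; then
        echo "fragment for conf.d/10-ssl.conf:"
        cat "$tmp/10-ssl.conf"
    fi
    # once installed for real, "doveconf -n ssl_cert ssl_key" shows what dovecot loaded
    rm -rf "$tmp"
fi
```

Sharing one pair between httpd and dovecot, as Greg does, passes these checks as long as the copy under /etc/pki/tls/private keeps its 0600 mode; the usual way to fail them is a certificate that was re-issued while the old key stayed in place, which the key_matches_cert comparison catches before dovecot is restarted.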