Hello,

I've a not really dovecot specific problem with my certificate. Since
the OpenSSL documentation isn't what I expect to be at least good, I
hope someone here can give me a hint how/where to fix it; I've created a
root-Certificate with almost untouched openssl.cnf and issued a
server-certificate for dovecot. This cert and its key I placed in
somewhat like /var/dovecot. To state explicitly, away from its superior
root-cert.

So, a:

openssl s_client -connect server.tektoform.lan:993 -showcerts

ends up in:

unable to get local issuer certificate.

Although connections from clients are working, I prefer to set it up
cleanly. Does openssl-clientlib look up for openssl.cnf, where the
place of root-CA-cert is denoted, or do I have to put all cert together
in a single directory, or, or, or ...?

Or to be more verbose for "openssl s_client":

CONNECTED(00000003)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster at tektoform.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster at tektoform.lan
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/O=d-dt/OU=lan/CN=server.tektoform.lan/emailAddress=hostmaster at tektoform.lan
verify error:num=21:unable to verify the first certificate
verify return:1
---

Thanks for your comments.

A
--
Adam Pordzik wrote:
> Hello,
>
> I've a not really dovecot specific problem with my certificate. Since
> the OpenSSL documentation isn't what I expect to be at least good, I
> hope someone here can give me a hint how/where to fix it; I've created a
> root-Certificate with almost untouched openssl.cnf and issued a
> server-certificate for dovecot. This cert and its key I placed in
> somewhat like /var/dovecot. To state explicitly, away from its superior
> root-cert.
>
> So, a:
>
> openssl s_client -connect server.tektoform.lan:993 -showcerts
>
> ends up in:
>
> unable to get local issuer certificate.
>
> Although connections from clients are working, I prefer to set it up
> cleanly. Does openssl-clientlib look up for openssl.cnf, where the
> place of root-CA-cert is denoted, or do I have to put all cert together
> in a single directory, or, or, or ...?
>

If you have clients using OpenSSL, libssl will look for root
certificates by looking for a file named <hash>.0 in the certs directory
(/etc/ssl/certs on Debian), where <hash> is the string you get if you
pass the certificate to "openssl x509 -hash" (see x509(1ssl)).
Typically, you create a symlink by that name to the more readably-named
certificate file.

I hope that helps!

--
Magnus Holmgren
Linköping, Sweden
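
The hashed-symlink lookup described in the reply above, as an added shell example that is not part of the original thread. The function names, file names and certificate subjects are constructed for the demonstration; the demo CA relies on the stock openssl.cnf marking `req -x509` certificates as CA certificates.

```shell
#!/bin/sh
# Added example (not from the thread). File names, subject names and the
# function names below are constructed for this demonstration.

# make_demo_pki DIR: throwaway root CA plus one server certificate it signs.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.lan" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null
}

# link_ca CERT CAPATH: symlink CERT into CAPATH as <hash>.N and print the
# link name. N starts at 0 and is bumped only if a different certificate
# with the same subject hash already occupies that slot.
link_ca() {
    cert=$1 capath=$2
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 1
    n=0
    while [ -e "$capath/$hash.$n" ]; do
        if cmp -s "$capath/$hash.$n" "$cert"; then
            echo "$hash.$n"   # this CA is already linked
            return 0
        fi
        n=$((n + 1))
    done
    abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
    ln -s "$abs" "$capath/$hash.$n" && echo "$hash.$n"
}

# verify_with_capath CAPATH CERT: succeed only if CERT chains to a root
# found through the hashed links in CAPATH.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# demo: verification fails while certs/ is empty, passes once the root is linked.
demo() {
    t=$(mktemp -d) && mkdir "$t/certs" && make_demo_pki "$t" || return 1
    verify_with_capath "$t/certs" "$t/srv.pem" && return 1
    link_ca "$t/ca.pem" "$t/certs" >/dev/null || return 1
    verify_with_capath "$t/certs" "$t/srv.pem"; rc=$?; rm -rf "$t"; return $rc
}
```

For a whole directory of CA files, `openssl rehash` (or the older `c_rehash` script) creates the same links in one pass. `openssl s_client` accepts the same directory through `-CApath`.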