M. Fioretti
2006-Jun-13  19:11 UTC
[Dovecot] Server CommonName mismatch: localhost.localdomain
Hello,

I have seen via google that this very problem was already discussed on this and other lists some months ago, but the archives report no solution.

I have dovecot 1.0-0_12.beta8 on Centos 4.3. IMAP works just fine: I can read email from both Squirrelmail via web and Kmail. Now I have created an ssl certificate and I'm trying to use it via pop3. When I launch fetchmail I get the error below. Is it caused by dovecot? If not, where is the problem, on the server or here in my home PC?

TIA,
Marco

marco@polaris:~> fetchmail -vv
fetchmail: 6.3.2 querying my.vps.fqdn.name (protocol POP3) at Tue 13 Jun 2006 05:22:50 PM CEST:
+poll started
fetchmail: Issuer Organization: SomeOrganization
fetchmail: Issuer CommonName: localhost.localdomain
fetchmail: Server CommonName: localhost.localdomain
fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name
fetchmail: my.vps.fqdn.name key fingerprint: 20:93:B4:D8:CB:75:AD:72:F6:00:A8:DC:CE:F2:53:6E
fetchmail: my.vps.fqdn.name fingerprints do not match!
23942:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
+failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from remoteuser@my.vps.fqdn.name

--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/

Only boring people ever get bored
Anonymous

M. Fioretti
2006-Jun-13  21:51 UTC
[Dovecot] Solution (with new problem) of: Server CommonName mismatch: localhost.localdomain
On Tue, Jun 13, 2006 18:15:03 PM +0200, io (mfioretti@mclink.it) wrote:

> Hello,
>
> I have seen via google that this very problem was already discussed
> on this and other lists some months ago, but the archives report no
> solution.

Summary: one tries to talk with Dovecot via ssl and gets:

> fetchmail: Issuer CommonName: localhost.localdomain
> fetchmail: Server CommonName: localhost.localdomain
> fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name

Solution: this is what happens when one forgets to point to the right ssl files in dovecot.conf and leaves the default (example-only) values:

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

However, now I have another problem, and cannot figure out if it's dovecot related, some general ssl bug or an error (but which one) from me:

I have a remote server running centos 4.3 and a home desktop running suse 10.1. I have generated an SSL certificate on the server, copied it on the desktop and run on the desktop:

>openssl x509 -in mynewcertCert.pem -fingerprint -subject -issuer -serial -hash -noout
>c_rehash .

getting this warning:

>
> Doing .
> WARNING: mynewcertPrivateKey.pem does not contain a certificate or CRL: skipping
> mynewcertCert.pem => 2764d17c.0

Now I have noted two things:

1) the fingerprint generated from the openssl command above is different when I run it on centos or on suse 10.1. Why?

2) if I run fetchmail here with these options:

I get:

fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006 07:22:34 PM CEST: poll started
fetchmail: Issuer Organization: My organization
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server key fingerprint: the one obtained running openssl on the server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from m-mail@fm.vm.bytemark.co.uk

What is the "local issuer" problem? What am I missing? Is it a consequence of problem 1) ? What is happening, and what must I do to use this certificate? Is it a dovecot only problem?

TIA,
Marco

--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/

I don't even have an email address. I have reached an age where my main purpose is not to receive messages.
U. Eco, quoted in the New Yorker

--
Marco Fioretti mfioretti, at the server mclink.it
Fedora Core 3 for low memory http://www.rule-project.org/

Be the change you want to see in the world - Gandhi
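
A triage of the two fetchmail -vv runs quoted in this thread, as an added example that is not part of the original posts: it maps the output lines to the separate failures they report, so a name mismatch is not confused with a trust-chain error. The sample text is constructed from the quoted lines; the finding names and the placeholder-CN list are assumptions of this example.

```python
import re

# Constructed samples, modelled on the fetchmail -vv lines quoted in the thread.
RUN_DEFAULT_CERT = """\
fetchmail: Issuer CommonName: localhost.localdomain
fetchmail: Server CommonName: localhost.localdomain
fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name
fetchmail: my.vps.fqdn.name fingerprints do not match!
"""
RUN_UNTRUSTED_ISSUER = """\
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
"""

# Assumption: names that an example-only certificate typically carries.
PLACEHOLDER_CNS = {"localhost", "localhost.localdomain"}

def field(name, text):
    """Value of the first 'fetchmail: <name>: <value>' line, or None."""
    m = re.search(r"^fetchmail: %s: (.+)$" % re.escape(name), text, re.M)
    return m.group(1).strip() if m else None

def triage(text):
    """Map one fetchmail -vv run to a sorted list of finding codes."""
    findings = set()
    issuer_cn = field("Issuer CommonName", text)
    server_cn = field("Server CommonName", text)
    mismatch = field("Server CommonName mismatch", text)
    if mismatch:
        presented = mismatch.split(" != ")[0]
        findings.add("cn-mismatch")
        if presented in PLACEHOLDER_CNS:
            # The thread's diagnosis: dovecot.conf still points at the example files.
            findings.add("default-cert-served")
    if server_cn and server_cn == issuer_cn:
        # Same CN on both sides is consistent with a self-signed certificate.
        findings.add("issuer-equals-subject")
    if "fingerprints do not match" in text:
        findings.add("fingerprint-mismatch")
    if "unable to get local issuer certificate" in text:
        # OpenSSL could not find the issuer's certificate among the client's trusted CAs.
        findings.add("issuer-not-in-client-trust-store")
    return sorted(findings)

if __name__ == "__main__":
    for label, run in (("first run", RUN_DEFAULT_CERT), ("second run", RUN_UNTRUSTED_ISSUER)):
        print(label, triage(run))
```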