dovecot - Dec 2008 - SSL cert problems.

I'm really racking my brain trying to figure this one out here. I am
running a pop3 server for remote offices on CentOS 5.2.  We purchased a
SSL cert from Verisign and installed it on our dovecot server, but I
continue to get failure problems with the cert and I don't know where to
go from here.

here is some info about our config:

dovecot version:  
# dovecot --version
1.0.7

hostname: pop.x10.com

dovecot.conf:
# dovecot -n
# 1.0.7: /etc/dovecot.conf
base_dir: /var/run/dovecot/
log_path: /var/log/dovecot.log
protocols: pop3 pop3s
ssl_ca_file: /etc/pki/verisign/intermediate_ca.cer
ssl_cert_file: /etc/pki/dovecot/certs/pop.x10.com.cer
ssl_key_file: /etc/pki/dovecot/private/pop.x10.com.key
ssl_cipher_list: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
verbose_ssl: yes
login_dir: /var/run/dovecot//login
login_executable: /usr/libexec/dovecot/pop3-login
mail_executable: /usr/libexec/dovecot/pop3
mail_plugin_dir: /usr/lib/dovecot/pop3
pop3_client_workarounds: outlook-no-nuls
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd



and last but not least, here is my test from openssl.  Mind you this
fails as a "BAD" ssl cert in Evolution.  

:~$ openssl s_client -ssl2 -connect pop.x10.com:995
CONNECTED(00000003)
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
(c)05/CN=pop.x10.com
verify error:num=21:unable to verify the first certificate
verify return:1
21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher
list:s2_clnt.c:450:


As you can see, the certificate clearly fails.  I don't know how to make
this work at this point.  Any thoughts or advice would be greatly
appreciated.

-G

Geoff Sweet wrote:
> and last but not least, here is my test from openssl.  Mind you this
> fails as a "BAD" ssl cert in Evolution.  
> 
> :~$ openssl s_client -ssl2 -connect pop.x10.com:995
Try -ssl3 here; you'll see more.
> CONNECTED(00000003)
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology,
> Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa
> (c)05/CN=pop.x10.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 21568:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher
> list:s2_clnt.c:450:
> 
> As you can see, the certificate clearly fails.  I don't know how to
make
> this work at this point.  Any thoughts or advice would be greatly
> appreciated.
The cert fails because s_client(1) cannot find the root CA's you've
chosen
to trust.  The same test will fail even with gmail's IMAP and POP3
servers.  See the s_client(1) man page for the CApath and CAfile flags.

-- 
Sahil Tandon <sahil at tandon.net>