Dovecot v2.2.18 OS: FreeBSD 10.1/amd64 Dovecot in proxy mode ignores the root certificate store and can't verify the backend's SSL certificate. I've pointed ssl_client_ca_file to my root certificate store, but I suspect ssl_client_ca_file is only used in imapc context. It seems to be ignored in proxy context. doveconf -n ssl_client_ca_file: ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt In my password_query I return host set to the backend's IP address, starttls='yes', proxy='y'. The backend's certificate chain is correct and it verifies successfully with "openssl s_client -connect x.x.x.x:110 -starttls pop3 -CAfile /usr/local/share/certs/ca-root-nss.crt". But the Dovecot proxy fails to verify the intermediate certificate it receives from the backend. The inode atime of ca-root-nss.crt is never updated, either at Dovecot start or when it connects to the backend, so Dovecot (via the openssl library) never reads the file. Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4 Sep 20 19:59:48 dovecot: pop3-login: Invalid certificate: certificate not trusted: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4 Sep 20 19:59:48 dovecot: pop3-login: Error: proxy: Received invalid SSL certificate from x.x.x.x:110: unable to get local issuer certificate: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4: user=<xxx>, method=PLAIN, rip=x.x.x.x, lip=x.x.x.x, session=<lz9YjzYgIADYyWAp>
On Monday 21 September 2015 01:53:53 Alex Bulan wrote:> Dovecot v2.2.18 > OS: FreeBSD 10.1/amd64 > > Dovecot in proxy mode ignores the root certificate store and can't verify > the backend's SSL certificate. > > I've pointed ssl_client_ca_file to my root certificate store, but I > suspect ssl_client_ca_file is only used in imapc context. It seems to be > ignored in proxy context. > > doveconf -n ssl_client_ca_file: > ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crtI think the correct syntax is : ssl_ca = < /etc/ssl/certs/cacert.pem For all kind of ssl_xyz files Mihai Badici[1] -------- [1] http://mihai.badici.ro
Christian Kivalo
2015-Sep-21 07:09 UTC
Dovecot proxy ignores trusted root certificate store
Hi> I've pointed ssl_client_ca_file to my root certificate store, but I > suspect ssl_client_ca_file is only used in imapc context. It seems to > be ignored in proxy context. > > doveconf -n ssl_client_ca_file: > ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crtYou are missing the "<" before the file path Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt See http://wiki2.dovecot.org/SSL/DovecotConfiguration Regards Christian
The result is the same with or without "<" before the file path. With "<" the inode atime is updated at Dovecot startup, so the file is at least opened, but Dovecot still can't verify the cert. The only place in the Wiki that shows an example of ssl_client_ca_file is on this page, and there's no "<" in front of the file path: http://wiki2.dovecot.org/Replication (quote) The client must be able to verify that the SSL certificate is valid, so you need to specify the directory containing valid SSL CA roots: ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat (end quote) On Mon, 21 Sep 2015, Christian Kivalo wrote:> Hi > >> I've pointed ssl_client_ca_file to my root certificate store, but I >> suspect ssl_client_ca_file is only used in imapc context. It seems to >> be ignored in proxy context. >> >> doveconf -n ssl_client_ca_file: >> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt > > You are missing the "<" before the file path > > Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt > > See http://wiki2.dovecot.org/SSL/DovecotConfiguration > > Regards > Christian >
Maybe Matching Threads
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- Dovecot proxy ignores trusted root certificate store
- dovecot as proxy and verification of the backends certificate