Hello,

I'm using dovecot 2.2.13 on Debian stable.
My users are authenticated through PAM, and stored in an LDAP backend.
I'm trying to set up replication with ssl, following (mainly) this: http://wiki2.dovecot.org/Replication

1) I only diverted from the instructed setup by not setting "doveadm_port = 12345", as it would give me errors like the following:
> Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't support crentials lookups (to see if user is proxied, because doveadm_port is set)
but rather specifying the port in the mail_replica setting: "mail_replica = tcps:my.domain.com:1465"
(following a mail from here: http://www.dovecot.org/list/dovecot/2016-September/105356.html)
So far, this seems to be working for me.

2) However, I'm having ssl problems. I have a Let's Encrypt certificate, and have concatenated the CA cert and my server cert in a fullchain.pem.
Excerpt from my ssl config:
> ssl = yes
> ssl_cert = </etc/letsencrypt/live/my.domain.com/fullchain.pem
> ssl_key = </etc/letsencrypt/live/my.domain.comi/privkey.pem

doveadm returns these errors (sudo -u dovecot doveadm -v sync -u user tcps:my.domain.com:12345):
> doveadm(casoli): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
> doveadm(casoli): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
> doveadm(casoli): Fatal: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com

Which I can reproduce with openssl (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:12345):
> (...)
> Verify return code: 21 (unable to verify the first certificate)
Indeed, in this case, dovecot only returns the local part of the certificate (my.domain.com), and not the full chain (with the intermediate CA).

While testing regular IMAPS with openssl is ok (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
> (...)
> Verify return code: 0 (ok)
And I can see the full chain.

So, it seems to me that doveadm is somehow wrongly serving my certificate, truncating it, but I can't see why, or whether this is a misconfiguration on my part.
I can post more config files or message outputs if needed; I kept them redacted here for the sake of brevity.

Regards,
N
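An added, offline-testable helper (not from the thread, and not Dovecot's own tooling) for the comparison the post makes by hand: it counts how many certificates an "openssl s_client -showcerts" transcript contains and extracts the verify return code, so the port-12345 and port-993 results can be compared mechanically. The sample transcripts are constructed, and capture_chain is a hypothetical wrapper around the same s_client invocation the post uses.

```shell
#!/bin/sh
# Reads an "openssl s_client -showcerts" transcript on stdin and reports how
# many certificates the server sent and which verify code OpenSSL gave.

# Hypothetical wrapper around the s_client call from the post (needs network).
capture_chain() {
    openssl s_client -showcerts -CApath /etc/ssl/certs \
        -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}
# Number of PEM certificates the server presented (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}
# Numeric "Verify return code" (21 = unable to verify the first certificate).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}
# Verdict: a lone leaf plus code 21 is the "intermediate not served" case the
# post hits on port 12345; code 0 is the healthy port-993 case.
chain_verdict() {
    data=$(cat)
    n=$(printf '%s\n' "$data" | count_certs)
    code=$(printf '%s\n' "$data" | verify_code)
    if [ "$code" = "0" ]; then
        echo "ok: $n certificate(s) presented, chain verified"
    elif [ "$n" -le 1 ] && [ "$code" = "21" ]; then
        echo "missing-intermediate: only the leaf was served (verify code $code)"
    else
        echo "failed: $n certificate(s) presented, verify code ${code:-unknown}"
    fi
}

# Constructed sample transcripts (certificate bodies are placeholders, not real PEM).
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...constructed-leaf...
-----END CERTIFICATE-----
    Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_FULL_CHAIN='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...constructed-leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE...constructed-intermediate...
-----END CERTIFICATE-----
    Verify return code: 0 (ok)'
```

Against a live host the pipeline is "capture_chain my.domain.com 12345 | chain_verdict", then the same with port 993; for the offline samples, "printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_verdict" reports the missing-intermediate case.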
Have you specified the path to ca-certificates?
On Debian it's normally something like that:

#10-ssl.conf
ssl_client_ca_dir = /etc/ssl/certs

see http://wiki.dovecot.org/Replication#SSL

On 10.11.2016 at 16:09, nerbrume at free.fr wrote:
----- Original Message -----
> From: "Tobi" <tobster at brain-force.ch>
> To: dovecot at dovecot.org
> Sent: Thursday, 10 November 2016 16:35:56
> Subject: Re: service doveadm : ssl problems
>
> Have you specified the path to ca-certificates?
> On Debian it's normally something like that
>
> #10-ssl.conf
> ssl_client_ca_dir = /etc/ssl/certs

Yup, I did exactly that, sorry I forgot to include that part in the excerpt from my ssl config.
However, as far as I understood, this is of no impact when I test with openssl, right?
(For the record, I also tried to manually add the intermediate CA (Let's Encrypt Authority X3) in the /etc/ssl/certs dir, without any luck.)

N.

> see http://wiki.dovecot.org/Replication#SSL