David Favor
2018-Feb-25 16:31 UTC
Unexpected config results with local_name + multiple SSL certs
Working with SSL on fresh install of latest Ubuntu Artful + Dovecot seems broken somehow. Application is Dovecot listening for many SSL sites... Likely I've missed adding something simple to the config, related to local_name usage. Be great if someone can point out what I've missed, to setup multiple SSL certs for different host.domain entries in config. Thanks. _______ This works as expected... where the SNI server name is returned... #local_name imap.cydec.com { ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem #} service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject subject=/CN=imap.cydec.com _______ This fails... local_name imap.cydec.com { ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem } service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject # Empty, so no servername match _______ Full openssl output shows no cert being returned... service dovecot restart && echo QUIT | openssl s_client -connect imap.cydec.com:993 -servername imap.cydec.com CONNECTED(00000004) write:errno=104 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 199 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1519576210 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- _______ Config seems correct, with local_name uncommented... dovecot -n # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf # Pigeonhole version 0.4.16 (fed8554) # OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10 auth_debug = yes auth_debug_passwords = yes auth_verbose = yes debug_log_path = /var/log/dovecot.log disable_plaintext_auth = no info_log_path = /var/log/dovecot.log log_path = /var/log/dovecot.log mail_debug = yes mail_location = mbox:~/mail:INBOX=/var/mail/%u namespace inbox { inbox = yes location mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix } passdb { args = dovecot driver = pam } protocols = " imap pop3" service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } } userdb { driver = passwd } local_name imap.cydec.com { ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem ssl_key = # hidden, use -P to show it }
David Favor
2018-Mar-09 21:47 UTC
Unexpected config results with local_name + multiple SSL certs
David Favor wrote:> Working with SSL on fresh install of latest Ubuntu Artful + Dovecot > seems broken somehow. > > Application is Dovecot listening for many SSL sites... > > Likely I've missed adding something simple to the config, related > to local_name usage. > > Be great if someone can point out what I've missed, to setup > multiple SSL certs for different host.domain entries in config. > > Thanks. > _______ > > This works as expected... where the SNI server name is returned... > > #local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem > #} > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject > subject=/CN=imap.cydec.com > _______ > > This fails... > > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = </etc/letsencrypt/live/imap.cydec.com/privkey.pem > } > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com 2>&1 | egrep ^subject > # Empty, so no servername match > _______ > > Full openssl output shows no cert being returned... > > service dovecot restart && echo QUIT | openssl s_client -connect > imap.cydec.com:993 -servername imap.cydec.com > CONNECTED(00000004) > write:errno=104 > --- > no peer certificate available > --- > No client certificate CA names sent > --- > SSL handshake has read 0 bytes and written 199 bytes > Verification: OK > --- > New, (NONE), Cipher is (NONE) > Secure Renegotiation IS NOT supported > Compression: NONE > Expansion: NONE > No ALPN negotiated > SSL-Session: > Protocol : TLSv1.2 > Cipher : 0000 > Session-ID: > Session-ID-ctx: > Master-Key: > PSK identity: None > PSK identity hint: None > SRP username: None > Start Time: 1519576210 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > --- > > _______ > > Config seems correct, with local_name uncommented... > > dovecot -n > # 2.2.27 (c0f36b0): /etc/dovecot/dovecot.conf > # Pigeonhole version 0.4.16 (fed8554) > # OS: Linux 4.13.0-36-generic x86_64 Ubuntu 17.10 > auth_debug = yes > auth_debug_passwords = yes > auth_verbose = yes > debug_log_path = /var/log/dovecot.log > disable_plaintext_auth = no > info_log_path = /var/log/dovecot.log > log_path = /var/log/dovecot.log > mail_debug = yes > mail_location = mbox:~/mail:INBOX=/var/mail/%u > namespace inbox { > inbox = yes > location > mailbox Drafts { > special_use = \Drafts > } > mailbox Junk { > special_use = \Junk > } > mailbox Sent { > special_use = \Sent > } > mailbox "Sent Messages" { > special_use = \Sent > } > mailbox Trash { > special_use = \Trash > } > prefix > } > passdb { > args = dovecot > driver = pam > } > protocols = " imap pop3" > service imap-login { > inet_listener imap { > port = 0 > } > inet_listener imaps { > port = 993 > ssl = yes > } > } > service pop3-login { > inet_listener pop3 { > port = 0 > } > inet_listener pop3s { > port = 995 > ssl = yes > } > } > userdb { > driver = passwd > } > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = # hidden, use -P to show it > }Be great if someone has suggestions of how to fix this. Thanks.
@lbutlr
2018-Mar-10 03:58 UTC
Unexpected config results with local_name + multiple SSL certs
On 2018-02-25 (09:31 MST), David Favor <david at davidfavor.com> wrote:> > } > local_name imap.cydec.com { > ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem > ssl_key = # hidden, use -P to show it > }Doesn't this still require a default t(top level) cert besides the one specified for local_name? Also, is there any reason to use local_name if your local name matches your server? the point is to be able to provide a cert for example.org when your domain is example.com, right? -- Don't congratulate yourself too much, or berate yourself either. You choices are half chance; so are everybody else's.
Aki Tuomi
2018-Mar-10 05:37 UTC
Unexpected config results with local_name + multiple SSL certs
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 10 March 2018 at 05:58 "@lbutlr" < <a href="mailto:kremels@kreme.com">kremels@kreme.com</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> On 2018-02-25 (09:31 MST), David Favor < <a href="mailto:david@davidfavor.com">david@davidfavor.com</a>> wrote: </div> <blockquote type="cite"> <div> } </div> <div> local_name imap.cydec.com { </div> <div> ssl_cert = </etc/letsencrypt/live/imap.cydec.com/fullchain.pem </div> <div> ssl_key = # hidden, use -P to show it </div> <div> } </div> </blockquote> <div> Doesn't this still require a default t(top level) cert besides the one specified for local_name? </div> <div> <br> </div> <div> Also, is there any reason to use local_name if your local name matches your server? the point is to be able to provide a cert for example.org when your domain is example.com, right? </div> <div> <br> </div> <div> -- </div> <div> Don't congratulate yourself too much, or berate yourself either. You </div> <div> choices are half chance; so are everybody else's. </div> <div> <br> </div> </blockquote> <div> <br> </div> <div> A default cert is always needed. If you have only one certificate don't use local_name. </div> <div class="io-ox-signature"> --- <br>Aki Tuomi </div> </body> </html>
Apparently Analagous Threads
- Unexpected config results with local_name + multiple SSL certs
- Warning: Global setting won't change the setting inside an earlier filter
- SNI Dovecot
- How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
- How to make IMAPS SSL Cert for Dovecot that works with Thunderbird