Hi all,
I'm testing the SNI configuration from dovecot's wiki page, to have
multiple domains.
I'm using letsencrypt certificates.
On the 10-ssl.conf, when I only use one domain, like this, it works:
ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
I got a warning of course when using my second domain, mydomain2.fr.
If I do the config:
local_name mail.mydomain.fr {
ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
}
local_name mail.mydomain2.fr {
ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem
ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem
}
I got this on dovecot's start:
dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs
dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY
It's working without local_name, so why can it be a certificate issue?
Any idea?
I'm using dovecot 2.2.27-3+deb9u2 from Debian.
Thanks,
Nicolas
You need to provide a global certificate as well.
---
Aki Tuomi
Dovecot Oy
-------- Original message --------
From: Nicolas <nicolas at shivaserv.fr>
Date: 29/08/2018 17:41 (GMT+02:00)
To: dovecot at dovecot.org
Subject: SNI Dovecot
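Added example, not from the thread or from Dovecot: a small Python lint that parses a 10-ssl.conf fragment and flags the layout in Nicolas's config, local_name blocks with no global ssl_cert/ssl_key. The sample configs are constructed from the paths in this thread, and the parser only understands flat settings plus one level of local_name blocks.

```python
import re
# Constructed sample mirroring the failing config in this thread: per-domain
# local_name blocks and nothing at the global level for clients that send no SNI.
FAILING_CONF = """\
local_name mail.mydomain.fr {
  ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
  ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
}
local_name mail.mydomain2.fr {
  ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem
  ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem
}
"""
# Same blocks plus the global (default) certificate Aki's reply asks for.
FIXED_CONF = """\
ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem
ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem
""" + FAILING_CONF

def parse_ssl_conf(text):
    """Return (global settings, {local_name: settings}); handles 'key = value'
    lines and one level of 'local_name NAME { ... }' blocks only."""
    global_settings, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = re.match(r"local_name\s+(\S+)\s*\{$", line)
        if opened:
            current = opened.group(1)
            blocks[current] = {}
        elif line == "}":
            current = None
        else:
            key, _, value = line.partition("=")
            target = global_settings if current is None else blocks[current]
            target[key.strip()] = value.strip()
    return global_settings, blocks

def lint(text):
    """List of problems; empty means the SNI layout is complete."""
    global_settings, blocks = parse_ssl_conf(text)
    problems = []
    if blocks and not (global_settings.get("ssl_cert") and global_settings.get("ssl_key")):
        problems.append("local_name blocks but no global ssl_cert/ssl_key "
                        "(the 'Couldn't parse private ssl_key' failure in this thread)")
    for name, settings in blocks.items():
        for key in ("ssl_cert", "ssl_key"):
            if not settings.get(key, "").startswith("<"):
                problems.append(f"local_name {name}: {key} missing or not a '<path' reference")
    return problems
```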
FYI
dovecot 2.2.10 from RedHat 7 has an issue with clients which won't send SNI. As you are using version 2.2.27 you might encounter the same behaviour.
If the client won't send SNI, my server randomly answers with any cert instead of the default cert. Perhaps dovecot just utilises the last used cert? One speciality of my certs is that both share the same Common Name (CN) but differ in Subject Alternative Names (SAN).
Once your config works, you can check by initialising several connections (I tried 30 times) without SNI using openssl. First command is without SNI, second is with SNI.
$ openssl s_client -showcerts -connect IP-address:993
$ openssl s_client -showcerts -connect IP-address:993 -servername server.domain
This is my bug report on this list:
https://dovecot.org/pipermail/dovecot/2018-July/112368.html
Best regards
Martin Johannes Dauser
On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote:
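Martin's openssl check, as an added Python example that is not from the thread: it repeats a handshake with and without SNI and tallies the CN/SAN pairs the server presented, so a MIXED result for the no-SNI case shows the behaviour he describes. It assumes the server's chain validates against the system trust store (true for Let's Encrypt), because getpeercert() returns a parsed dict only for a verified certificate; the sample dicts are constructed.

```python
import socket
import ssl
from collections import Counter

def cert_names(cert):
    """CN and sorted DNS SANs from the dict SSLSocket.getpeercert() returns."""
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    sans = tuple(sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"))
    return cn, sans

def fetch_cert(host, port=993, sni=None):
    """One TLS handshake to host:port; sni=None sends no server_name extension at all.
    Assumption: the chain validates against the system trust store, otherwise the
    handshake raises and getpeercert() would return an empty dict anyway."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # compare what the server sent, not whether it matches host
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def tally_names(certs):
    """Count how often each (CN, SANs) pair occurs in a sequence of getpeercert() dicts."""
    return Counter(cert_names(c) for c in certs)

def is_consistent(tally):
    """True when every handshake in the tally produced the same certificate names."""
    return len(tally) <= 1

def probe(host, port=993, sni=None, attempts=30):
    """Martin's check as code: repeat the handshake and tally what the server presented."""
    return tally_names(fetch_cert(host, port, sni) for _ in range(attempts))

# Constructed samples shaped like getpeercert() output: same CN, different SANs,
# the pair of certificates Martin describes.
CERT_DOMAIN1 = {"subject": ((("commonName", "mail.mydomain.fr"),),),
                "subjectAltName": (("DNS", "mail.mydomain.fr"),)}
CERT_DOMAIN2 = {"subject": ((("commonName", "mail.mydomain.fr"),),),
                "subjectAltName": (("DNS", "mail.mydomain.fr"), ("DNS", "mail.mydomain2.fr"))}

if __name__ == "__main__":
    import sys
    host, name = sys.argv[1], sys.argv[2]  # e.g. the server IP and one of its local_name values
    for label, sni in (("no SNI", None), ("SNI " + name, name)):
        tally = probe(host, sni=sni)
        print(label, "consistent" if is_consistent(tally) else "MIXED", dict(tally))
```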
2.2.10 is quite old. Try reproducing this with .36 or 2.3.2.1
---
Aki Tuomi
Dovecot Oy
-------- Original message --------
From: Martin Johannes Dauser <mdauser at cs.sbg.ac.at>
Date: 31/08/2018 13:10 (GMT+02:00)
To: dovecot at dovecot.org
Subject: Re: SNI Dovecot