Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem I got a warning of course when using my second domain, mydomain2.fr. If I do the config : local_name mail.mydomain.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem } local_name mail.mydomain2.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem } I got this on dovecot's start : dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY It's working without local_name, so why it can be a certificate issue? Any idea? I'm using dovecot 2.2.27-3+deb9u2 from debian. Thanks, Nicolas -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180829/fad898c8/attachment.html>
You need to provide a global certificate as well. ---Aki TuomiDovecot oy -------- Original message --------From: Nicolas <nicolas at shivaserv.fr> Date: 29/08/2018 17:41 (GMT+02:00) To: dovecot at dovecot.org Subject: SNI Dovecot Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem I got a warning of course when using my second domain, mydomain2.fr. If I do the config : local_name mail.mydomain.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem } local_name mail.mydomain2.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem } I got this on dovecot's start : dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY It's working without local_name, so why it can be a certificate issue? Any idea? I'm using dovecot 2.2.27-3+deb9u2 from debian. Thanks, Nicolas -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180829/2575a248/attachment.html>
FYI? dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI.?As you are using version 2.2.27 you might encounter the same behaviour. If the client won't send SNI, my server randomly answers with any cert instead of?the default cert,? --Perhaps dovecot just utilises the last used cert? One speciality?of my certs is, that both share the same Common Name (CN) but differ in?Subject Alternative Names (SAN). Once your config works, you can check by initialising several connections?(I tried 30 times) without SNI using openssl. First command is without SNI,?second is with SNI. $ openssl s_client -showcerts -connect IP-address:993 $ openssl s_client -showcerts -connect IP-address:993 -servername server.domain? This is my bugreport on this list.https://dovecot.org/pipermail/dovecot /2018-July/112368.html Best regardsMartin Johannes Dauser On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote:> ?Hi all, > > I'm testing the SNI configuration from dovecot's wiki page, to have > multiple domains. > > I'm using letsencrypt certificates. > ? On the 10-ssl.conf, when I only use one domain, like this, it works > : > > ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem > ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem > ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem > > I got a warning of course when using my second domain, mydomain2.fr. > > If I do the config : > > local_name mail.mydomain.fr { > ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem > ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem > ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem > } > > local_name mail.mydomain2.fr { > ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem > ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem > ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem > } > > I got this on dovecot's start : > > dovecot[930]: master: Error: service(imap-login): command startup > failed, throttling for 8 secs > dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: > error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: > ANY PRIVATE KEY > > It's working without local_name, so why it can be a certificate > issue? > > Any idea? > > I'm using dovecot 2.2.27-3+deb9u2 from debian. > > > > Thanks, > Nicola?-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180831/614c946f/attachment.html>
2.2.10 is quite old. try reproducing this with .36 or 2.3.2.1 ---Aki TuomiDovecot oy -------- Original message --------From: Martin Johannes Dauser <mdauser at cs.sbg.ac.at> Date: 31/08/2018 13:10 (GMT+02:00) To: dovecot at dovecot.org Subject: Re: SNI Dovecot FYI dovecot 2.2.10 from RedHat 7 has an issue with clients, which won't send SNI.?As you are using version 2.2.27 you might encounter the same behaviour. If the client won't send SNI, my server randomly answers with any cert instead of?the default cert,? --Perhaps dovecot just utilises the last used cert? One speciality?of my certs is, that both share the same Common Name (CN) but differ in?Subject Alternative Names (SAN). Once your config works, you can check by initialising several connections?(I tried 30 times) without SNI using openssl. First command is without SNI,?second is with SNI. $ openssl s_client -showcerts -connect IP-address:993 $ openssl s_client -showcerts -connect IP-address:993 -servername server.domain? This is my bugreport on this list.https://dovecot.org/pipermail/dovecot/2018-July/112368.html Best regardsMartin Johannes Dauser On Wed, 2018-08-29 at 14:41 +0000, Nicolas wrote: Hi all, I'm testing the SNI configuration from dovecot's wiki page, to have multiple domains. I'm using letsencrypt certificates. On the 10-ssl.conf, when I only use one domain, like this, it works : ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem I got a warning of course when using my second domain, mydomain2.fr. If I do the config : local_name mail.mydomain.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain.fr/privkey.pem } local_name mail.mydomain2.fr { ssl_ca = </etc/letsencrypt/live/mail.mydomain2.fr/chain.pem ssl_cert = </etc/letsencrypt/live/mail.mydomain2.fr/cert.pem ssl_key = </etc/letsencrypt/live/mail.mydomain2.fr/privkey.pem } I got this on dovecot's start : dovecot[930]: master: Error: service(imap-login): command startup failed, throttling for 8 secs dovecot[932]: imap-login: Fatal: Couldn't parse private ssl_key: error:0906D06C:PEM routines:PEM_read_bio:no start line: Expecting: ANY PRIVATE KEY It's working without local_name, so why it can be a certificate issue? Any idea? I'm using dovecot 2.2.27-3+deb9u2 from debian. Thanks, Nicola -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20180831/051b58ac/attachment.html>
Reasonably Related Threads
- SNI Dovecot
- dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
- dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
- dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
- Multiple certificate option SNI