dovecot - Sep 2018 - Server certificate verification error with Dovecot 2.3.2.1

I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL
certificate authority provides a bundle containing their CA, plus
intermediate CAs, which I configure using the 'ssl_ca' option. The
comments in the configuration file say to only set this when you're
requiring client certificates, which I'm not, but fetchmail complains
with a "Server certificate verification error, Broken certificate
chain"
error if that setting is not set. This works fine with Dovecot 2.2.34.

After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca'
is set or not. Dovecot 2.3.2.1 reports the error

  SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
  
in the logs when attempting the TLS handshake. The permissions on the CA
bundle haven't changed and should still be readable by Dovecot.

I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file
system. I'm attaching my config files for both Dovecot 2.2.34 and
Dovecot 2.3.2.1.
-------------- next part --------------
# 2.2.34 (874deae): /etc/dovecot/dovecot.conf
# OS: Linux 4.9.95-gentoo x86_64 Gentoo Base System release 2.4.1 
# Hostname: hermes.ultramedonline.com
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = *
  driver = pam
}
passdb {
  args = scheme=sha512-crypt username_format=%n /etc/mail/passwd
  driver = passwd-file
}
ssl_ca = </etc/ssl/local/certs/gd_bundle-g2-g1.crt
ssl_cert = </etc/ssl/local/certs/wildcard.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_dh_parameters_length = 4096
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /etc/mail/passwd
  default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%n
  driver = passwd-file
}
-------------- next part --------------
# 2.3.2.1 (0719df592): /etc/dovecot/dovecot.conf
# OS: Linux 4.9.95-gentoo x86_64 Gentoo Base System release 2.4.1 
# Hostname: hermes.ultramedonline.com
mail_access_groups = mail
mail_location = mbox:~/mail:INBOX=/var/spool/mail/%n
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = *
  driver = pam
}
passdb {
  args = scheme=sha512-crypt username_format=%n /etc/mail/passwd
  driver = passwd-file
}
ssl_ca = </etc/ssl/local/certs/gd_bundle-g2-g1.crt
ssl_cert = </etc/ssl/local/certs/wildcard.crt
ssl_cipher_list = DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
ssl_dh =  # hidden, use -P to show it
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /etc/mail/passwd
  default_fields = uid=vmail gid=vmail home=/var/spool/vmail/%n
  driver = passwd-file
}

You are supposed to put the intermediates into the cert file after the cert in
order from cert to root. ssl_ca is not used for this.
---Aki TuomiDovecot oy
-------- Original message --------From: Robert Gill <locke at
sdf.lonestar.org> Date: 13/09/2018  01:00  (GMT+02:00) To: dovecot at
dovecot.org Subject: Server certificate verification error with Dovecot 2.3.2.1
I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL
certificate authority provides a bundle containing their CA, plus
intermediate CAs, which I configure using the 'ssl_ca' option. The
comments in the configuration file say to only set this when you're
requiring client certificates, which I'm not, but fetchmail complains
with a "Server certificate verification error, Broken certificate
chain"
error if that setting is not set. This works fine with Dovecot 2.2.34.

After upgrading to 2.3.2.1, fetchmail throws that error whether 'ssl_ca'
is set or not. Dovecot 2.3.2.1 reports the error

? SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
? 
in the logs when attempting the TLS handshake. The permissions on the CA
bundle haven't changed and should still be readable by Dovecot.

I'm running Gentoo Linux on x86_64 and mail is stored on an ext4 file
system. I'm attaching my config files for both Dovecot 2.2.34 and
Dovecot 2.3.2.1.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20180913/b989f759/attachment.html>

On Wed, 12 Sep 2018, Robert Gill wrote:
> I'm attempting to upgrade my Dovecot installation to 2.3.2.1. My SSL
> certificate authority provides a bundle containing their CA, plus
> intermediate CAs, which I configure using the 'ssl_ca' option. The
> comments in the configuration file say to only set this when you're
> requiring client certificates, which I'm not, but fetchmail complains
> with a "Server certificate verification error, Broken certificate
chain"
> error if that setting is not set. This works fine with Dovecot 2.2.34.
Try creating your certificate by appending all your server and
intermediate certs in this order into one file

 	server certificate
 	intermediate certificate 1
 	intermediate certificate 2
 	...

where the chain works toward the root CA.  You don't need the root CA as
your client ought to anchor the chain with its own CA store.  Then set
the value of ssl_cert to this file.

Joseph Tam <jtam.home at gmail.com>

On Thu, Sep 13, 2018 at 05:59:16AM +0300, Aki Tuomi
wrote:
> You are supposed to put the intermediates into the cert file after the
> cert in order from cert to root. ssl_ca is not used for this.
> ---Aki TuomiDovecot oy
On Wed, Sep 12, 2018 at 11:43:23PM -0700, Joseph Tam
wrote:
> Try creating your certificate by appending all your server and
> intermediate certs in this order into one file
> 
>       server certificate
>       intermediate certificate 1
>       intermediate certificate 2
>       ...
> 
> where the chain works toward the root CA.  You don't need the root CA
> as your client ought to anchor the chain with its own CA store.  Then
> set the value of ssl_cert to this file.
> 
> Joseph Tam <jtam.home at gmail.com>
Thanks, I concatenated the CA bundle onto my cert file and everything
seems to work now.