Hello!

Dovecot manages different domains. Today I renewed the certificates from letsencrypt and since that time, dovecot does not recognize the certs for different domains anymore. This is part of my config:

    ssl = yes
    ssl_cert = < /etc/letsencrypt/live/bitcorner.de/fullchain.pem
    ssl_key = < /etc/letsencrypt/live/bitcorner.de/privkey.pem

    local 37.120.166.21 { # instead of IP you can also use hostname, which will be resolved
      protocol imap {
        ssl_cert = < /etc/letsencrypt/live/bitcorner.de/fullchain.pem
        ssl_key = < /etc/letsencrypt/live/bitcorner.de/privkey.pem
      }
    }

    local 46.38.231.143 {
      protocol imap {
        ssl_cert = < /etc/letsencrypt/live/nimmini.de/fullchain.pem
        ssl_key = < /etc/letsencrypt/live/nimmini.de/privkey.pem
      }
    }

This worked for years and I don't know what's wrong now. It seems dovecot just takes the default certs into account and ignores the certs defined with "local" completely.

Any help appreciated.

Kind regards
Andreas

-- 
PGP-Fingerprint: F004 8EEE 5E54 F2EA 566E B939 22E5 85DD AA14 AC0A
What problem are you seeing? It uses the correct SSL certs when I connect.

prompt> gnutls-cli --port 993 mail.nimmini.de
Processed 149 CA certificate(s).
Resolving 'mail.nimmini.de:993'...
Connecting to '46.38.231.143:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=nimmini.de', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x049c7758b8b9555ffdfe5b701b28c1e0a3c6, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-12-26 21:37:59 UTC', expires `2019-03-26 21:37:59 UTC', pin-sha256="0G1iyw4AAayWktCk3M9gauB01s4guqgidOQotb1u49I="
        Public Key ID:
                sha1:e03d4c14e735791a4a0924057676bee73b5e199f
                sha256:d06d62cb0e0001ac9692d0a4dccf606ae074d6ce20baa82274e428b5bd6ee3d2
        Public Key PIN:
                pin-sha256:0G1iyw4AAayWktCk3M9gauB01s4guqgidOQotb1u49I

- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA256)-(AES-256-GCM)
- Session ID: 0B:1D:9F:A2:73:92:FA:E7:02:08:98:49:14:A6:69:1B:2D:D4:30:F0:62:A9:AF:B2:4C:B7:79:94:CF:3E:41:A2
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
. logout
- Peer has closed the GnuTLS connection

prompt> gnutls-cli --port 993 mail.bitcorner.de
Processed 149 CA certificate(s).
Resolving 'mail.bitcorner.de:993'...
Connecting to '37.120.166.21:993'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=bitcorner.de', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x046f144c168497bce339d1dc4abab194139f, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-12-26 20:46:48 UTC', expires `2019-03-26 20:46:48 UTC', pin-sha256="wZrqFPu/9op8PgqIkm0oK5VoNDPfOzWkX45rNf9IIHk="
        Public Key ID:
                sha1:5d5172ccea888d3340a158eff2c2cb3cb4ccac23
                sha256:c19aea14fbbff68a7c3e0a88926d282b95683433df3b35a45f8e6b35ff482079
        Public Key PIN:
                pin-sha256:wZrqFPu/9op8PgqIkm0oK5VoNDPfOzWkX45rNf9IIHk

- Certificate[1] info:
 - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA256)-(AES-256-GCM)
- Session ID: B4:69:62:88:14:52:1A:54:A5:E9:42:F1:7A:4D:3D:EB:4E:90:D0:07:28:1B:2F:16:A1:BE:45:2C:B6:68:AE:1E
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
. logout
- Peer has closed the GnuTLS connection

-- 
Greg
Hello!

Greg Wildman <lists at itns.co.za> wrote on 27.12.18 at 11:21:55:

> What problem are you seeing? It uses the correct SSL certs when I
> connect.
> 
> prompt> gnutls-cli --port 993 mail.nimmini.de
> Processed 149 CA certificate(s).
> Resolving 'mail.nimmini.de:993'...
> Connecting to '46.38.231.143:993'...
> - Certificate type: X.509
> - Got a certificate list of 2 certificates.
> - Certificate[0] info:
>  - subject `CN=nimmini.de', issuer `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', serial 0x049c7758b8b9555ffdfe5b701b28c1e0a3c6, RSA key 2048 bits, signed using RSA-SHA256, activated `2018-12-26 21:37:59 UTC', expires `2019-03-26 21:37:59 UTC', pin-sha256="0G1iyw4AAayWktCk3M9gauB01s4guqgidOQotb1u49I="
>         Public Key ID:
>                 sha1:e03d4c14e735791a4a0924057676bee73b5e199f
>                 sha256:d06d62cb0e0001ac9692d0a4dccf606ae074d6ce20baa82274e428b5bd6ee3d2
>         Public Key PIN:
>                 pin-sha256:0G1iyw4AAayWktCk3M9gauB01s4guqgidOQotb1u49I
> 
> - Certificate[1] info:
>  - subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256, activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC', pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
> - Status: The certificate is trusted.
> - Description: (TLS1.2)-(ECDHE-SECP384R1)-(RSA-SHA256)-(AES-256-GCM)
> - Session ID: 0B:1D:9F:A2:73:92:FA:E7:02:08:98:49:14:A6:69:1B:2D:D4:30:F0:62:A9:AF:B2:4C:B7:79:94:CF:3E:41:A2
> - Options: safe renegotiation,
> - Handshake was completed
> 
> - Simple Client Mode:
> 
> * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=CRAM-MD5] Dovecot ready.
> . logout
> - Peer has closed the GnuTLS connection

Thank you for your investigation! It turned out there was a problem on the server with IPv6 binding to the wrong virtual network-interface.

Everything's running smoothly so far although there is still a problem adding the right IPv6-address additionally to the IPv4-address.

Kind regards
Andreas

-- 
PGP-Fingerprint: F004 8EEE 5E54 F2EA 566E B939 22E5 85DD AA14 AC0A
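The check Greg ran by hand with gnutls-cli covered one address per hostname, and the root cause turned out to be a wrong IPv6 binding, which a single IPv4 connection does not exercise. The script below is an added example written for this thread, not code from the thread or from the Dovecot project: it resolves every A and AAAA record of each IMAPS hostname, opens a TLS session to each address individually with that hostname as SNI, and reports whether the certificate served there actually covers the name and how long it has left. The hostnames and certificate dictionaries in the comments and the test are constructed placeholders; the matching and expiry helpers work on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so they can be exercised offline.

```python
"""Probe every address behind an IMAPS hostname and report the served cert.

Added example for the thread above (not from the thread or from Dovecot).
A per-address probe makes a wrong `local { }` mapping or a mis-bound IPv6
address visible, which a single gnutls-cli run against one address may not.
"""
import socket
import ssl
import time

IMAPS_PORT = 993


def san_dns_names(cert):
    """DNS names a getpeercert() dict vouches for: SAN entries, then the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that replaces exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def cert_covers_host(cert, hostname):
    """True when the certificate is valid for hostname (the thread's symptom
    was the default cert, i.e. the wrong name, being served on an address)."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the cert has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def resolve_all(hostname, port=IMAPS_PORT):
    """Every (family, ip) pair for the name, so AAAA records are probed too."""
    infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    return sorted({(family, sockaddr[0]) for family, _, _, _, sockaddr in infos})


def probe(hostname, ip, family, port=IMAPS_PORT, timeout=5.0):
    """Connect to one concrete address with hostname as SNI and inspect the cert.
    Chain validation stays on; hostname matching is done here so a mismatch is
    reported as data instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.socket(family, socket.SOCK_STREAM) as raw:
        raw.settimeout(timeout)
        raw.connect((ip, port))
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {
        "ip": ip,
        "names": san_dns_names(cert),
        "covers_host": cert_covers_host(cert, hostname),
        "days_left": days_until_expiry(cert),
    }


def audit(hostnames):
    """Probe all addresses of all hostnames; returns one result dict per address."""
    results = []
    for hostname in hostnames:
        for family, ip in resolve_all(hostname):
            try:
                result = probe(hostname, ip, family)
            except (OSError, ssl.SSLError) as exc:
                result = {"ip": ip, "error": str(exc)}
            results.append(dict(result, hostname=hostname))
    return results


if __name__ == "__main__":
    # Placeholder hostnames; replace with the IMAPS names you operate.
    for r in audit(["mail.example-one.test", "mail.example-two.test"]):
        print(r)
```

Run it after every certificate renewal; an entry with `covers_host` False on one address but True on another is exactly the situation the thread describes, and an address that fails to connect at all (an `error` entry) is the sign of a binding problem rather than a certificate one.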