Hello,

using letsencrypt ssl certs with san works perfectly with 2.2.34, but
after upgrading to 2.3.4.1 it couldn't be verified (also tried v2.3.7.1).

i connect to imap.myserver.lan

the cn of the cert is myserver.lan and has the san imap.myserver.lan

openssl s_client -connect imap.myserver.lan:993
CONNECTED(00000005)
depth=0 CN = imap.myserver.lan
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = imap.myserver.lan
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = imap.myserver.lan
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

if i cat ssl_ca and ssl_cert into one file and only use ssl_cert it's working with 2.3.X

ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem
> On 06/08/2019 22:49 telsch via dovecot <dovecot at dovecot.org> wrote:
>
>
> Hello,
>
> using letsencrypt ssl certs with san works perfectly with 2.2.34, but
> after upgrading to 2.3.4.1 it couldn't be verified (also tried v2.3.7.1).
>
> i connect to imap.myserver.lan
>
> the cn of the cert is myserver.lan and has the san imap.myserver.lan
>
> openssl s_client -connect imap.myserver.lan:993
> CONNECTED(00000005)
> depth=0 CN = imap.myserver.lan
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = imap.myserver.lan
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = imap.myserver.lan
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
>
> if i cat ssl_ca and ssl_cert into one file and only use ssl_cert it's working with 2.3.X
>
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem

ssl_ca is not supposed to be automatically cat'ed into the certificate. The correct way is to put the cert and the leafs to the cert, in order towards the root, into ssl-imap.pem. ssl_ca is intended for verifying clients connecting to the server.

Aki
On Tue, 6 Aug 2019, telsch wrote:

> if i cat ssl_ca and ssl_cert into one file and only use ssl_cert it's working with 2.3.X
>
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem

In the words of Montoya, "I do not think it means what you think it means", referring to "ssl_ca". That file is not used to establish the trust chain to your server certificate, but rather, to your clients' certificates (e.g. if you run a local CA to issue user certificates for mutual authentication, you would put your local CA certificate here). (Maybe this config variable should be renamed "ssl_client_ca".)

Appending intermediate and server certificates is what you're supposed to do.

Joseph Tam <jtam.home at gmail.com>
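The point both replies make (ssl_cert has to carry the server certificate followed by its intermediate(s); ssl_ca is only for verifying client certificates) is easy to check locally. The script below is an added example, not code from this thread or from the Dovecot project: it builds a throwaway root, intermediate and leaf with the openssl CLI, then compares three candidate ssl_cert files the way a client that trusts only the root would, and checks the ordering that OpenSSL's chain-file loader expects (server certificate first, each issuer after the certificate it signed). The hostnames follow the thread; the CA names ("Example Test Root", "Example Test Intermediate"), keys and file names are constructed here. It assumes a POSIX sh with mktemp, awk and openssl 1.1.1 or newer.

```sh
#!/bin/sh
# Added example (not from the thread or from Dovecot): build a throwaway
# root -> intermediate -> leaf PKI and compare three candidate ssl_cert files.
# Hostnames follow the thread; CA names and keys are constructed here.
# Needs a POSIX sh, mktemp, awk and openssl 1.1.1 or newer.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Root CA (self-signed) and intermediate CA use the same CA extensions.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
newkey root.key
openssl req -new -batch -key root.key -subj "/CN=Example Test Root" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext -out root.crt 2>/dev/null

newkey int.key
openssl req -new -batch -key int.key -subj "/CN=Example Test Intermediate" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# Server certificate: CN myserver.lan, SAN imap.myserver.lan, as in the report.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.ext
printf 'subjectAltName=DNS:myserver.lan,DNS:imap.myserver.lan\n' >> leaf.ext
newkey leaf.key
openssl req -new -batch -key leaf.key -subj "/CN=myserver.lan" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Three candidate ssl_cert files.
cp leaf.crt broken.pem                 # leaf only: what is sent when the intermediate sits in ssl_ca
cat int.crt leaf.crt > wrongorder.pem  # intermediate first: OpenSSL expects the server cert first
cat leaf.crt int.crt > good.pem        # server cert, then its issuer: what the Dovecot docs ask for

# split_pem BUNDLE DIR: writes DIR/1.pem, DIR/2.pem, ... in file order.
split_pem() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
}

# name_of subject|issuer FILE: the DN in RFC 2253 form, so two can be compared.
name_of() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# check_order BUNDLE HOST: the order SSL_CTX_use_certificate_chain_file expects,
# the certificate for HOST first and each certificate's issuer right after it.
# Prints "ok" or a description of what is wrong.
check_order() {
  d="$(mktemp -d)"; split_pem "$1" "$d"
  if ! openssl x509 -in "$d/1.pem" -noout -text | grep -q "DNS:$2"; then
    rm -rf "$d"; echo "first certificate is not the server certificate for $2"; return 0
  fi
  i=1
  while [ -f "$d/$((i + 1)).pem" ]; do
    iss="$(name_of issuer "$d/$i.pem")"
    sub="$(name_of subject "$d/$((i + 1)).pem")"
    if [ "$iss" != "$sub" ]; then
      rm -rf "$d"; echo "certificate $((i + 1)) ($sub) did not issue certificate $i ($iss)"; return 0
    fi
    i=$((i + 1))
  done
  rm -rf "$d"; echo ok
}

# verify_as_client BUNDLE ROOT: what a mail client trusting only ROOT makes of
# the certificates a server configured with BUNDLE sends. The first one is
# the server certificate, the rest are offered as untrusted intermediates.
# Prints "ok" or OpenSSL's verification error text.
verify_as_client() {
  d="$(mktemp -d)"; split_pem "$1" "$d"
  : > "$d/chain.untrusted"
  for f in "$d"/*.pem; do
    [ "$f" = "$d/1.pem" ] || cat "$f" >> "$d/chain.untrusted"
  done
  if [ -s "$d/chain.untrusted" ]; then
    out="$(openssl verify -no-CAfile -no-CApath -CAfile "$2" -untrusted "$d/chain.untrusted" "$d/1.pem" 2>&1)" || true
  else
    out="$(openssl verify -no-CAfile -no-CApath -CAfile "$2" "$d/1.pem" 2>&1)" || true
  fi
  rm -rf "$d"
  case "$out" in
    *": OK") echo ok ;;
    *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
  esac
}

for b in broken.pem wrongorder.pem good.pem; do
  printf '%s\n  order:  %s\n  client: %s\n' "$b" \
    "$(check_order "$b" imap.myserver.lan)" "$(verify_as_client "$b" root.crt)"
done

# The matching Dovecot 2.3 settings; ssl_ca only matters for ssl_verify_client_cert:
#   ssl_cert = </etc/ssl-imap.pem   # contents as in good.pem: server cert, then intermediate(s)
#   ssl_key  = </etc/ssl-imap.key
```

broken.pem reproduces the report: the order is fine but the client fails with "unable to get local issuer certificate", because the intermediate never reaches the client. wrongorder.pem shows why the order check is needed in addition to openssl verify: the intermediate in first position chains to the root on its own, so verification says ok, while a real client would be handed the wrong certificate for imap.myserver.lan. Only good.pem passes both checks. To check a live server the same way, capture its chain with `openssl s_client -connect imap.myserver.lan:993 -showcerts </dev/null` and run check_order over the saved PEM blocks.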
> On 07/08/2019 00:37 Joseph Tam via dovecot <dovecot@dovecot.org> wrote:
>
>
> On Tue, 6 Aug 2019, telsch wrote:
>
> > if i cat ssl_ca and ssl_cert into one file and only use ssl_cert it's
> > working with 2.3.X
> > ssl_ca = </etc/ssl/ca-bundle.pem ssl_cert = </etc/ssl-imap.pem
>
> In the words of Montoya, "I do not think it means what you think it
> means", referring to "ssl_ca". That file is not used to establish
> the trust chain to your server certificate, but rather, to your clients'
> certificates (e.g. if you run a local CA to issue user certificates
> for mutual authentication, you would put your local CA certificate here).
>
> (Maybe this config variable should be renamed "ssl_client_ca".)

... except there already are ssl_client_ca_* settings, used to validate connections from dovecot.

> Appending intermediate and server certificates is what you're supposed
> to do.
>
> Joseph Tam <jtam.home@gmail.com>

---
Aki Tuomi
with v2.2.34 i can use:

ssl_ca = </etc/ssl/ca-bundle.pem
ssl_cert = </etc/ssl-imap.pem

after upgrade to v2.3.X it doesn't work like before.

it's working if i manually cat ca-bundle.pem and ssl-imap.pem into one file and use only:

ssl_cert = </etc/ssl-imap.pem

i thought ssl_ca is where to put the intermediate cert?
> On 07/08/2019 14:28 telsch <telsch at gmx.de> wrote:
>
>
> with v2.2.34 i can use:
>
> ssl_ca = </etc/ssl/ca-bundle.pem
> ssl_cert = </etc/ssl-imap.pem
>
> after upgrade to v2.3.X it doesn't work like before.
>
> it's working if i manually cat ca-bundle.pem and ssl-imap.pem into one
> file and use only:
>
> ssl_cert = </etc/ssl-imap.pem
>
> i thought ssl_ca is where to put the intermediate cert?

(Sorry for duplicate mail, keyboard acted up...)

No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in documentation & wiki have always recommended concatenating the intermediates with the cert.

Aki
ok thanks for clarification

> No, that has always been a mistake and it was fixed in 2.3. Our SSL pages in documentation & wiki have always recommended concatenating the intermediates with the cert.
>
> Aki
On Wed, 7 Aug 2019 20:24:13 +0300 (EEST), Aki Tuomi via dovecot wrote:

>> i thought ssl_ca is where to put the intermediate cert?

Well, it surely worked that way until v2.3...

> (Sorry for duplicate mail, keyboard acted up...)
>
> No, that has always been a mistake and it was fixed in 2.3. Our SSL
> pages in documentation & wiki have always recommended concatenating
> the intermediates with the cert.

Aki, after the issue came up last time <http://dovecot.2317879.n4.nabble.com/dovecot-2-2-openssl-1-0-vs-dovecot-2-3-openssl-1-1-1-ssl-regression-tt65322.html#none>, you appeared to have changed your mind? What happened?

Cheerio,
Hauke

--
The ASCII Ribbon Campaign                 Hauke Fath
  ()     No HTML/RTF in email             Institut für Nachrichtentechnik
  /\     No Word docs in email            TU Darmstadt
         Respect for open standards       Ruf +49-6151-16-21344