I changed some of the tls options following the document, now config is following: tokeninfo_url https://keycloak.com/auth/realms/mail/protocol/openid-connect/token introspection_url https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect introspection_mode = post debug = yes rawlog_dir = /tmp/oauth2 #force_introspection = yes username_attribute = username #active_attribute = active #active_value = true tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem tls_key_file = /etc/pki/dovecot/private/dovecot.pem --------------- The debug log is showing now slightly different msg ex: Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate. Still not able to connect to the keyclaok server. :( PS: Dovecot & Keycloak severs are both using the same legit cert/key pair with CA file configured. Thanks! Mizuki On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:> Before declaring it not ready for prime time, did you try setting > > tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt > > In the oauth2 configuration file as documented in > https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? > > Aki > > > On 05/12/2019 21:58 mizuki via dovecot <dovecot at dovecot.org> wrote: > > > > > > Hi all, > > > > We'd like to enable OAuth with Keycloak in Dovecot, after enabling > 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm > Dovecot is ready for OAuth using openssl command, however when the auth > request comes in, it failed in establishing a SSL connection with Keycloak > server on port 443, shown as following in debug logs. I can confirming > using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl > -v https://<keycloak_server/' all returns normal and no errors. Altering > some of the SSL options in dovecot such as 'ssl_ca > </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file > </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are > NOT self-signed but signed the legit authorities. So I'm not sure why > dovecot could not establish the connections. > > > > Debug logs: > > ---------------------------------------------------- > > Dec 5 14:32:07 mktst4 dovecot: auth: Debug: auth client connected > (pid=16554) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: client in: > AUTH#0111#011OAUTHBEARER#011service=imap#011secured#011session=QPwA/fmY+tqCx5Tr#011lip=130.199.148.187#011rip=10.0.2.1#011lport=993#011rport=56058#011resp=bixhPW1penVraQFob3N0PW1rdHN0NC5zZGNjLmJubC5nb3YBcG9ydD05OTMBYXV0aD1CZWFyZXIgZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJZ09pQWlTbGRVSWl3aWEybGtJaUE2SUNKcmRHeE5TSFZtYkc1NFZUUmlSR1pLTm5kSGRteFBNVVYxWWxWd2FreEZVVmhIY25GTU5UYzNhSEJSSW4wLmV5SnFkR2tpT2lJNE5XSmxZV05tTkMxak1tTmxMVFJtTkRJdFltUTRNUzAxTnpWaU4yRmpZV05sT1RnaUxDSmxlSEFpT2pFMU56VTJNVEF5TURnc0ltNWlaaUk2TUN3aWFXRjBJam94TlRjMU5UYzBNakE0TENKcGMzTWlPaUpvZEhSd2N6b3ZMMnRsZVdOc2IyRnJNaTV6WkdOakxtSnViQzVuYjNZdllYVjBhQzl5WldGc2JYTXZiV0ZwYkNJc0ltRjFaQ0k2SW1GalkyOTFiblFpTENKemRXSWlPaUkyTmpWa05EVTNNeTA0WVdFMUxUUmtPRFl0WW1NelppMHlaVEpqTWpOaU16WTJORFVpTENKMGVYQWlPaUpDWldGeVpYSWlMQ0poZW5BaU9pSmtiM1psWTI5MElpd2lZWFYwYUY5MGFXMWxJam93TENKelpYTnphVzl1WDNOMFlYUmxJam9pT1RNNE5XRTVOakF0TUROa1pDMDBPR05sTFdFeU4yUXRZVFkzWkdZME5tUXhaRGcxSWl3aVlXTnlJam9pTVNJc0luSmxZV3h0WDJGalkyVnpjeUk2ZXlKeWIyeGxjeUk2V3lKdlptWnNhVzVsWDJGalkyVnpjeUlzSW5WdFlWOWhkWFJvYjNKcGVtRjBhVzl1SWwxOUxDSnlaWE52ZFhKalpWOWhZMk5sYzNNaU9uc2lZV05qYjNWdWRDSTZleUp5YjJ4bGN5STZXeUp0WVc1aFoyVXRZV05qYjNWdWRDSXNJbTFoYm1GblpTMWhZMk52ZFc1MExXeHBibXR6SWl3aWRtbGxkeTF3Y205bWFXeGxJbDE5ZlN3aWMyTnZjR1VpT2lKd2NtOW1hV3hsSUdWdFlXbHNJaXdpWlcxaGFXeGZkbVZ5YVdacFpXUWlPbVpoYkhObExDSnVZVzFsSWpvaVRXbDZkV3RwSUV0aGNtRnpZWGRoSWl3aWNISmxabVZ5Y21Wa1gzVnpaWEp1WVcxbElqb2liV2w2ZFd0cElpd2laMmwyWlc1ZmJtRnRaU0k2SWsxcGVuVnJhU0lzSW1aaGJXbHNlVjl1WVcxbElqb2lTMkZ5WVhOaGQyRWlMQ0psYldGcGJDSTZJbTFwZW5WcmFVQmlibXd1WjI5MkluMC5NZTRwNkl0dmx2T0VYRTIxM2pwSnJpa3FhZGNZb0ZsMnlMVlJzQTJvQTdmWDgteEtJYTR2ckZmamwwLXRwb2JodzIyRnBvVDZ2TWoxbXphLXBWWUxzNW1vM0w5Y0xKT2hVVnV2Tm9YSm5nZlRzLXk2TWxuTXVGV1NQemtidEhhOXJTUEVqZGFZQXBDQk52MG9CWEs2bmhIM0U5ZkNvTl9TQlUycWxaSWk2M1dWOUZXSjFrbHVGT2Iwc0xja2JfWGNGZzhUZ0dXOEdVUlRYTlg4bW1VM1dNLWJ5dnJuTkFyNmFjWW1ibXRaVzRhV0NwTk5FSHRZU29LSmgydHZuQjhHNnl5eWptWWJ5Q2ZhTmwwSnVZYU52VFEzTXhCX2FnLV9Pcy04VkwtTGFLdHBGYXBMNEVNWUJaXzFnZmNhSFdUSUV1VS0wSVdjTjlEa2xxcW1MN19jNlEBAQ=> (previous base64 data may contain sensitive data) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host > example.com (http://example.com): Host created > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host > example.com (http://example.com): Performing asynchronous DNS lookup > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: > GET > https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.eyJqdGkiOiI4NWJlYWNmNC1jMmNlLTRmNDItYmQ4MS01NzViN2FjYWNlOTgiLCJleHAiOjE1NzU2MTAyMDgsIm5iZiI6MCwiaWF0IjoxNTc1NTc0MjA4LCJpc3MiOiJodHRwczovL2tleWNsb2FrMi5zZGNjLmJubC5nb3YvYXV0aC9yZWFsbXMvbWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjVkNDU3My04YWE1LTRkODYtYmMzZi0yZTJjMjNiMzY2NDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb3ZlY290IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOTM4NWE5NjAtMDNkZC00OGNlLWEyN2QtYTY3ZGY0NmQxZDg1IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWl6dWtpIEthcmFzYXdhIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWl6dWtpIiwiZ2l2ZW5fbmFtZSI6Ik1penVraSIsImZhbWlseV9uYW1lIjoiS2FyYXNhd2EiLCJlbWFpbCI6Im1penVraUBibmwuZ292In0.Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q]: > Submitted > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host > example.com (http://example.com): DNS lookup successful; got 1 IPs > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Peer created > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue > https://example.com"443: Setting up connection to 10.0.2.2:443 ( > http://10.0.2.2:443) (SSL=example.com (http://example.com)) (1 requests > pending) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Linked queue https://example.com:443 > (1 queues linked) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue > https://example.com:443: Started new connection to 10.0.2.2:443 ( > http://10.0.2.2:443) (SSL=example.com (http://example.com)) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Creating 1 new connections to handle > requests (already 0 usable, connecting to 0, closing 0) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Making new connection 1 of 1 > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: HTTPS connection created (1 > parallel connections exist) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: Connected > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: Starting SSL handshake > > Dec 5 14:32:22 mktst4 dovecot: auth: Received invalid SSL certificate: > unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The > USERTRUST Network/CN=USERTrust RSA Certification Authority > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Failed to make connection > (connections=1, connecting=1) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue > https://example.com:443: Failed to set up connection to 10.0.2.2:443 ( > http://10.0.2.2:443) (SSL=example.com (http://example.com)): SSL > handshaking with 10.0.2.2:443 (http://10.0.2.2:443) failed: read(SSL > 10.0.2.2:443 (http://10.0.2.2:443)) failed: Received invalid SSL > certificate: unable to get issuer certificate: /C=US/ST=New Jersey/L=Jersey > City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority (1 > peers pending, 1 requests pending) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue > https://example.com:443: Failed to set up any connection; failing all > queued requests > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: peer > 10.0.2.2:443 (http://10.0.2.2:443): Unlinked queue https://example.com:443 > (0 queues linked) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: queue > https://example.com:443: Dropping request [Req1: GET > https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.eyJqdGkiOiI4NWJlYWNmNC1jMmNlLTRmNDItYmQ4MS01NzViN2FjYWNlOTgiLCJleHAiOjE1NzU2MTAyMDgsIm5iZiI6MCwiaWF0IjoxNTc1NTc0MjA4LCJpc3MiOiJodHRwczovL2tleWNsb2FrMi5zZGNjLmJubC5nb3YvYXV0aC9yZWFsbXMvbWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjVkNDU3My04YWE1LTRkODYtYmMzZi0yZTJjMjNiMzY2NDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb3ZlY290IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOTM4NWE5NjAtMDNkZC00OGNlLWEyN2QtYTY3ZGY0NmQxZDg1IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWl6dWtpIEthcmFzYXdhIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWl6dWtpIiwiZ2l2ZW5fbmFtZSI6Ik1penVraSIsImZhbWlseV9uYW1lIjoiS2FyYXNhd2EiLCJlbWFpbCI6Im1penVraUBibmwuZ292In0.Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q > ] > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: host > example.com (http://example.com): Host is idle (timeout = 1799992 msecs) > > Dec 5 14:32:22 mktst4 dovecot: auth: Error: > oauth2(mizuki,10.0.2.1,<QPwA/fmY+tqCx5Tr>): oauth2 failed: SSL handshaking > with 10.0.2.2:443 (http://10.0.2.2:443) failed: read(SSL 10.0.2.2:443 ( > http://10.0.2.2:443)) failed: Received invalid SSL certificate: unable to > get issuer certificate: /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST > Network/CN=USERTrust RSA Certification Authority > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: > GET > https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.eyJqdGkiOiI4NWJlYWNmNC1jMmNlLTRmNDItYmQ4MS01NzViN2FjYWNlOTgiLCJleHAiOjE1NzU2MTAyMDgsIm5iZiI6MCwiaWF0IjoxNTc1NTc0MjA4LCJpc3MiOiJodHRwczovL2tleWNsb2FrMi5zZGNjLmJubC5nb3YvYXV0aC9yZWFsbXMvbWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjVkNDU3My04YWE1LTRkODYtYmMzZi0yZTJjMjNiMzY2NDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb3ZlY290IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOTM4NWE5NjAtMDNkZC00OGNlLWEyN2QtYTY3ZGY0NmQxZDg1IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWl6dWtpIEthcmFzYXdhIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWl6dWtpIiwiZ2l2ZW5fbmFtZSI6Ik1penVraSIsImZhbWlseV9uYW1lIjoiS2FyYXNhd2EiLCJlbWFpbCI6Im1penVraUBibmwuZ292In0.Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q]: > Destroy (requests left=1) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: request [Req1: > GET > https://example.com/auth/realms/mail/protocol/openid-connect/tokeneyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrdGxNSHVmbG54VTRiRGZKNndHdmxPMUV1YlVwakxFUVhHcnFMNTc3aHBRIn0.eyJqdGkiOiI4NWJlYWNmNC1jMmNlLTRmNDItYmQ4MS01NzViN2FjYWNlOTgiLCJleHAiOjE1NzU2MTAyMDgsIm5iZiI6MCwiaWF0IjoxNTc1NTc0MjA4LCJpc3MiOiJodHRwczovL2tleWNsb2FrMi5zZGNjLmJubC5nb3YvYXV0aC9yZWFsbXMvbWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI2NjVkNDU3My04YWE1LTRkODYtYmMzZi0yZTJjMjNiMzY2NDUiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkb3ZlY290IiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiOTM4NWE5NjAtMDNkZC00OGNlLWEyN2QtYTY3ZGY0NmQxZDg1IiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJuYW1lIjoiTWl6dWtpIEthcmFzYXdhIiwicHJlZmVycmVkX3VzZXJuYW1lIjoibWl6dWtpIiwiZ2l2ZW5fbmFtZSI6Ik1penVraSIsImZhbWlseV9uYW1lIjoiS2FyYXNhd2EiLCJlbWFpbCI6Im1penVraUBibmwuZ292In0.Me4p6ItvlvOEXE213jpJrikqadcYoFl2yLVRsA2oA7fX8-xKIa4vrFfjl0-tpobhw22FpoT6vMj1mza-pVYLs5mo3L9cLJOhUVuvNoXJngfTs-y6MlnMuFWSPzkbtHa9rSPEjdaYApCBNv0oBXK6nhH3E9fCoN_SBU2qlZIi63WV9FWJ1kluFOb0sLckb_XcFg8TgGW8GURTXNX8mmU3WM-byvrnNAr6acYmbmtZW4aWCpNNEHtYSoKJh2tvnB8G6yyyjmYbyCfaNl0JuYaNvTQ3MxB_ag-_Os-8VL-LaKtpFapL4EMYBZ_1gfcaHWTIEuU-0IWcN9DklqqmL7_c6Q]: > Free (requests left=0) > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: SSL handshaking with 10.0.2.2:443 > (http://10.0.2.2:443) failed: read(SSL 10.0.2.2:443 (http://10.0.2.2:443)) > failed: Received invalid SSL certificate: unable to get issuer certificate: > /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA > Certification Authority > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: Connection close > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: Connection disconnect > > Dec 5 14:32:22 mktst4 dovecot: auth: Debug: http-client: conn > 10.0.2.2:443 (http://10.0.2.2:443) [0]: Connection destroy > > ---------------------------------------------------- > > > > #dovecot -n > > ---------------------------------------------------- > > # 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf > > # OS: Linux 3.10.0-1062.4.3.el7.x86_64 x86_64 Red Hat Enterprise Linux > Server release 7.7 (Maipo) > > # Hostname: mktst4.sdcc.bnl.gov (http://mktst4.sdcc.bnl.gov) > > auth_debug = yes > > auth_debug_passwords = yes > > auth_mechanisms = oauthbearer xoauth2 > > auth_verbose = yes > > auth_verbose_passwords = yes > > first_valid_uid = 1000 > > mail_debug = yes > > mail_location = maildir:~/Maildir > > mbox_write_locks = fcntl > > namespace inbox { > > inbox = yes > > location > > mailbox Drafts { > > special_use = \Drafts > > } > > mailbox Junk { > > special_use = \Junk > > } > > mailbox Sent { > > special_use = \Sent > > } > > mailbox "Sent Messages" { > > special_use = \Sent > > } > > mailbox Trash { > > special_use = \Trash > > } > > prefix > > } > > passdb { > > args = /etc/dovecot/dovecot-oauth2.conf.ext > > driver = oauth2 > > mechanisms = oauthbearer xoauth2 > > } > > protocols = imap > > service auth { > > unix_listener /var/spool/postfix/private/auth { > > group = postfix > > mode = 0666 > > user = postfix > > } > > } > > ssl = required > > ssl_ca = </etc/pki/CA/certs/2.pem > > ssl_cert = </etc/pki/dovecot/certs/dovecot.pem > > ssl_cipher_list > ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!RSA > > ssl_client_ca_file = </etc/pki/CA/certs/2.pem > > ssl_key = # hidden, use -P to show it > > ssl_prefer_server_ciphers = yes > > ssl_require_crl = no > > userdb { > > args = uid=vmail gid=vmail home=/var/vmail/%u > > driver = static > > } > > ---------------------------------------------------- > > > > # cat /etc/dovecot/conf.d/auth-oauth2.conf.ext > > ---------------------------------------------------- > > passdb { > > driver = oauth2 > > mechanisms = oauthbearer xoauth2 > > args = /etc/dovecot/dovecot-oauth2.conf.ext > > } > > > > userdb { > > driver = static > > args = uid=vmail gid=vmail home=/var/vmail/%u > > } > > ---------------------------------------------------- > > > > I wonder if anyone has experienced this possibly know what's going on. > > Thanks! > > Mizuki >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20191205/ac4ce4ed/attachment-0001.html>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
Is the key/cert pair readable by dovecot user? auth process does not run as
root.
</div>
<div>
<br>
</div>
<div>
You can add
</div>
<div>
<br>
</div>
<div>
service auth {
</div>
<div>
extra_groups = ssl_cert
</div>
<div>
}
</div>
<div>
<br>
</div>
<div>
and chgrp the cert to ssl_cert to allow access to the cert.
</div>
<div>
<br>
</div>
<div>
Aki
</div>
<blockquote type="cite">
<div>
On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div dir="ltr">
<div>
I changed some of the tls options following the document, now config is
following:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
tokeninfo_url =
<a
href="https://keycloak.com/auth/realms/mail/protocol/openid-connect/token">https://keycloak.com/auth/realms/mail/protocol/openid-connect/token</a>
<br>introspection_url =
<a
href="https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect">https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect</a>
<br>introspection_mode = post
<br>debug = yes
<br>rawlog_dir = /tmp/oauth2
<br>#force_introspection = yes
<br>username_attribute = username
<br>#active_attribute = active
<br>#active_value = true
<br>tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
<br>tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
<br>tls_key_file = /etc/pki/dovecot/private/dovecot.pem
<br>
</div>
<div>
---------------
</div>
<div>
<br>
</div>
<div>
The debug log is showing now slightly different msg ex:
</div>
<div>
Dec 5 21:09:59 mktst4 dovecot: auth: Error:
oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't
initialize SSL context: Can't load SSL certificate: There is no valid PEM
certificate.
</div>
<div>
<br>
</div>
<div>
Still not able to connect to the keyclaok server. :(
<br>
</div>
<div>
<br>
</div>
<div>
PS: Dovecot & Keycloak severs are both using the same legit cert/key
pair with CA file configured.
</div>
<div>
<br>
</div>
<div>
Thanks!
</div>
<div>
Mizuki
<br>
</div>
<div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">
On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <
<a
href="mailto:aki.tuomi@open-xchange.com">aki.tuomi@open-xchange.com</a>>
wrote:
<br>
</div>
<blockquote>
Before declaring it not ready for prime time, did you try setting
<br>
<br>tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
<br>
<br>In the oauth2 configuration file as documented in
<a target="_blank"
href="https://doc.dovecot.org/configuration_manual/authentication/oauth2"
rel="noopener">https://doc.dovecot.org/configuration_manual/authentication/oauth2</a>
?
<br>
<br>Aki
<br>
<br>> On 05/12/2019 21:58 mizuki via dovecot <
<a target="_blank" href="mailto:dovecot@dovecot.org"
rel="noopener">dovecot@dovecot.org</a>> wrote:
<br>>
<br>>
<br>> Hi all,
<br>>
<br>> We'd like to enable OAuth with Keycloak in Dovecot,
after enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online
document, I can confirm Dovecot is ready for OAuth using openssl command,
however when the auth request comes in, it failed in establishing a SSL
connection with Keycloak server on port 443, shown as following in debug logs. I
can confirming using commands 'openssl s_client -connect
<keycloak_server>:443' or 'curl -v
https://<keycloak_server/' all returns normal and no errors. Altering
some of the SSL options in dovecot such as 'ssl_ca =
</etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file =
</etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are
NOT self-signed but signed the legit authorities. So I'm not sure why
dovecot could not establish the connections.
<br>>
<br>
</blockquote>
</div>
</blockquote>
</body>
</html>
Hi! It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this. Aki> On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote: > > > Hi, > > For troubleshooting purposes, I change the read/write permissions on the certs and confirmed 'dovecot' can read them w/o problem, but still seeing the same errors. :( > Mizuki > > > On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote: > > > > Is the key/cert pair readable by dovecot user? auth process does not run as root. > > > > > > > > > > You can add > > > > > > > > > > service auth { > > > > extra_groups = ssl_cert > > > > } > > > > > > > > > > and chgrp the cert to ssl_cert to allow access to the cert. > > > > > > > > > > Aki > > > > > On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote: > > > > > > > > > > > > > > > > > > > > > > > > I changed some of the tls options following the document, now config is following: > > > > > > > > > > > > > > > > > > > > > > > > tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token > > > introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect > > > introspection_mode = post > > > debug = yes > > > rawlog_dir = /tmp/oauth2 > > > #force_introspection = yes > > > username_attribute = username > > > #active_attribute = active > > > #active_value = true > > > tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > > > tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > > > tls_key_file = /etc/pki/dovecot/private/dovecot.pem > > > > > > > > > --------------- > > > > > > > > > > > > > > > The debug log is showing now slightly different msg ex: > > > > > > Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate. > > > > > > > > > > > > > > > Still not able to connect to the keyclaok server. :( > > > > > > > > > > > > > > > > > > PS: Dovecot & Keycloak severs are both using the same legit cert/key pair with CA file configured. > > > > > > > > > > > > > > > Thanks! > > > > > > Mizuki > > > > > > > > > > > > > > > > > > > > > On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < aki.tuomi at open-xchange.com> wrote: > > > > > > > > > > Before declaring it not ready for prime time, did you try setting > > > > > > > > tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt > > > > > > > > In the oauth2 configuration file as documented in https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? > > > > > > > > Aki > > > > > > > > > On 05/12/2019 21:58 mizuki via dovecot < dovecot at dovecot.org> wrote: > > > > > > > > > > > > > > > Hi all, > > > > > > > > > > We'd like to enable OAuth with Keycloak in Dovecot, after enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm Dovecot is ready for OAuth using openssl command, however when the auth request comes in, it failed in establishing a SSL connection with Keycloak server on port 443, shown as following in debug logs. I can confirming using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server/' all returns normal and no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are NOT self-signed but signed the legit authorities. So I'm not sure why dovecot could not establish?the connections. > > > > > > > > >
Great, thank you so much Aki! Please let me know when the fix is available and I will help test in our environment. We'd really like to enable this feature. Thanks again. Mizuki On Fri, Dec 6, 2019 at 2:54 PM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:> Hi! > > It seems there is a bug in the oauth2 driver, it loads the cert files > wrong way. I'll make an internal bug report of this. > > Aki > > > On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote: > > > > > > Hi, > > > > For troubleshooting purposes, I change the read/write permissions on the > certs and confirmed 'dovecot' can read them w/o problem, but still seeing > the same errors. :( > > Mizuki > > > > > > On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi at open-xchange.com> > wrote: > > > > > > Is the key/cert pair readable by dovecot user? auth process does not > run as root. > > > > > > > > > > > > > > > You can add > > > > > > > > > > > > > > > service auth { > > > > > > extra_groups = ssl_cert > > > > > > } > > > > > > > > > > > > > > > and chgrp the cert to ssl_cert to allow access to the cert. > > > > > > > > > > > > > > > Aki > > > > > > > On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I changed some of the tls options following the document, now config > is following: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > tokeninfo_url > https://keycloak.com/auth/realms/mail/protocol/openid-connect/token > > > > introspection_url > https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect > > > > introspection_mode = post > > > > debug = yes > > > > rawlog_dir = /tmp/oauth2 > > > > #force_introspection = yes > > > > username_attribute = username > > > > #active_attribute = active > > > > #active_value = true > > > > tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > > > > tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > > > > tls_key_file = /etc/pki/dovecot/private/dovecot.pem > > > > > > > > > > > > --------------- > > > > > > > > > > > > > > > > > > > > The debug log is showing now slightly different msg ex: > > > > > > > > Dec 5 21:09:59 mktst4 dovecot: auth: Error: > oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't > initialize SSL context: Can't load SSL certificate: There is no valid PEM > certificate. > > > > > > > > > > > > > > > > > > > > Still not able to connect to the keyclaok server. :( > > > > > > > > > > > > > > > > > > > > > > > > PS: Dovecot & Keycloak severs are both using the same legit cert/key > pair with CA file configured. > > > > > > > > > > > > > > > > > > > > Thanks! > > > > > > > > Mizuki > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < > aki.tuomi at open-xchange.com> wrote: > > > > > > > > > > > > > Before declaring it not ready for prime time, did you try setting > > > > > > > > > > tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt > > > > > > > > > > In the oauth2 configuration file as documented in > https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? > > > > > > > > > > Aki > > > > > > > > > > > On 05/12/2019 21:58 mizuki via dovecot < dovecot at dovecot.org> > wrote: > > > > > > > > > > > > > > > > > > Hi all, > > > > > > > > > > > > We'd like to enable OAuth with Keycloak in Dovecot, after > enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can > confirm Dovecot is ready for OAuth using openssl command, however when the > auth request comes in, it failed in establishing a SSL connection with > Keycloak server on port 443, shown as following in debug logs. I can > confirming using commands 'openssl s_client -connect <keycloak_server>:443' > or 'curl -v https://<keycloak_server/' all returns normal and no errors. > Altering some of the SSL options in dovecot such as 'ssl_ca > </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file > </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are > NOT self-signed but signed the legit authorities. So I'm not sure why > dovecot could not establish the connections. > > > > > > > > > > > >-------------- next part -------------- An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20191206/7888f6cc/attachment-0001.html>
On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:> Hi! > > It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this.Tracking as DOP-1590. Regards, Stephan.>> On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote: >> >> >> Hi, >> >> For troubleshooting purposes, I change the read/write permissions on the certs and confirmed 'dovecot' can read them w/o problem, but still seeing the same errors. :( >> Mizuki >> >> >> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote: >>> >>> Is the key/cert pair readable by dovecot user? auth process does not run as root. >>> >>> >>> >>> >>> You can add >>> >>> >>> >>> >>> service auth { >>> >>> extra_groups = ssl_cert >>> >>> } >>> >>> >>> >>> >>> and chgrp the cert to ssl_cert to allow access to the cert. >>> >>> >>> >>> >>> Aki >>> >>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> I changed some of the tls options following the document, now config is following: >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token >>>> introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect >>>> introspection_mode = post >>>> debug = yes >>>> rawlog_dir = /tmp/oauth2 >>>> #force_introspection = yes >>>> username_attribute = username >>>> #active_attribute = active >>>> #active_value = true >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem >>>> >>>> >>>> --------------- >>>> >>>> >>>> >>>> >>>> The debug log is showing now slightly different msg ex: >>>> >>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate. >>>> >>>> >>>> >>>> >>>> Still not able to connect to the keyclaok server. :( >>>> >>>> >>>> >>>> >>>> >>>> PS: Dovecot & Keycloak severs are both using the same legit cert/key pair with CA file configured. >>>> >>>> >>>> >>>> >>>> Thanks! >>>> >>>> Mizuki >>>> >>>> >>>> >>>> >>>> >>>> >>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < aki.tuomi at open-xchange.com> wrote: >>>> >>>> >>>>> Before declaring it not ready for prime time, did you try setting >>>>> >>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt >>>>> >>>>> In the oauth2 configuration file as documented in https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? >>>>> >>>>> Aki >>>>> >>>>>> On 05/12/2019 21:58 mizuki via dovecot < dovecot at dovecot.org> wrote: >>>>>> >>>>>> >>>>>> Hi all, >>>>>> >>>>>> We'd like to enable OAuth with Keycloak in Dovecot, after enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm Dovecot is ready for OAuth using openssl command, however when the auth request comes in, it failed in establishing a SSL connection with Keycloak server on port 443, shown as following in debug logs. I can confirming using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server/' all returns normal and no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are NOT self-signed but signed the legit authorities. So I'm not sure why dovecot could not establish?the connections. >>>>>>