On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
> Hi!
>
> It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this.

Tracking as DOP-1590.

Regards,

Stephan.

>> On 06/12/2019 16:42 mizuki <mizuki0621 at gmail.com> wrote:
>>
>> Hi,
>>
>> For troubleshooting purposes, I changed the read/write permissions on the certs and confirmed 'dovecot' can read them w/o problem, but still seeing the same errors. :(
>> Mizuki
>>
>> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>
>>> Is the key/cert pair readable by dovecot user? auth process does not run as root.
>>>
>>> You can add
>>>
>>> service auth {
>>>   extra_groups = ssl_cert
>>> }
>>>
>>> and chgrp the cert to ssl_cert to allow access to the cert.
>>>
>>> Aki
>>>
>>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot at dovecot.org> wrote:
>>>>
>>>> I changed some of the tls options following the document, now the config is the following:
>>>>
>>>> tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
>>>> introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0923 at keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
>>>> introspection_mode = post
>>>> debug = yes
>>>> rawlog_dir = /tmp/oauth2
>>>> #force_introspection = yes
>>>> username_attribute = username
>>>> #active_attribute = active
>>>> #active_value = true
>>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
>>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
>>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>>>>
>>>> ---------------
>>>>
>>>> The debug log is now showing a slightly different msg, ex:
>>>>
>>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error: oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't initialize SSL context: Can't load SSL certificate: There is no valid PEM certificate.
>>>>
>>>> Still not able to connect to the Keycloak server. :(
>>>>
>>>> PS: Dovecot & Keycloak servers are both using the same legit cert/key pair with CA file configured.
>>>>
>>>> Thanks!
>>>>
>>>> Mizuki
>>>>
>>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>>
>>>>> Before declaring it not ready for prime time, did you try setting
>>>>>
>>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
>>>>>
>>>>> in the oauth2 configuration file as documented in https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
>>>>>
>>>>> Aki
>>>>>
>>>>>> On 05/12/2019 21:58 mizuki via dovecot <dovecot at dovecot.org> wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> We'd like to enable OAuth with Keycloak in Dovecot. After enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on the online document, I can confirm Dovecot is ready for OAuth using the openssl command; however, when the auth request comes in, it failed in establishing an SSL connection with the Keycloak server on port 443, shown as follows in the debug logs. I can confirm that the commands 'openssl s_client -connect <keycloak_server>:443' or 'curl -v https://<keycloak_server>/' all return normal with no errors. Altering some of the SSL options in dovecot such as 'ssl_ca = </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = </etc/pki/CA/certs/root_ca.pem' does not help either. The certificates are NOT self-signed but signed by legit authorities. So I'm not sure why dovecot could not establish the connections.
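An added diagnostic (my code, not Dovecot's and not from the thread) for the two environment causes discussed above: the auth process, which does not run as root, being unable to read the key/cert files, and a file not containing a PEM block of the expected type (the "There is no valid PEM certificate" error). It parses the tls_* keys of an oauth2 config snippet and emulates the auth user's classic owner/group/other permissions from a given uid and group set, so it can be run as root without switching user (ACLs, SELinux and capabilities are not modelled); the file names, uid/gid values and PEM bodies in demo() are constructed.

```python
import os, re, stat, tempfile

# PEM label the oauth2 driver needs in each file ("RSA PRIVATE KEY" etc. end in "PRIVATE KEY")
EXPECTED_PEM = {"tls_ca_cert_file": "CERTIFICATE", "tls_cert_file": "CERTIFICATE", "tls_key_file": "PRIVATE KEY"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.M)

def parse_oauth2_conf(text):
    # 'key = value' lines of the oauth2 config file; lines starting with '#' are comments
    lines = (ln for ln in text.splitlines() if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in (ln.partition("=") for ln in lines)}

def _has(st, uid, gids, bits):
    # classic DAC: owner bit if uid owns the object, else group bit if its gid is ours, else other bit
    return bool(st.st_mode & (bits[0] if st.st_uid == uid else bits[1] if st.st_gid in gids else bits[2]))

def readable_by(path, uid, gids, stop_at="/"):
    # emulate the non-root auth user: traverse (x) on every directory up to stop_at, then read (r) on the file
    d, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    while d != stop_at and d != os.path.dirname(d):
        d = os.path.dirname(d)
        if not _has(os.stat(d), uid, gids, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
            return False
    return _has(os.stat(path), uid, gids, (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH))

def check_oauth2_tls(conf_text, uid, gids, stop_at="/"):
    # one finding per tls_* file that is missing, unreadable by uid/gids, or lacks the expected PEM block
    conf, problems = parse_oauth2_conf(conf_text), []
    for key, path in ((k, conf[k]) for k in EXPECTED_PEM if k in conf):
        wanted = EXPECTED_PEM[key]
        if not os.path.exists(path):
            problems.append(f"{key}: {path} does not exist")
        elif not readable_by(path, uid, gids, stop_at):
            problems.append(f"{key}: {path} not readable by uid {uid} with groups {sorted(gids)}")
        elif not any(lb.endswith(wanted) for lb in PEM_BEGIN.findall(open(path, errors="replace").read())):
            problems.append(f"{key}: {path} has no PEM '{wanted}' block")
    return problems

def demo():
    # constructed scenario: CA and cert world-readable, but the cert file holds a key, and the key is 0640
    d = tempfile.mkdtemp(); os.chmod(d, 0o755)
    pem = "-----BEGIN {0}-----\nMIIB...constructed, not a real key or cert...\n-----END {0}-----\n".format
    for name, label, mode in (("ca.crt", "CERTIFICATE", 0o644), ("cert.pem", "RSA PRIVATE KEY", 0o644),
                              ("key.pem", "RSA PRIVATE KEY", 0o640)):
        with open(os.path.join(d, name), "w") as f:
            f.write(pem(label))
        os.chmod(os.path.join(d, name), mode)
    conf = f"tls_ca_cert_file = {d}/ca.crt\ntls_cert_file = {d}/cert.pem\ntls_key_file = {d}/key.pem\n"
    st = os.stat(f"{d}/key.pem"); auth_uid, ssl_cert_gid = st.st_uid + 1, st.st_gid  # files are ours; auth user is not
    before = check_oauth2_tls(conf, auth_uid, {ssl_cert_gid + 1}, stop_at=d)
    after = check_oauth2_tls(conf, auth_uid, {ssl_cert_gid + 1, ssl_cert_gid}, stop_at=d)  # extra_groups = ssl_cert
    return before, after
```

The second group set models Aki's `extra_groups = ssl_cert` plus chgrp fix, which clears the key finding but not the wrong-block-type one; a clean result does not rule out the driver bug the thread ends up tracking as DOP-1590.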
Thank you Stephan,

I'm wondering if I can read the track of the status of bug reports? Could you please advise?

Thanks.
Mizuki

On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan at rename-it.nl> wrote:
>
> On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
> > Hi!
> >
> > It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this.
>
> Tracking as DOP-1590.
>
> Regards,
>
> Stephan.
On 10-12-2019 at 16:44, mizuki wrote:
> Thank you Stephan,
>
> I'm wondering if I can read the track of the status of bug reports? Could you please advise?

No, this is for our own internal reference.

> Thanks.
> Mizuki
>
> On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <stephan at rename-it.nl> wrote:
>
>     On 06/12/2019 20:54, Aki Tuomi via dovecot wrote:
>     > Hi!
>     >
>     > It seems there is a bug in the oauth2 driver, it loads the cert files wrong way. I'll make an internal bug report of this.
>
>     Tracking as DOP-1590.
>
>     Regards,
>
>     Stephan.