> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>
>
> > On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote:
> >
> >
> > Hello,
> >
> > I'm trying to configure roundcube / dovecot to work with keycloak.
> > I activated xoauth2 oauthbearer in dovecot.
> > But a problem occurs when dovecot tries to contact the keycloak server
> > (logs are below).
> >
> > My problem looks like this one:
> > https://dovecot.org/pipermail/dovecot/2019-December/117768.html
> > The response to this problem was about a bug in the oauth driver
> > (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
> >
> > Mizuki was using Dovecot v2.2.36 (1f10bfa63)
> > I have Dovecot v2.3.4.1 (f79e8e7e4)
> >
> > I'm wondering if this bug is still present in my version or if I have
> > another problem.
> >
> > Both my servers (dovecot and keycloak) are using Let's Encrypt certificates.
> > I tried to configure Keycloak with nginx proxy and without it (access
> > via port 8443) (in case the problem came from the ssl config on the
> > keycloak server), but still the same error.
> >
> > If the bug is fixed, then could someone tell me what I have to put in
> > the option tls_ca_cert_file?
> >
> > I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I
> > got from the Let's Encrypt website (https://letsencrypt.org/certificates/ /
> > tried ISRG Root X1 (self-signed) & Let's Encrypt Authority X3 (IdenTrust
> > cross-signed) & Let's Encrypt Authority X3 (Signed by ISRG Root X1))
> > But I always have the same error.
> >
> > Thanks,
> > Kenny
> >
>
> Hi!
>
> Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
>
> Aki

Also can you verify with 'openssl s_client' that you are sending the full certificate path in your Let's Encrypt certificate? tls_ca_cert_file should point to whatever your certificate's *root* certificate is.

Aki
On 5/07/20 18:46, Aki Tuomi wrote:
>> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>
>>
>>> On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote:
>>>
>>>
>>> Hello,
>>>
>>> I'm trying to configure roundcube / dovecot to work with keycloak.
>>> I activated xoauth2 oauthbearer in dovecot.
>>> But a problem occurs when dovecot tries to contact the keycloak server
>>> (logs are below).
>>>
>>> My problem looks like this one:
>>> https://dovecot.org/pipermail/dovecot/2019-December/117768.html
>>> The response to this problem was about a bug in the oauth driver
>>> (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
>>>
>>> Mizuki was using Dovecot v2.2.36 (1f10bfa63)
>>> I have Dovecot v2.3.4.1 (f79e8e7e4)
>>>
>>> I'm wondering if this bug is still present in my version or if I have
>>> another problem.
>>>
>>> Both my servers (dovecot and keycloak) are using Let's Encrypt certificates.
>>> I tried to configure Keycloak with nginx proxy and without it (access
>>> via port 8443) (in case the problem came from the ssl config on the
>>> keycloak server), but still the same error.
>>>
>>> If the bug is fixed, then could someone tell me what I have to put in
>>> the option tls_ca_cert_file?
>>>
>>> I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I
>>> got from the Let's Encrypt website (https://letsencrypt.org/certificates/ /
>>> tried ISRG Root X1 (self-signed) & Let's Encrypt Authority X3 (IdenTrust
>>> cross-signed) & Let's Encrypt Authority X3 (Signed by ISRG Root X1))
>>> But I always have the same error.
>>>
>>> Thanks,
>>> Kenny
>>>
>> Hi!
>>
>> Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
>>
>> Aki
> Also can you verify with 'openssl s_client' that you are sending the full certificate path in your Let's Encrypt certificate? tls_ca_cert_file should point to whatever your certificate's *root* certificate is.
>
> Aki

Hello Aki,

First, big thanks for your time and help. Much appreciated.

I tried v2.3.10.1 (from debian testing) but same error.

Now about the root certificate, I'm not sure what to try other than the
3 I tried.

When looking on the web for the Let's Encrypt root certificate, all seems to
point to the one I tried:
https://letsencrypt.org/certificates/

Isn't the ISRG Root X1 certificate the root certificate for Let's Encrypt?

Here you can find the answer to the openssl command "openssl s_client
-connect my.keycloak.host:443 -showcerts":
-------
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = my.keycloak.host
verify return:1
---
Certificate chain
 0 s:CN = my.keycloak.host
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
...... (more lines)
i8cgf5H57alS0qMUZqirusmCFeksfg=
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...... (more lines)
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = my.keycloak.host

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3176 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: EB85C94956267BF141......
    Session-ID-ctx:
    Master-Key: 84AA20A5DD8FB18ABF1.......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
    .... (9 more lines like this)
    00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.

    Start Time: 1594040666
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
-------

Thanks,
Kenny
On 6/07/20 15:23, la.jolie at paquerette wrote:
> On 5/07/20 18:46, Aki Tuomi wrote:
>>> On 05/07/2020 19:43 Aki Tuomi <aki.tuomi at open-xchange.com> wrote:
>>>
>>>
>>>> On 04/07/2020 21:12 la.jolie at paquerette <la.jolie at paquerette.org> wrote:
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I'm trying to configure roundcube / dovecot to work with keycloak.
>>>> I activated xoauth2 oauthbearer in dovecot.
>>>> But a problem occurs when dovecot tries to contact the keycloak server
>>>> (logs are below).
>>>>
>>>> My problem looks like this one:
>>>> https://dovecot.org/pipermail/dovecot/2019-December/117768.html
>>>> The response to this problem was about a bug in the oauth driver
>>>> (https://dovecot.org/pipermail/dovecot/2019-December/117787.html).
>>>>
>>>> Mizuki was using Dovecot v2.2.36 (1f10bfa63)
>>>> I have Dovecot v2.3.4.1 (f79e8e7e4)
>>>>
>>>> I'm wondering if this bug is still present in my version or if I have
>>>> another problem.
>>>>
>>>> Both my servers (dovecot and keycloak) are using Let's Encrypt certificates.
>>>> I tried to configure Keycloak with nginx proxy and without it (access
>>>> via port 8443) (in case the problem came from the ssl config on the
>>>> keycloak server), but still the same error.
>>>>
>>>> If the bug is fixed, then could someone tell me what I have to put in
>>>> the option tls_ca_cert_file?
>>>>
>>>> I tried with /etc/letsencrypt/live/my.host/chain.pem and also certs I
>>>> got from the Let's Encrypt website (https://letsencrypt.org/certificates/ /
>>>> tried ISRG Root X1 (self-signed) & Let's Encrypt Authority X3 (IdenTrust
>>>> cross-signed) & Let's Encrypt Authority X3 (Signed by ISRG Root X1))
>>>> But I always have the same error.
>>>>
>>>> Thanks,
>>>> Kenny
>>>>
>>> Hi!
>>>
>>> Can you try with 2.3.10.1? You can find packages at https://repo.dovecot.org
>>>
>>> Aki
>> Also can you verify with 'openssl s_client' that you are sending the full certificate path in your Let's Encrypt certificate?
>> tls_ca_cert_file should point to whatever your certificate's *root* certificate is.
>>
>> Aki
> Hello Aki,
>
> First, big thanks for your time and help. Much appreciated.
>
> I tried v2.3.10.1 (from debian testing) but same error.
>
> Now about the root certificate, I'm not sure what to try other than the
> 3 I tried.
>
> When looking on the web for the Let's Encrypt root certificate, all seems to
> point to the one I tried:
> https://letsencrypt.org/certificates/
>
> Isn't the ISRG Root X1 certificate the root certificate for Let's Encrypt?
>
> Here you can find the answer to the openssl command "openssl s_client
> -connect my.keycloak.host:443 -showcerts":
> -------
> CONNECTED(00000003)
> depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify return:1
> depth=0 CN = my.keycloak.host
> verify return:1
> ---
> Certificate chain
>  0 s:CN = my.keycloak.host
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> -----BEGIN CERTIFICATE-----
> MIIFUjCCBDqgAwIBAgISAx2F9yjviDB2PVmEPxMp0YaWMA0GCSqGSIb3DQEBCwUA
> ...... (more lines)
> i8cgf5H57alS0qMUZqirusmCFeksfg=
> -----END CERTIFICATE-----
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> -----BEGIN CERTIFICATE-----
> MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
> ...... (more lines)
> KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=CN = my.keycloak.host
>
> issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 3176 bytes and written 390 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-CHACHA20-POLY1305
>     Session-ID: EB85C94956267BF141......
>     Session-ID-ctx:
>     Master-Key: 84AA20A5DD8FB18ABF1.......
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 86400 (seconds)
>     TLS session ticket:
>     0000 - 7b e4 1a e2 e3 f7 b3 94-15 5f 0e 7a 47 9b 8c fb   {........_.zG...
>     .... (9 more lines like this)
>     00a0 - ee 75 9a f6 1b 74 8c ad-c0 4f f7 e0 fd 15 54 04   .u...t...O....T.
>
>     Start Time: 1594040666
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: yes
> -------
>
> Thanks,
> Kenny
>

I finally found that root certificate. But frankly, what a nightmare to find it.

If someone else is in the same predicament, here is where you can find it:
- Go here: https://letsencrypt.org/certificates/
- Click on the link Download "TrustID X3 Root" on identrust.com (https://www.identrust.com/support/downloads)
- Go all the way down to the section TrustID X3 and click on the last link Base64 Root Certificate.
- Copy the cert into a file.

I went back to v2.3.4.1 (Debian Buster version) and I can confirm it works too. So no problem with Dovecot.

Thanks again for your help Aki.

Kenny
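The rule Aki states and Kenny eventually confirms, as an added example that is not code from the thread, from Dovecot or from Let's Encrypt: the file behind tls_ca_cert_file must hold the self-signed root that issued the last certificate the server actually sends. In Kenny's s_client output that last certificate is "Let's Encrypt Authority X3" issued by "DST Root CA X3", so the anchor had to be DST Root CA X3 (the IdenTrust "TrustID X3 Root" download); neither chain.pem, which only carries the intermediate, nor ISRG Root X1, a different root in the same CA's hierarchy, can complete that path. The script below builds a throwaway root, an unrelated second root, an intermediate and a leaf with openssl, prints which root the served bundle points at, and runs openssl verify with each candidate as the only trust anchor. Every name, host and file name in it is made up for the demo; fetch_served shows the equivalent s_client command for a live host and is not run.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot. Demonstrates which file
# works as the trust anchor for a served chain (the role of tls_ca_cert_file).
# "Example Root CA", "Other Root CA", keycloak.example.test and the file names
# are assumptions made up for this demo.
set -eu

WORK=$(mktemp -d)

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# build_chain: root.pem (self-signed) -> int.pem -> leaf.pem, plus other.pem,
# an unrelated self-signed root that plays the part of "a root of the same CA
# that is not above the served chain". served.pem is what a server configured
# with fullchain.pem sends: leaf first, intermediate next, root omitted.
build_chain() (
  cd "$WORK"
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Example Trust/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Other Trust/CN=Other Root CA" -keyout other.key -out other.pem >/dev/null 2>&1
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Trust/CN=Example Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile int.ext -out int.pem >/dev/null 2>&1
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=keycloak.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:keycloak.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
  cat leaf.pem int.pem > served.pem
)

# fetch_served HOST:PORT: the same bundle from a real server (not run here).
fetch_served() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# last_issuer BUNDLE: issuer of the last certificate the server sends. That
# issuer's self-signed certificate is what tls_ca_cert_file has to contain.
last_issuer() {
  rm -f "$WORK"/piece*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (dir "/piece" n ".pem") }' "$1"
  last=$(ls "$WORK"/piece*.pem | sort | tail -n 1)
  openssl x509 -noout -issuer -in "$last" | sed 's/^issuer= *//'
}

# verify_against ANCHOR: does the leaf verify with ANCHOR as the only trusted
# certificate? The intermediate is passed as untrusted, as the server sends it.
verify_against() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

demo() {
  build_chain
  echo "tls_ca_cert_file needs the root whose subject is: $(last_issuer "$WORK/served.pem")"
  for anchor in int.pem other.pem root.pem; do
    if verify_against "$WORK/$anchor"; then r=ok; else r=FAIL; fi
    echo "$anchor as trust anchor: $r"   # int.pem FAIL, other.pem FAIL, root.pem ok
  done
}

demo
```

int.pem failing is the chain.pem case from the thread (an intermediate alone is not a trust anchor unless you opt into partial chains, which Dovecot does not), other.pem failing is the ISRG Root X1 case (a genuine root, just not the one the served path ends at), and root.pem is the DST Root CA X3 download that finally worked. Against a live host, pipe fetch_served my.keycloak.host:443 into last_issuer to get the subject to look for.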