Laura Smith
2022-Jan-24 20:25 UTC
Received invalid SSL certificate: unable to get certificate CRL
I'm having a frustrating problem trying to use "doveadm sync" to pull mails off a server for migration purposes.

# 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.17.1 (a1a0b892)
# OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2

I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on OpenSSL default per the docs)

I always get the same:

Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)
Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?) - disconnecting

openssl s_client -starttls imap -servername $name -connect $name:143 is happy though:

---
Certificate chain
 0 s:CN = <REDACTED>
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4954 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Zakaria
2022-Jan-24 21:29 UTC
Received invalid SSL certificate: unable to get certificate CRL
An HTML attachment was scrubbed... URL: <https://dovecot.org/pipermail/dovecot/attachments/20220124/9f5c33b1/attachment.htm>
Markus Winkler
2022-Jan-25 08:16 UTC
Received invalid SSL certificate: unable to get certificate CRL
Hi Laura,

On Mon, 24 Jan 2022 at 08:25:12PM +0000, Laura Smith wrote:
> I'm having a frustrating problem trying to use "doveadm sync" to pull
> mails off a server for migration purposes.
>
> # 2.3.17.1 (476cd46418): /etc/dovecot/dovecot.conf
> # Pigeonhole version 0.5.17.1 (a1a0b892)
> # OS: Linux 5.10.0-11-amd64 x86_64 Debian 11.2
>
> I have tried both explicit "ssl_client_ca_dir = /etc/ssl/certs" and commenting it out (i.e. relying on OpenSSL default per the docs)
>
> I always get the same:
> Info: Received invalid SSL certificate: unable to get issuer certificate: /C=US/O=Internet Security Research Group/CN=ISRG Root X1 (check ssl_client_ca_* settings?)

just an idea, but maybe that's the problem?:

https://doc.dovecot.org/configuration_manual/authentication/proxies/

"Note ssl_client_ca_dir or ssl_client_ca_file aren't currently used for verifying the remote certificate, although ideally they will be in a future Dovecot version. For now you need to add the trusted remote certificates to ssl_ca."

Regards,
Markus
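An added example, not part of any message in this thread: a small Python parser for the "Certificate chain" section of the openssl s_client output quoted in the first message. It checks that each certificate's issuer matches the next subject and reports whether the last certificate the server sent is self-signed; the function names are illustrative, and matching is by name string only, with no signature or expiry checking.

```python
import re

# Chain listing copied from the s_client output in the first message.
SAMPLE = """\
Certificate chain
 0 s:CN = <REDACTED>
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s*i:(.*)$")            # "   i:<issuer DN>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from an s_client chain listing."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain

def analyse(chain):
    """Check name chaining and describe the last certificate the server sent."""
    if not chain:
        raise ValueError("no certificates found in listing")
    # A link is broken when a certificate's issuer is not the next subject.
    broken = [d for (d, _, iss), (_, subj, _) in zip(chain, chain[1:]) if iss != subj]
    _, subject, issuer = chain[-1]
    return {
        "links_ok": not broken,
        "broken_at": broken,
        "top_subject": subject,
        "top_is_self_signed": subject == issuer,
        # Issuer named by the last sent certificate but not sent by the server.
        "issuer_not_sent": None if subject == issuer else issuer,
    }

if __name__ == "__main__":
    for key, value in analyse(parse_chain(SAMPLE)).items():
        print(f"{key}: {value}")
```
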