Laura Smith
2022-Jan-25 10:48 UTC
Received invalid SSL certificate: unable to get certificate CRL
> just an idea, but maybe that's the problem?:
> > https://doc.dovecot.org/configuration_manual/authentication/proxies/
> > "Note
> > ssl_client_ca_dir or ssl_client_ca_file aren't currently used for verifying the
> > remote certificate, although ideally they will be in a future Dovecot version. For
> > now you need to add the trusted remote certificates to ssl_ca."
>

Hi Markus

Thanks for your suggestion, I have a couple of questions about it though.

First, my understanding from the docs was that ssl_client_ca_* were override parameters and that in the absence of the parameters, Dovecot would default to using OpenSSL defaults? (And building on that, as per my manual tests, you can see OpenSSL returns an "OK" on the validation).

Second, I'm dealing with standard Let's Encrypt certs here, no private PKI certs here.

Laura
Markus Winkler
2022-Jan-25 20:19 UTC
Received invalid SSL certificate: unable to get certificate CRL
Hi Laura,

On 25.01.22 11:48, Laura Smith wrote:
> Thanks for your suggestion, I have a couple of questions about it though.
> First, my understanding from the docs was that ssl_client_ca_* were override parameters and that in the absence of the parameters, Dovecot would default to using OpenSSL defaults? (And building on that, as per my manual tests, you can see OpenSSL returns an "OK" on the validation).

To be honest: I don't have a setup like yours to test it. I just remembered a mail from Aki in which he mentioned this part of the documentation and so I thought that ssl_ca = </etc/ssl/certs/ca-certificates.crt is worth a try.

> Second, I'm dealing with standard Let's Encrypt certs here, no private PKI certs here.

Yes, I know. And it seems that all is fine with them.

Regards,
Markus