Arjen de Korte
2022-Aug-08 09:45 UTC
how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
Quoting jean-christophe manciot <actionmystique at gmail.com>:

> Hi everyone,
>
> I'm trying to set up dovecot to accept only client certificates created
> with a private CA:
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem

This is wrong; you should enter your private CA here. If
'ssl_verify_client_cert' is not set to 'yes', this field should
generally be empty / not configured.

> At the same time, dovecot is set up with an SSL certificate created by
> a public CA (Let's Encrypt):
> ssl = required
> ssl_cert = </etc/ssl/fullchain.pem
> ssl_key = </etc/ssl/key.pem
>
> When I try to connect to the server with a client (evolution), I get a
> connection error:
> "Client did not present valid SSL certificate" except that it is valid.
>
> As you probably already know, Let's Encrypt does not create client
> certificates.
> It seems that using a different CA for client certificates and for the
> server certificate is unsupported.
>
> Am I missing something?
jean-christophe manciot
2022-Aug-08 16:42 UTC
how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
@build+dovecot at de-korte.org

ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
<ssl_ca> actually contains the private CA certificate bundled with the private CA CRL.

ssl_cert = </etc/ssl/fullchain.pem
<ssl_cert> contains the public server certificate bundled with the Let's Encrypt CA X3 cross-signed certificate.
Maybe the latter should rather contain the root and intermediate certificates.

On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte <build+dovecot at de-korte.org> wrote:
>
> Quoting jean-christophe manciot <actionmystique at gmail.com>:
>
> > Hi everyone,
> >
> > I'm trying to set up dovecot to accept only client certificates created
> > with a private CA:
> > auth_ssl_require_client_cert = yes
> > ssl_verify_client_cert = yes
> > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
>
> This is wrong; you should enter your private CA here. If
> 'ssl_verify_client_cert' is not set to 'yes', this field should
> generally be empty / not configured.
>
> > At the same time, dovecot is set up with an SSL certificate created by
> > a public CA (Let's Encrypt):
> > ssl = required
> > ssl_cert = </etc/ssl/fullchain.pem
> > ssl_key = </etc/ssl/key.pem
> >
> > When I try to connect to the server with a client (evolution), I get a
> > connection error:
> > "Client did not present valid SSL certificate" except that it is valid.
> >
> > As you probably already know, Let's Encrypt does not create client
> > certificates.
> > It seems that using a different CA for client certificates and for the
> > server certificate is unsupported.
> >
> > Am I missing something?
>
>

-- 
Jean-Christophe
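To see which CA bundle a client certificate actually verifies against, here is an added shell example (not code from the thread or from Dovecot): it builds a throwaway private client CA plus a stand-in for the public server CA, assembles a CA-certificate-plus-CRL bundle in the layout the ssl_ca file above has, and runs openssl verify with CRL checking against each bundle. All file names and CNs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway PKI and check which CA
# bundle a client certificate really verifies against, with CRL checking, i.e.
# the role of the file named in Dovecot's ssl_ca. Names here are assumptions.
set -eu
WORK="$(mktemp -d)"

# Self-signed CA ($1 = name, $2 = CN): one private CA for clients and one
# stand-in for the public server CA (Let's Encrypt in the thread).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client certificate named $2, issued by CA $1.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# CA certificate plus its (empty) CRL in one PEM file, the layout the
# thread's CA_Certificate_CRL_bundle.pem has.
make_bundle() {
  printf '[ca]\ndefault_ca = x\n[x]\ndatabase = %s\ncertificate = %s\n' \
    "$WORK/$1.idx" "$WORK/$1.crt" > "$WORK/$1.cnf"
  printf 'private_key = %s\ndefault_md = sha256\ndefault_crl_days = 1\n' \
    "$WORK/$1.key" >> "$WORK/$1.cnf"
  : > "$WORK/$1.idx"
  openssl ca -config "$WORK/$1.cnf" -gencrl -out "$WORK/$1.crl" 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.crl" > "$WORK/$1_bundle.pem"
}

# Exit status 0 only if $2 chains to a CA in bundle $1 and no CRL in it revokes
# $2: the check to run on "Client did not present valid SSL certificate".
check_client_cert() {
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca private "Private Client CA"
make_ca public "Stand-in Public Server CA"
issue_client private mailclient
make_bundle private
make_bundle public
check_client_cert "$WORK/private_bundle.pem" "$WORK/mailclient.crt" \
  && echo "private CA bundle: client cert OK"
check_client_cert "$WORK/public_bundle.pem" "$WORK/mailclient.crt" \
  || echo "public CA bundle: client cert rejected (as expected)"
```

On a real server, call check_client_cert with the file from ssl_ca as the first argument and the certificate the mail client presents as the second; a failure there is what Dovecot reports as an invalid client certificate.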