jean-christophe manciot
2022-Aug-08 16:42 UTC
how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
@build+dovecot at de-korte.org

ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
<ssl_ca> actually contains the private CA certificate bundled with the private CA CRL.

ssl_cert = </etc/ssl/fullchain.pem
<ssl_cert> contains the public server certificate bundled with the Let's Encrypt CA X3 cross-signed certificate.

Maybe the latter should rather contain the root and intermediate certificates.

On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte <build+dovecot at de-korte.org> wrote:
>
> Quoting jean-christophe manciot <actionmystique at gmail.com>:
>
> > Hi everyone,
> >
> > I'm trying to set up dovecot to accept only client certificates created
> > with a private CA:
> > auth_ssl_require_client_cert = yes
> > ssl_verify_client_cert = yes
> > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
>
> This is wrong, you should enter your private CA here. If
> 'ssl_verify_client_cert' is not set to 'yes', this field should
> generally be empty / not configured.
>
> > At the same time, dovecot is set up with an SSL certificate created by
> > a public CA (let's encrypt):
> > ssl = required
> > ssl_cert = </etc/ssl/fullchain.pem
> > ssl_key = </etc/ssl/key.pem
> >
> > When I try to connect to the server with a client (evolution), I get a
> > connection error:
> > "Client did not present valid SSL certificate" except that it is valid.
> >
> > As you probably already know, let's encrypt does not create client
> > certificates.
> > It seems that using a different CA for client certificates and for the
> > server certificate is unsupported.
> >
> > Am I missing something?
>

--
Jean-Christophe
jean-christophe manciot
2022-Aug-08 17:05 UTC
how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
I forgot to say that this mail server has been working perfectly for many years (but without client certificates).

On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot <actionmystique at gmail.com> wrote:
>
> @build+dovecot at de-korte.org
>
> ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> <ssl_ca> actually contains the private CA certificate bundled with the
> private CA CRL.
>
> ssl_cert = </etc/ssl/fullchain.pem
> <ssl_cert> contains the public server certificate bundled with the Let's
> Encrypt CA X3 cross-signed certificate.
>
> Maybe the latter should rather contain the root and intermediate certificates.
>
> On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte
> <build+dovecot at de-korte.org> wrote:
> >
> > Quoting jean-christophe manciot <actionmystique at gmail.com>:
> >
> > > Hi everyone,
> > >
> > > I'm trying to set up dovecot to accept only client certificates created
> > > with a private CA:
> > > auth_ssl_require_client_cert = yes
> > > ssl_verify_client_cert = yes
> > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> >
> > This is wrong, you should enter your private CA here. If
> > 'ssl_verify_client_cert' is not set to 'yes', this field should
> > generally be empty / not configured.
> >
> > > At the same time, dovecot is set up with an SSL certificate created by
> > > a public CA (let's encrypt):
> > > ssl = required
> > > ssl_cert = </etc/ssl/fullchain.pem
> > > ssl_key = </etc/ssl/key.pem
> > >
> > > When I try to connect to the server with a client (evolution), I get a
> > > connection error:
> > > "Client did not present valid SSL certificate" except that it is valid.
> > >
> > > As you probably already know, let's encrypt does not create client
> > > certificates.
> > > It seems that using a different CA for client certificates and for the
> > > server certificate is unsupported.
> > >
> > > Am I missing something?
> >
> >
>
>
> --
> Jean-Christophe

--
Jean-Christophe
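The client-certificate check the thread configures with ssl_ca and ssl_verify_client_cert, replayed with openssl alone as an added example (not code from the thread or from Dovecot): it builds a throwaway private CA, issues a client certificate and an empty CRL, assembles the CA-plus-CRL bundle the first message describes, then shows the certificate accepted against that bundle but rejected against the CA certificate without its CRL and against an unrelated CA standing in for the server's public CA. It assumes only that the openssl CLI is installed; every CA, key and certificate is constructed on the fly, and the CA name "Public Server CA", the user "alice" and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: replay with openssl the check Dovecot
# makes against ssl_ca when ssl_verify_client_cert = yes. Assumes the openssl
# CLI is installed; every CA, key and cert here is a constructed throwaway
# fixture written to a temporary directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA named "$2" with proper CA extensions -> $WORK/$1.{key,pem}
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/$1.pem" 2>/dev/null
}

# Client certificate for user "$1", issued by CA "$2"
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Empty CRL issued by CA "$1"; 'openssl ca -gencrl' wants a minimal config + db
make_crl() {
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s/index.txt\ndefault_md=sha256\n' \
    "$WORK" > "$WORK/ca.cnf"
  : > "$WORK/index.txt"
  openssl ca -config "$WORK/ca.cnf" -gencrl -crldays 2 -keyfile "$WORK/$1.key" \
    -cert "$WORK/$1.pem" -out "$WORK/$1.crl" 2>/dev/null
}

# The check: chain client cert "$2" to trust file "$1" and require a CRL for
# every link, as Dovecot does with its default ssl_require_crl = yes. 0 = accepted.
verify_client_cert() { openssl verify -crl_check_all -CAfile "$1" "$2" >/dev/null 2>&1; }
make_ca private "Private Client CA"   # the CA that belongs in ssl_ca
make_ca public "Public Server CA"     # stand-in for the server cert's public CA
make_client_cert alice private
make_crl private
# What the thread's ssl_ca holds: the private CA certificate bundled with its CRL
cat "$WORK/private.pem" "$WORK/private.crl" > "$WORK/CA_Certificate_CRL_bundle.pem"
check_bundle()    { verify_client_cert "$WORK/CA_Certificate_CRL_bundle.pem" "$WORK/alice.pem"; }
check_no_crl()    { ! verify_client_cert "$WORK/private.pem" "$WORK/alice.pem"; }  # CA cert alone
check_public_ca() { ! verify_client_cert "$WORK/public.pem" "$WORK/alice.pem"; }   # other CA
for c in check_bundle check_no_crl check_public_ca; do $c && echo "$c: as expected"; done
```

Against a live server, the same client certificate and key can be presented with `openssl s_client -connect imap.example.org:993 -cert alice.pem -key alice.key` (host is a placeholder) to see whether Dovecot accepts the handshake.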