jean-christophe manciot
2022-Aug-09 08:12 UTC
how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
@Marc at f1-outsourcing.eu
No, the private CA certificate was not present there, as I thought that its presence in the bundle pointed to by <ssl_ca> was enough.
Anyway, placing it in /etc/ssl/certs and restarting dovecot does not change anything for the client, as expected.

On Tue, Aug 9, 2022 at 10:09 AM jean-christophe manciot <actionmystique at gmail.com> wrote:
>
> @Marc at f1-outsourcing.eu
> No, the private CA certificate was not present there, as I thought that its presence in the bundle pointed to by <ssl_ca> was enough.
> Anyway, placing it in /etc/ssl/certs and restarting dovecot does not change anything for the client, as expected.
>
> On Mon, Aug 8, 2022 at 9:28 PM Marc <Marc at f1-outsourcing.eu> wrote:
> >
> > Have you added your root CA to where the rest of the ca certs are stored on your distribution?
> >
> > > I forgot to say that this mail server has been working perfectly for many years (but without client certificates).
> > >
> > > On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot <actionmystique at gmail.com> wrote:
> > > >
> > > > @build+dovecot at de-korte.org
> > > >
> > > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > > > <ssl_ca> actually contains the private CA certificate bundled with the private CA CRL.
> > > >
> > > > ssl_cert = </etc/ssl/fullchain.pem
> > > > <ssl_cert> contains the public server certificate bundled with the Let's Encrypt CA X3 cross-signed certificate.
> > > >
> > > > Maybe the latter should rather contain the root and intermediate certificates.
> > > >
> > > > On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte <build+dovecot at de-korte.org> wrote:
> > > > >
> > > > > Citeren jean-christophe manciot <actionmystique at gmail.com>:
> > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > I'm trying to set up dovecot to accept only client certificates created with a private CA:
> > > > > > auth_ssl_require_client_cert = yes
> > > > > > ssl_verify_client_cert = yes
> > > > > > ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem
> > > > >
> > > > > This is wrong, you should enter your private CA here. If 'ssl_verify_client_cert' is not set to 'yes', this field should generally be empty / not configured.
> > > > >
> > > > > > At the same time, dovecot is set up with an SSL certificate created by a public CA (Let's Encrypt):
> > > > > > ssl = required
> > > > > > ssl_cert = </etc/ssl/fullchain.pem
> > > > > > ssl_key = </etc/ssl/key.pem
> > > > > >
> > > > > > When I try to connect to the server with a client (Evolution), I get a connection error:
> > > > > > "Client did not present valid SSL certificate", except that it is valid.
> > > > > >
> > > > > > As you probably already know, Let's Encrypt does not create client certificates.
> > > > > > It seems that using a different CA for client certificates and for the server certificate is unsupported.
> > > > > >
> > > > > > Am I missing something?
>
> --
> Jean-Christophe

--
Jean-Christophe
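The trust split discussed in this thread (client certificates from a private CA, server certificate from a public CA, with the private CA certificate and its CRL concatenated into the file that ssl_ca points to) can be checked outside Dovecot with the openssl CLI before touching the mail server. The script below is an added example and is not part of the thread or of Dovecot; it builds a throwaway private CA, issues a client certificate from it, creates an unrelated self-signed CA to stand in for the public CA, and then verifies which certificates a "CA cert + CRL" bundle accepts, before and after the client certificate is revoked. Every name in it (demo.cnf, bundle_before.pem, bundle_after.pem, CN=alice, the CA names) is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Dovecot code). Requires the openssl CLI.
# Mirrors the thread's layout: ssl_ca -> private CA cert + CRL bundle (used only
# to check client certificates); ssl_cert/ssl_key -> public-CA server certificate,
# which plays no part in client verification.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
touch index.txt        # openssl ca database, starts empty
echo 01 > crlnumber    # CRL serial counter

# Minimal openssl config used for both `req -x509` (self-signed CA) and `ca` (CRL, revoke).
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca]
default_ca = private_ca
[private_ca]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF

# Self-signed CA: $1 = key file, $2 = cert file, $3 = CN (constructed names).
make_ca() {
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Client certificate (CN=alice) issued by the private CA.
issue_client() {
  openssl req -config demo.cnf -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=alice" >/dev/null 2>&1
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 30 -out client.crt >/dev/null 2>&1
}

# Bundle = private CA certificate followed by its current CRL, the shape of
# the file the thread's ssl_ca setting points to. $1 = output file.
make_bundle() {
  openssl ca -config demo.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > "$1"
}

# Chain + CRL check of one certificate against a bundle. Exit 0 = accepted.
# $1 = bundle file, $2 = certificate to check.
verify_cert() {
  openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca ca.key ca.crt "Demo Private CA"
make_ca public.key public.crt "Stand-in Public CA"   # unrelated trust root
issue_client
make_bundle bundle_before.pem

# Revoke the client certificate, reissue the CRL and rebuild the bundle:
# same CA certificate, different CRL, so the same client is now rejected.
openssl ca -config demo.cnf -revoke client.crt >/dev/null 2>&1
make_bundle bundle_after.pem

for c in client.crt public.crt; do
  for b in bundle_before.pem bundle_after.pem; do
    if verify_cert "$b" "$c"; then echo "$c vs $b: accepted"; else echo "$c vs $b: rejected"; fi
  done
done
```

Only client.crt against bundle_before.pem is accepted: the certificate from the unrelated CA is rejected by both bundles because its issuer is not in the bundle at all, and the revoked client certificate is rejected once the CRL in the bundle lists it. This is the same separation the thread relies on: the file behind ssl_ca decides which client certificates are trusted, independently of who signed the server certificate in ssl_cert. If `openssl verify -crl_check` accepts a client certificate against the bundle but Dovecot still reports "Client did not present valid SSL certificate", the bundle itself is not the problem, and attention can move to what the client actually sends during the handshake.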