Displaying 20 results from an estimated 125 matches for "ssl_client_ca_fil".
2015 Sep 21
3
Dovecot proxy ignores trusted root certificate store
Dovecot v2.2.18
OS: FreeBSD 10.1/amd64
Dovecot in proxy mode ignores the root certificate store and can't verify
the backend's SSL certificate.
I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context. It seems to be
ignored in proxy context.
doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
In my password_query I return host set to the backend's IP add...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
The result is the same with or without "<" before the file path. With "<"
the inode atime is updated at Dovecot startup, so the file is at least
opened, but Dovecot still can't verify the cert.
The only place in the Wiki that shows an example of ssl_client_ca_file is
on this page, and there's no "<" in front of the file path:
http://wiki2.dovecot.org/Replication
(quote)
The client must be able to verify that the SSL certificate is valid, so
you need to specify the directory containing valid SSL CA roots:
ssl_client_ca_dir = /etc/ssl/ce...
2015 Sep 21
2
Dovecot proxy ignores trusted root certificate store
...> http://wiki2.dovecot.org/Replication
>>
>> (quote)
>> The client must be able to verify that the SSL certificate is valid, so
>> you need to specify the directory containing valid SSL CA roots:
>>
>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>> (end quote)
>>
>
> Suggesting that on Redhat you should specify "the directory containing
> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
> Sounds like setting a file instead. So that bit of documentatio...
2015 Sep 21
4
Dovecot proxy ignores trusted root certificate store
...t = </path/to/my/file.pem
ssl_key = </path/to/my/file.pem
ssl_require_crl = no
I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a
temporary workaround, even though this is not what ssl_ca is for. It
happens to work, at least for now, but this is not a fix.
ssl_client_ca_file should be used instead, but it has no effect in proxy
mode:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
This doesn't work either (and the Dovecot Wiki shows it used without "<"):
ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt
And "ssl_req...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
...> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid,
> so you need to specify the directory containing valid SSL CA roots:...
2017 Feb 03
4
Dovecot dsync 'ssl_client_ca'
Hi,
I have made a change:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert = </etc/ssl/certs/key.crt
ssl_client_ca_file = </etc/ssl/certs/GandiCA2.pem
# Create a listener for doveadm-server
service doveadm {
user = vmail
inet_listener {
port = 12345
ssl = yes
}
}
and doveadm_port = 12345 // mail_replica = tcps:server2.domain.ltd # use doveadm_port
And now:
Feb 03 14:11:16 doveadm(user1 at d...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
Hi
> I've pointed ssl_client_ca_file to my root certificate store, but I
> suspect ssl_client_ca_file is only used in imapc context. It seems to
> be ignored in proxy context.
>
> doveconf -n ssl_client_ca_file:
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
You are missing the "<" before...
2017 Feb 06
2
Dovecot dsync 'ssl_client_ca'
...On Friday, 3 February 2017 at 17:09:52, you wrote:
> Please keep responses in list. rm -f
> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
> On 2017-02-03 17:00, Thierry wrote:
>> Hi,
>>
>> I have removed the '<' :
>>
>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>
>> But now:
>>
>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>> doveadm: Error: Corrupted SSL parame...
2015 Oct 11
2
dovecot as proxy and verification of the backends certificate
...The backends use X.509 certificates.
The proxy's passdb returns
extra fields:
user=foo
proxy
host=backend1.<domain>
ssl=yes
nopassword=y
Thus the proxy connects to the backend but can't verify the backends
certificate.
The following comment suggests using ssl_client_ca_file for that.
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend). The
# directory is usually /etc/ssl/certs in Debian-based systems and the file is
# /etc/pki/tls/cert.pem in RedHat-based syste...
2017 Mar 20
2
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
* Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>
> On 20.03.2017 14:30, Ralf Hildebrandt wrote:
> > ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
>
> Leave the < out. It is misleading, I know, but it does say file. =)
Makes no difference:
# doveconf |fgrep ssl_client_ca
ssl_client_ca_dir =
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
and with auto8 I still get:
Mar 20 15:38:...
2017 Mar 20
4
Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
...to 2:2.2.28-1~auto+8) I'm now getting an error:
Mar 20 13:25:58 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)
I checked, and alas, I had
ssl_client_ca_dir =
ssl_client_ca_file =
So I set:
ssl_client_ca_file = </etc/ssl/certs/ca-certificates.crt
But I'm still getting the error above.
In addition, dovecot is crashing with SIGSEGV:
Mar 20 13:28:23 mproxy dovecot: auth: Error: imapc(email.charite.de:993): Couldn't initialize SSL context: Can't verify remo...
2017 Jan 04
3
Dovecot dsync tcps sends incomplete certificate chain
...57
ssl = yes
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service replicator {
process_min_avail = 1
unix_listener replicator-doveadm {
mode = 0666
}
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem
ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem
userdb {
driver = passwd
}
userdb {
args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
driver = static
}
Is it a known problem, or has it been resolved in a subsequent v...
2019 Mar 28
2
configuring Dovecot with wforced and auth_policy_server_url with https results in assertion failed
> Set
>
> ssl_client_ca_file=/path/to/cacert.pem to validate the certificate
Can this be the Let's Encrypt cert that we already have? In other words we have:
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
Can those be used?
> Are you using haproxy or something in fro...
2017 Feb 03
0
Dovecot dsync 'ssl_client_ca'
Please keep responses in list. rm -f
/var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
On 2017-02-03 17:00, Thierry wrote:
> Hi,
>
> I have removed the '<' :
>
> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>
> But now:
>
> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
> doveadm: Error: Corrupted SSL parameters file in state_dir:...
2017 Jan 05
0
Dovecot dsync tcps sends incomplete certificate chain
...>> ssl = yes
>> }
>> }
>> service replicator {
>> process_min_avail = 1
>> unix_listener replicator-doveadm {
>> mode = 0666
>> }
>> }
>> ssl = required
>> ssl_cert = </etc/letsencrypt/live/mail.dividebyzero.it/fullchain.pem
>> ssl_client_ca_file = /etc/letsencrypt/live/mail.dividebyzero.it/chain.pem
>> ssl_key = </etc/letsencrypt/live/mail.dividebyzero.it/privkey.pem
>> userdb {
>> driver = passwd
>> }
>> userdb {
>> args = uid=vmail gid=vmail home=/var/local/vmail/%d/%n
>> driver = static
>...
2017 Feb 06
0
Dovecot dsync 'ssl_client_ca'
...2, you wrote:
>
>> Please keep responses in list. rm -f
>> /var/lib/dovecot/ssl-parameters.dat, i think it was in that dir.
>
>> On 2017-02-03 17:00, Thierry wrote:
>>> Hi,
>>>
>>> I have removed the '<' :
>>>
>>> ssl_client_ca_file = /etc/ssl/certs/GandiCA2.pem
>>>
>>> But now:
>>>
>>> doveadm: Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>>> doveadm: Error: Couldn't initialize SSL parameters, disabling SSL
>>> doveadm: Err...
2017 Feb 03
3
Dovecot dsync 'ssl_client_ca'
Hello,
Still working on my dsync problem.
I have done a clone (vmware) of my email server.
Today I have two strictly identical email servers, server1
(main) and server2 (bck) (except IP, hostname and mail_replica).
The SSL config on both my servers:
ssl_protocols = !SSLv2 !SSLv3
ssl = required
verbose_ssl = no
ssl_key = </etc/ssl/private/private.key
ssl_cert =
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
...> The result is the same with or without "<" before the file path. With
> "<" the inode atime is updated at Dovecot startup, so the file is at
> least opened, but Dovecot still can't verify the cert.
>
> The only place in the Wiki that shows an example of ssl_client_ca_file
> is on this page, and there's no "<" in front of the file path:
>
> http://wiki2.dovecot.org/Replication
>
> (quote)
> The client must be able to verify that the SSL certificate is valid, so
> you need to specify the directory containing valid SSL CA roots:...
2015 Sep 21
0
Dovecot proxy ignores trusted root certificate store
.../Replication
>>>
>>> (quote)
>>> The client must be able to verify that the SSL certificate is valid, so
>>> you need to specify the directory containing valid SSL CA roots:
>>>
>>> ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
>>> ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
>>> (end quote)
>>>
>>
>> Suggesting that on Redhat you should specify "the directory containing
>> valid SSL CA roots" by setting ssl_client_ca_file sounds kinda crazy.
>> Sounds like setting a file instead. So...
2015 Sep 22
0
Dovecot proxy ignores trusted root certificate store
...key = </path/to/my/file.pem
> ssl_require_crl = no
>
> I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a
> temporary workaround, even though this is not what ssl_ca is for. It
> happens to work, at least for now, but this is not a fix.
>
> ssl_client_ca_file should be used instead, but it has no effect in
> proxy mode:
>
> ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt
>
> This doesn't work either (and the Dovecot Wiki shows it used without
> "<"):
>
> ssl_client_ca_file = </usr/local/share/ce...