dovecot imap ssl certificate issues
i have been trying to configure my dovecot imap server (version 1.0.10 - upgrading is not an option at this stage) with a new ssl certificate on ubuntu like so:
$ grep ^ssl /etc/dovecot/dovecot.conf
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/mydomain.com.crt.20120904
ssl_key_file = /etc/ssl/private/mydomain.com.key.20120904
$ /etc/init.t/dovecot stop
$ sudo dovecot -p
$ [i enter the ssl password here]
it doesn't show any errors and when i run ps aux | grep dovecot
i get
root 21368 0.0 0.0 12452 688 ? Ss 15:19 0:00 dovecot -p
root 21369 0.0 0.0 71772 2940 ? S 15:19 0:00 dovecot-auth
dovecot 21370 0.0 0.0 14140 1904 ? S 15:19 0:00 pop3-login
dovecot 21371 0.0 0.0 14140 1900 ? S 15:19 0:00 pop3-login
dovecot 21372 0.0 0.0 14140 1904 ? S 15:19 0:00 pop3-login
dovecot 21381 0.0 0.0 14280 2140 ? S 15:19 0:00 imap-login
dovecot 21497 0.0 0.0 14280 2116 ? S 15:29 0:00 imap-login
dovecot 21791 0.0 0.0 14148 1908 ? S 15:48 0:00 imap-login
dovecot 21835 0.0 0.0 14148 1908 ? S 15:53 0:00 imap-login
dovecot 21931 0.0 0.0 14148 1904 ? S 16:00 0:00 imap-login
me 21953 0.0 0.0 5168 944 pts/0 S+ 16:02 0:00 grep --color=auto dovecot
which looks like it is all running fine. so then i test to see if i can telnet to the dovecot server, and this works fine:
$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.
but when i test whether dovecot has configured the ssl certificates properly, it appears to fail:
$ sudo openssl s_client -connect localhost:143 -starttls imap
CONNECTED(00000003)
depth=0 /description=xxxxxxxxxxxxxxxxx/C=AU/ST=xxxxxxxx/L=xxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=xxxxxxxxxxx/C=AU/ST=xxxxxx/L=xxxx/O=xxxx/CN=*.mydomain.com/[email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=xxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxx/O=xxxxx/CN=*.mydomain.com/[email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/description=xxxxxxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxxxxxx/O=xxxxxxx/CN=*.mydomain.com/[email protected]
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
.
.
.
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx==
-----END CERTIFICATE-----
subject=/description=xxxxxxxxxx/C=AU/ST=xxxxxxxxx/L=xxxxxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2831 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: xxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: xxxxxxxxxxxxxxxxxx
Key-Arg : None
Start Time: 1351661960
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
. OK Capability completed.
at least, i'm assuming this is a failure???
The problem is with openssl, not dovecot.
There is a bug in openssl which stops it looking for the default CApath, so you need to tell it where to find the list of root CA certs by adding -CApath
to your command line. For example:
sudo openssl s_client -connect localhost:143 -starttls imap -CApath /dev/null
If you have not populated your certs folder yet and you are computer literate, then follow this tutorial to download certdata.txt from Mozilla and generate the necessary PEM files and symlinks. The scripts may need modifying if you do not have access to /bin and you will need to create a symlink ln -s ca-bundle.crt cert.pem.
(Specifying /dev/null forces openssl to use the default path of cert.pem in your openssl directory. To find out where your openssl directory is, type openssl version -d
).
Since you are using StartSSL, you may need to concatenate your certificate and their intermediate certificate for dovecot, in your case StartCom Class 2 Primary Intermediate Server CA. Their free certificate uses StartCom Class 1 Primary Intermediate Server CA