dovecot imap ssl certificate issues

ssl ubuntu dovecot imap

i have been trying to configure my dovecot imap server (version 1.0.10 - upgrading is not an option at this stage) with a new ssl certificate on ubuntu like so:

$ grep ^ssl /etc/dovecot/dovecot.conf
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/mydomain.com.crt.20120904
ssl_key_file = /etc/ssl/private/mydomain.com.key.20120904
$ /etc/init.t/dovecot stop
$ sudo dovecot -p
$ [i enter the ssl password here]

it doesn't show any errors and when i run ps aux | grep dovecot i get

root     21368  0.0  0.0  12452   688 ?        Ss   15:19   0:00 dovecot -p
root     21369  0.0  0.0  71772  2940 ?        S    15:19   0:00 dovecot-auth
dovecot  21370  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
dovecot  21371  0.0  0.0  14140  1900 ?        S    15:19   0:00 pop3-login
dovecot  21372  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
dovecot  21381  0.0  0.0  14280  2140 ?        S    15:19   0:00 imap-login
dovecot  21497  0.0  0.0  14280  2116 ?        S    15:29   0:00 imap-login
dovecot  21791  0.0  0.0  14148  1908 ?        S    15:48   0:00 imap-login
dovecot  21835  0.0  0.0  14148  1908 ?        S    15:53   0:00 imap-login
dovecot  21931  0.0  0.0  14148  1904 ?        S    16:00   0:00 imap-login
me       21953  0.0  0.0   5168   944 pts/0    S+   16:02   0:00 grep --color=auto dovecot

which looks like it is all running fine. so then i test to see if i can telnet to the dovecot server, and this works fine:

$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.

but when i test whether dovecot has configured the ssl certificates properly, it appears to fail:

$ sudo openssl s_client -connect localhost:143 -starttls imap
CONNECTED(00000003)
depth=0 /description=xxxxxxxxxxxxxxxxx/C=AU/ST=xxxxxxxx/L=xxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=xxxxxxxxxxx/C=AU/ST=xxxxxx/L=xxxx/O=xxxx/CN=*.mydomain.com/[email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=xxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxx/O=xxxxx/CN=*.mydomain.com/[email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=xxxxxxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxxxxxx/O=xxxxxxx/CN=*.mydomain.com/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
.
.
.
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx==
-----END CERTIFICATE-----
subject=/description=xxxxxxxxxx/C=AU/ST=xxxxxxxxx/L=xxxxxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2831 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1351661960
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
. OK Capability completed.

at least, i'm assuming this is a failure???


The problem is with openssl, not dovecot.

There is a bug in openssl which stops it looking for the default CApath, so you need to tell it where to find the list of root CA certs by adding -CApath to your command line. For example:

sudo openssl s_client -connect localhost:143 -starttls imap -CApath /dev/null

If you have not populated your certs folder yet and you are computer literate, then follow this tutorial to download certdata.txt from Mozilla and generate the necessary PEM files and symlinks. The scripts may need modifying if you do not have access to /bin and you will need to create a symlink ln -s ca-bundle.crt cert.pem.

(Specifying /dev/null forces openssl to use the default path of cert.pem in your openssl directory. To find out where your openssl directory is, type openssl version -d).

Since you are using StartSSL, you may need to concatenate your certificate and their intermediate certificate for dovecot, in your case StartCom Class 2 Primary Intermediate Server CA. Their free certificate uses StartCom Class 1 Primary Intermediate Server CA

Related

Git log to get commits only for a specific branch
Programmatically control Oculus Quest camera passthrough mode
Python - Assign user to a sub OU
How to expire session due to inactivity in Django?
How to clone ES6 generator?
Cannot contact reCAPTCHA. Check your connection and try again
python conditional operator must end with else in comprehensions? [duplicate]
Error while trying to access public stories from Medium API on client side
making the <area> in a <map> tag visible during development
Ignore null fields when DEserializing JSON with Gson or Jackson
Published var in Class not available in array as a method
Python Subprocess: Unable to Escape Quotes