Dovecot IMAP SSL certificate issues

I have been trying to configure my Dovecot IMAP server (version 1.0.10; upgrading is not an option at this stage) with a new SSL certificate on Ubuntu like so:

$ grep ^ssl /etc/dovecot/dovecot.conf
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/mydomain.com.crt.20120904
ssl_key_file = /etc/ssl/private/mydomain.com.key.20120904
$ /etc/init.d/dovecot stop
$ sudo dovecot -p
$ [I enter the SSL password here]

It doesn't show any errors, and when I run ps aux | grep dovecot I get:

root     21368  0.0  0.0  12452   688 ?        Ss   15:19   0:00 dovecot -p
root     21369  0.0  0.0  71772  2940 ?        S    15:19   0:00 dovecot-auth
dovecot  21370  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
dovecot  21371  0.0  0.0  14140  1900 ?        S    15:19   0:00 pop3-login
dovecot  21372  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
dovecot  21381  0.0  0.0  14280  2140 ?        S    15:19   0:00 imap-login
dovecot  21497  0.0  0.0  14280  2116 ?        S    15:29   0:00 imap-login
dovecot  21791  0.0  0.0  14148  1908 ?        S    15:48   0:00 imap-login
dovecot  21835  0.0  0.0  14148  1908 ?        S    15:53   0:00 imap-login
dovecot  21931  0.0  0.0  14148  1904 ?        S    16:00   0:00 imap-login
me       21953  0.0  0.0   5168   944 pts/0    S+   16:02   0:00 grep --color=auto dovecot

which looks like it is all running fine. So then I test whether I can telnet to the Dovecot server, and this works fine:

$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.

But when I test whether Dovecot has configured the SSL certificates properly, it appears to fail:

$ sudo openssl s_client -connect localhost:143 -starttls imap
CONNECTED(00000003)
depth=0 /description=xxxxxxxxxxxxxxxxx/C=AU/ST=xxxxxxxx/L=xxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=xxxxxxxxxxx/C=AU/ST=xxxxxx/L=xxxx/O=xxxx/CN=*.mydomain.com/[email protected]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=xxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxx/O=xxxxx/CN=*.mydomain.com/[email protected]
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=xxxxxxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxxxxxx/O=xxxxxxx/CN=*.mydomain.com/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxx
.
.
.
xxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx==
-----END CERTIFICATE-----
subject=/description=xxxxxxxxxx/C=AU/ST=xxxxxxxxx/L=xxxxxxx/O=xxxxxx/CN=*.mydomain.com/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2831 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: xxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxx
    Key-Arg   : None
    Start Time: 1351661960
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
. OK Capability completed.

At least, I'm assuming this is a failure?


The problem is with OpenSSL, not Dovecot.

There is a bug in OpenSSL which stops it looking for the default CApath, so you need to tell it where to find the list of root CA certs by adding -CApath to your command line. For example:

sudo openssl s_client -connect localhost:143 -starttls imap -CApath /dev/null

If you have not populated your certs folder yet and you are computer literate, then follow this tutorial to download certdata.txt from Mozilla and generate the necessary PEM files and symlinks. The scripts may need modifying if you do not have access to /bin, and you will need to create a symlink: ln -s ca-bundle.crt cert.pem.

(Specifying /dev/null forces OpenSSL to use the default path of cert.pem in your OpenSSL directory. To find out where your OpenSSL directory is, type openssl version -d.)

Since you are using StartSSL, you may need to concatenate your certificate and their intermediate certificate for Dovecot, in your case StartCom Class 2 Primary Intermediate Server CA. Their free certificate uses StartCom Class 1 Primary Intermediate Server CA.
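An added example, not code from the question or the answer above, showing offline what the s_client output is complaining about and how to check the concatenated file before pointing ssl_cert_file at it. It builds a throwaway root -> intermediate -> server chain with the openssl CLI (the CA names, *.example.test, and every file name are constructed for the demo; StartCom's real root and Class 2 intermediate play those roles on the asker's server). It assumes openssl 1.1.1 or 3.x with its default openssl.cnf available.

```shell
#!/bin/sh
# Added example for this thread, not code from the original question or answer.
# Builds a throwaway root CA -> intermediate CA -> server cert chain with the
# openssl CLI (all names and files are constructed for the demo), then shows
# offline what the s_client output above was complaining about:
#   1. the server cert on its own does not verify against the root store
#      ("unable to get local issuer certificate");
#   2. server cert + intermediate concatenated, server cert FIRST, does verify:
#      that is the file dovecot's ssl_cert_file should point at;
#   3. "openssl verify" alone does not catch the certs being in the wrong
#      order, so the first CN and the key/cert match are checked separately.
# Assumes: openssl 1.1.1 or 3.x on PATH with its default openssl.cnf available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Run openssl quietly; only its exit status and the files it writes matter here.
ossl() { openssl "$@" >/dev/null 2>&1; }

# Construct the demo PKI in $WORK (stand-in for StartCom root -> Class 2 intermediate -> *.mydomain.com).
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

  # Root CA, self-signed.
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
       -keyout "$WORK/root.key" -out "$WORK/root.csr"
  ossl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
       -extfile "$WORK/ca.ext" -out "$WORK/root.pem"

  # Intermediate CA, signed by the root.
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
       -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
  ossl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
       -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem"

  # Server certificate, signed by the intermediate (the cert dovecot presents).
  ossl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
       -keyout "$WORK/mail.key" -out "$WORK/mail.csr"
  ossl x509 -req -in "$WORK/mail.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
       -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/mail.pem"

  # Correct ssl_cert_file content: server cert first, then the intermediate(s).
  cat "$WORK/mail.pem" "$WORK/inter.pem" > "$WORK/mail-chain.pem"
  # The classic mistake, kept for contrast: intermediate first.
  cat "$WORK/inter.pem" "$WORK/mail.pem" > "$WORK/wrong-order.pem"
}

# Verify the first cert in $1 against the demo root, with any further certs in
# $1 offered as untrusted intermediates (what a TLS client does with the chain
# a server sends). Echoes ok/fail so it composes with set -e.
verify_against_root() {
  if ossl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$1"; then echo ok; else echo fail; fi
}

# CN of the FIRST certificate in $1: dovecot serves that one as its own cert.
first_cert_cn() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Does private key $1 belong to the first certificate in $2? Compares the PEM
# public keys, the quick check for a key/cert mix-up after a renewal.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || k=
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || c=
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo ok; else echo fail; fi
}

make_chain
for f in mail.pem mail-chain.pem wrong-order.pem; do
  printf '%-16s verify=%-4s first_cn=%-22s key_match=%s\n' "$f" \
    "$(verify_against_root "$WORK/$f")" "$(first_cert_cn "$WORK/$f")" \
    "$(key_matches_cert "$WORK/mail.key" "$WORK/$f")"
done
```

Against the real server, swap the demo root for the system store (on Ubuntu that is -CApath /etc/ssl/certs, assuming the ca-certificates package is installed) and rerun openssl s_client -connect localhost:143 -starttls imap -CApath /etc/ssl/certs. Once Dovecot is handed the concatenated file, the "Certificate chain" section should list the server cert at 0 and the intermediate at 1, and "Verify return code" should be 0 (ok). Note that wrong-order.pem passes openssl verify because the intermediate itself chains to the root; only the first-CN and key-match checks expose that mistake, which is also why the s:/i: lines in the s_client output are worth reading rather than just the final return code.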