#1
29th July, 2012, 10:16 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Issues with dovecot and intermediate certs

Hi all!

I'm bashing my head against an issue with dovecot and using intermediate certificates for SSL.

I've put together a certificate bundle that consists of the intermediates and my cert (in the right order!), and that works just peachy with nginx. The same should be true with dovecot, but it just doesn't work.

I've noted that some people seem to have reversed the order of the certs in the bundle (i.e., from end cert through to intermediates) - no idea why, as this seems wrong, but I've tried it anyway. It didn't make any difference.

Anyone got any ideas of what's not right, and why dovecot seems to have an issue with presenting the intermediate certificates?
#2
29th July, 2012, 10:26 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

A quick reboot, and it doesn't seem to be entirely solved for all clients!

Last edited by Aedan; 29th July, 2012 at 04:14 PM. Reason: Edit: no it didn't!
#3
29th July, 2012, 05:59 PM
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

I'm puzzled that you're having problems. I would expect that the validation of the certificate chain would be handled by openssl and would be the same regardless of the package involved.

What distro are you using, what version of dovecot and openssl, and what is your configuration?

Last edited by Gizmo; 29th July, 2012 at 05:59 PM.
#4
29th July, 2012, 08:39 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

I'm running OpenBSD 5.1, with dovecot 2.0.17. OpenSSL is version 1.0.0f.

SSL configuration for Dovecot is as follows (all three lines of it):
Code:
ssl_cert =</etc/ssl/dovecot-server.crt
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_key =</etc/ssl/private/server.key
#5
29th July, 2012, 09:32 PM
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

Have you looked at the dovecot wiki? Especially this page?
#6
30th July, 2012, 08:59 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Yup, I followed through on "Chained SSL certificates", and still no joy?
#7
30th July, 2012, 03:57 PM
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

Very odd, especially that it seems to affect some clients but not others. Is it possible it's related to the client, or the version of the client? Have you tried troubleshooting using the openssl tools? Specifically:

Code:
openssl s_client -crlf -connect myhost.mynet.tld:993
or something similar (depending on if you are using tls or ssl)?
#8
30th July, 2012, 04:09 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

OK, looks like:
Code:
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
whereas, if I use my SSL-enabled web server, I get:
Code:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
I'm going to attempt to rebuild the cert bundle (again!) just to ensure I'm not doing anything too stupid.
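The `openssl s_client` check suggested in #7 and the two transcripts in #8 can be read mechanically, and the same ordering rule answers the bundle question from #1. The script below is an added example, not code from this thread or from Dovecot or OpenSSL: it parses the `Certificate chain` section that s_client prints, checks that each certificate's issuer is the subject of the next one (exactly the leaf-then-intermediates order a dovecot or nginx bundle file must have, since the server sends the file's certificates in file order), and flags the case where only the end-entity certificate was sent. The two transcripts from #8 are embedded as constructed sample input; the `probe()` helper that runs the real s_client against a host assumes the openssl CLI is in PATH and is not exercised offline.

```python
import re
import subprocess

# Constructed sample input: the two `openssl s_client` transcripts quoted in
# post #8 (mail server sends only the leaf; web server sends the full chain).
MAIL_OUTPUT = """\
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---
"""

WEB_OUTPUT = """\
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

# One chain entry spans two lines: " N s:<subject>" then "   i:<issuer>".
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
ERROR_RE = re.compile(r"^verify error:num=(\d+):", re.MULTILINE)


def parse_chain(output):
    """(subject, issuer) pairs in the order the server sent them."""
    return [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(output)]


def check_links(pairs):
    """Ordering problems in a chain; an empty list means it links up.

    The same rule applies to a PEM bundle for dovecot or nginx, since the
    server sends the file's certificates in file order: leaf first, then
    each intermediate (cert N issued by cert N+1), root optional.
    """
    if not pairs:
        return ["no certificate chain found"]
    problems = []
    for n, (_, issuer) in enumerate(pairs[:-1]):
        nxt = pairs[n + 1][0]
        if issuer != nxt:
            problems.append(f"cert {n} issuer '{issuer}' != cert {n + 1} subject '{nxt}'")
    subject, issuer = pairs[-1]
    if len(pairs) == 1 and subject != issuer:
        problems.append("only the end-entity certificate was sent; intermediates are missing")
    return problems


def diagnose(output):
    """Summarise one s_client transcript."""
    pairs = parse_chain(output)
    return {
        "chain_length": len(pairs),
        "problems": check_links(pairs),
        # Last cert self-signed => the bundle also ships the root (harmless).
        "root_included": bool(pairs) and pairs[-1][0] == pairs[-1][1],
        "verify_errors": sorted({int(n) for n in ERROR_RE.findall(output)}),
    }


def probe(host, port=993):
    """Diagnose a live server; assumes the openssl CLI is in PATH (not run offline)."""
    proc = subprocess.run(["openssl", "s_client", "-crlf", "-connect", f"{host}:{port}"],
                          input="", capture_output=True, text=True)
    return diagnose(proc.stdout)


if __name__ == "__main__":
    for name, text in (("mail", MAIL_OUTPUT), ("web", WEB_OUTPUT)):
        print(name, diagnose(text))
```

On the mail transcript this reports a chain of length 1 with "intermediates are missing" and errors 20, 21 and 27; `num=21` (unable to verify the first certificate) is the signature of a server that sends only its own cert. On the web transcript the chain links cleanly and the only error is `num=19`: s_client run without a `-CAfile` pointing at the AddTrust root does not trust the self-signed certificate the bundle ends in, which is a local trust-store question rather than a chain-ordering problem.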
#9
31st July, 2012, 05:27 AM
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

I'm not using a single certificate bundle like you are, but have you looked at AOA's ssl configuration? It might shed some light for you.

It's possible there's a bug in the handling of bundled certs (though I'd be surprised if there is, given the maturity of the code involved; still, stranger things have happened).
#10
31st July, 2012, 09:48 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Dovecot only supports a single cert bundle unfortunately. Mind you, nginx also only supports a single cert bundle and that works fine. I'm kinda stumped on this one!

Are we using Dovecot for email then?
#11
31st July, 2012, 12:16 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

Right, found the issue. You're gonna love this one (not).

I've been editing /etc/dovecot.conf.
It seems dovecot reads /etc/dovecot/dovecot.conf.

No idea why there's an /etc/dovecot.conf, as I definitely didn't put it there when I set up the mail server.

Never mind, problem solved. Using openssl, I now get:
Code:
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Last edited by Aedan; 31st July, 2012 at 12:18 PM.
#12
31st July, 2012, 01:27 PM
Irreverent Query Chairman
 
Join Date: June 2007
Location: NYC native in northern Thailand
Posts: 2,232

...and /etc/dovecot.conf does not indicate in any way that it is an example, I'm assuming.

I had this problem before with something, I can't remember what package, that placed its sample .conf file in /etc by default. Took me ages to figure out that I was editing the sample, and not the real .conf file.

I feel your pain, LOL

Last edited by ThunderRd; 31st July, 2012 at 01:27 PM.
#13
31st July, 2012, 02:08 PM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

No, it's not a sample, it's the real deal. I've found where it comes from too - the mailserv installer modifies it and then manages to put it in the wrong place. If your server cert is in /etc/ssl/server.crt, then dovecot will pick it up happily and confuse the heck out of you.
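The root cause in #11 and #13 (editing `/etc/dovecot.conf` while the daemon reads `/etc/dovecot/dovecot.conf`, with a default `ssl_cert` that happily picks up `/etc/ssl/server.crt`) is worth checking before rebuilding any bundle. The script below is an added example, not from this thread or from Dovecot: it parses the output of `doveconf -n`, whose first line I assume has the form `# <version>: <config path>` as Dovecot 2.x prints it, and compares the config file and `ssl_cert` actually in effect with the paths the admin believes they are editing. The sample `doveconf -n` output is constructed from the thread's values; `live_audit()` assumes `doveconf` is in PATH and is not run offline.

```python
import re
import subprocess

# Constructed sample of `doveconf -n` output, built from the values in the
# thread (OpenBSD 5.1, dovecot 2.0.17, cert picked up from /etc/ssl/server.crt).
SAMPLE_DOVECONF = """\
# 2.0.17: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.1 amd64
protocols = imap
ssl_cert = </etc/ssl/server.crt
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_key = </etc/ssl/private/server.key
protocol imap {
  imap_client_workarounds = delay-newmail
}
"""

# Assumed first-line format of `doveconf -n`: "# <version>: <config path>".
HEADER_RE = re.compile(r"^#\s*\S+:\s*(\S+)\s*$")


def parse_doveconf(text):
    """Return (config_path, top_level_settings) from `doveconf -n` output.

    Nested sections such as 'protocol imap { ... }' are skipped, so only the
    global values that govern the SSL listener are compared.
    """
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    config_path = m.group(1) if m else None
    settings = {}
    depth = 0
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return config_path, settings


def audit(doveconf_output, edited_config, edited_cert):
    """Findings (empty list = nothing wrong) comparing what Dovecot actually
    runs with the config file and certificate bundle the admin has been editing."""
    config_path, settings = parse_doveconf(doveconf_output)
    findings = []
    if config_path != edited_config:
        findings.append(f"dovecot reads {config_path}, not {edited_config}")
    cert = settings.get("ssl_cert")
    if cert is None:
        findings.append("ssl_cert not set in this config; the compiled-in default applies")
    elif cert != "<" + edited_cert:
        findings.append(f"ssl_cert in effect is {cert}, not <{edited_cert}")
    return findings


def live_audit(edited_config, edited_cert):
    """Same check against the running daemon (assumes doveconf is in PATH)."""
    out = subprocess.run(["doveconf", "-n"], capture_output=True,
                         text=True, check=True).stdout
    return audit(out, edited_config, edited_cert)


if __name__ == "__main__":
    # The situation from #11: editing /etc/dovecot.conf with a bundle at
    # /etc/ssl/dovecot-server.crt while the daemon reads something else.
    for f in audit(SAMPLE_DOVECONF, "/etc/dovecot.conf", "/etc/ssl/dovecot-server.crt"):
        print("WARNING:", f)
```

Run against the constructed sample with the paths from #4 and #11, it reports both mismatches at once: the daemon reads `/etc/dovecot/dovecot.conf`, and the cert it serves is `</etc/ssl/server.crt` rather than the bundle at `/etc/ssl/dovecot-server.crt`, which is why the s_client chain never changed no matter how the bundle was rebuilt.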
#14
31st July, 2012, 04:08 PM
Chief BBS Administrator
 
Join Date: May 2003
Location: Webb City, Mo
Posts: 16,178

Ah, glad you got it going and figured out the problem.

Yes, we are running dovecot now. I switched us from Cyrus a while back because there were some issues compiling for 64-bit and it wasn't being actively supported any more.
#15
31st July, 2012, 10:04 PM
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,605

Well done, A!
Copyright ©2001 - 2010, AOA Forums