Issues with dovecot and intermediate certs

[Aedan]

Hi all!

I'm bashing my head against an issue with dovecot and using intermediate certificates for SSL.

I've put together a certificate bundle that consists of the intermediates and my cert (in the right order!), and that works just peachy with nginx. The same should be true with dovecot, but it just doesn't work.

I've noted that some people seem to have reversed the order of the certs in the bundle (Ie, from end cert through to intermediates) - no idea why as this seems wrong, but I've tried it anyway. It didn't make any difference

Anyone got any ideas of what's not right, and why dovecot seems to have an issue with presenting the intermediate certificates?

[Aedan]

A quick reboot, and it doesn't seem to be entirely solved for all clients!

[Gizmo]

I'm puzzled that you're having problems. I would expect that the validation of the certificate chain would be handled by openssl and would be the same regardless of the package involved.

What distro are you using, what version of dovecot and openssl, and what is your configuration?

[Aedan]

I'm running OpenBSD 5.1, with dovecot 2.0.17. OpenSSL is version 1.0.0f

SSL configuration for Dovecot is as follows (all three lines of it)

Code:

ssl_cert =</etc/ssl/dovecot-server.crt
ssl_cipher_list = HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
ssl_key =</etc/ssl/private/server.key

[Gizmo]

Have you looked at the dovecot wiki? Especially this page?

[Aedan]

Yup, I followed through on "Chained SSL certificates", and still no joy?

[Gizmo]

Very odd, especially that it seems to affect some clients but not others. Is it possible it's related to the client, or the version of the client? Have you tried troubleshooting using the openssl tools? Specifically:

Code:

openssl s_client -crlf -connect myhost.mynet.tld:993

or something similar (depending on if you are using tls or ssl)?

[Aedan]

ok, looks like

Code:

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
---

whereas, if I use my SSL enable web server I get

Code:

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

I'm going to attempt to rebuild the cert bundle (again!) just to ensure I'm not doing anything too stupid.

[Gizmo]

I'm not using a single certificate bundle like you are, but have you looked at AOA's ssl configuration? It might shed some light for you.

It's possible there's a bug in the handling of bundled certs (though I'd be surprised if there is, given the maturity of the code involved; still, stranger thigns have happened).

[Aedan]

Dovecot only supports a single cert bundle unfortunately. Mind you, nginx also only supports a single cert bundle and that works fine. I'm kinda stumped on this one!

Are we using Dovecot for email then?

[Aedan]

Right, found the issue. You're gonna love this one (not).

I've been editing /etc/dovecot.conf.
It seems dovecot reads /etc/dovecot/dovecot.conf

No idea why there's an /etc/dovecot.conf, as I definitely didn't put it there when I set up the mail server.

Never mind, problem solved. using open_ssl, I now get:

Code:

Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

[ThunderRd]

...and /etc/dovecot.conf does not indicate in any way that it is an example, I'm assuming.

I had this problem before with something, I can't remember what package, that placed its sample .conf file in /etc by default. Took me ages to figure out that I was editing the sample, and not the real .conf file.

I feel your pain, LOL

[Aedan]

No, it's not a sample, it's the real deal. I've found where it comes from too - the mailserv installer modifies it and then manages to put it in the wrong place. If your server cert is in /etc/ssl/server.crt, then dovecot will pick it up happily and confuse the heck out of you.

[Gizmo]

Ah, glad you got it going and figured out the problem.

Yes, we are running dovecot now. I switched us from Cyrus a while back because there were some issues compiling for 64-bit and it wasn't being actively supported any more.

[Daniel ~]

Well done A,!