0

I am using dovecot (1) and trying to get my StartSSL certificate running.

ssl_key_file points to my private key

I tried pointing ssl_cert_file to my public key, with and without using the class1 certificate from http://www.startssl.com/certs/sub.class1.server.ca.pem as ssl_ca_file aswell as combing them with cat publickey sub.class1.server.ca.pem > chained

My mail client keeps telling me the certificate has no issuer, but doing openssl x509 on my public certificate tells me it is C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA

My option for the CSR were: openssl req -new -newkey rsa:4096 -nodes

Dovecot's log doesn't mention any problems.

EDIT: Doesn't seem to be a problem with dovecot. I am having the same problem with postfix. openssl verify gives me the same error.

knoim
  • 51
  • 3

2 Answers2

1

What error message does the 'openssl verify' return?

It may be the case the applications don't trust the Cert Issuer and need the list of trusted certs.

Try downloading this file http://www.startssl.com/certs/ca-bundle.pem and running 'openssl verify -CAfile ca-bundle.pem mycert.pem' where mycert.pem is your cert.

For eg : % openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem sub.class1.server.ca.pem: OK

Martin
  • 501
  • 2
  • 5
  • Okay, that works. How can I tell dovecot about this. On the wiki and various guides I read about chaining. And in fact I have been using a CaCert.org earlier and chaining (cat'ing them together) wasn't a problem, but somehow this doesn't seem to work or I simply miss something. I read about the differences between dovecot 1 and 2, but it didn't work whatever way I tried. – knoim May 16 '11 at 10:32
  • 1
    I can't get dovecot to use the CAFile. I am using debian. There are StartCom ca file in /etc/ssl/certs. I also tried to chain them and while they are detected I still receive: "verify error:num=19:self signed certificate in certificate chain" – knoim Jun 28 '11 at 10:31
  • 1
    "cat server.pem chain.pem > file.pem" whould create the recommanded file – Dom Aug 21 '13 at 14:12
0

I have using the following config without any problem

/etc/dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/pki/dovecot/mail.example.net.pem
ssl_key = </etc/pki/dovecot/mail.example.net.key

the /etc/pki/dovecot/mail.example.net.pem consists from 3 parts:

server certificate
startssl Class 1 Intermediate Server CA
StartCom Root CA (PEM encoded)

Note: the order is important

# openssl s_client -connect mail.example.net:995
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = G4V86y34KxXe0qbQ, C = US, CN = mail.example.net, emailAddress = webmaster@example.net
verify return:1
---
Certificate chain
 0 s:/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/emailAddress=webmaster@example.net
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHWzCCBkOgAwIBAgIDDlbeMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwMjA0MTk1MTM5
WhcNMTUwMjA1MTU1NjMxWjBrMRkwFwYDVQQNExBHNFY4NnkzNEt4WGUwcWJRMQsw
CQYDVQQGEwJVQTEaMBgGA1UEAxMRbWFpbC5wc2QyaHRtbC5jb20xJTAjBgkqhkiG
9w0BCQEWFndlYm1hc3RlckBwc2QyaHRtbC5jb20wggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDVkP78cio2lOLYgR4b0AL23UXRfqsfxq5SV3UQc/MCs6dH
+KjoXsGfmb625UHIlwDyXHNcWRk77W6rjoMNuT16IQaYcgeO3bFGtcZkMBGcQ3ur
XVn4lv0N1VcCInxeLS/gp7Af8uKHm8mQzLYgiNUIuoExlQUa9YGOKZO8mT+HV9uT
GGrJly6qhWEG7fmua3+s9muKIk1rVPFNrmpZNZ3r0LFleQyDQHdzF9KIlQSHFlGt
pXVSfmEDVzEhMpE+8fwC2tfl/yfKj4O7UTkx+9Tve3S/6yVdRDIfke2DGTbukj9P
FwCvSFEbfstLOjc6l6R8Akcfc7zuzZDnyBOJt4Z0rXyVhrV02Mcy5/eOvCgzoq3U
e/FSDj0NYwv4bzBFxdVzDtmhYg/PO1vzsr4wn+avUnJJCQ0OfbZobjx8AjrxnwID
RRcKIrXvDnYUFWh9hyoEFbzzgFuj4CMO7YY8FPzbDDhCjcCQp/4xJ7f0zdxRyjuJ
AhJqaKs/Mmi5vZ6D/+Cu1vng/h9W9787A/rT4TynCvrVvfTWNAfnAlk2GuIJbHeU
uMnYqdNGvVdVHfTWescXqWx/ko33m33ceoCcxDMElHoeLPSk7WJvydm9HWXvGmBB
QJRwC3yXaFJLx7+cxd/hd8dMXBJ5My2Uhw+GTw4Mrr4seRO7oNVhNqhJBbqjmPvL
AQABo4IC5DCCAuAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYI
ggE7BgsrBgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3Rh
cnRzc2wuY29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29t
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRl
IHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24g
KwYBBQUHAwEwHQYDVR0OBBYEFAYlHZwthNBwmurY7KHmBkNdS19JMB8GA1UdIwQY
MBaAFOtCNNCYsKuf9BtrCPfMZC7vDixFMCoGA1UdEQQjMCGCEW1haWwucHNkMmh0
bWwuY29tggxwc2QyaHRtbC5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEw
cmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNl
IG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2Yg
dGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaG
JGh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUH
AQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1
Yi9jbGFzczEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0
c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBww
GoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQBa
16IYi1LGaOmogKbTIVIdwrP1kWN8ZfQdTBKgPgJeE8u+uvR4lExzIffN9LairKC2
waqZa7RfLakZkLKoJ6/kcGvXoXfNUUSQ3M3AVcxchYQ/pmh5KzxTkIE9xX5jDjd8
B+B2uV/X8Gc2/q2ortr4DVUBBV8pCmS18bSGGZL4IvvDw0iLop27TfcrhbZEwEL0
5y+T/pvvFbGmVDEXiw9EXQJ1vjosnQEfxsPEU3NGD4I4BOXedvzzKmDV3Dny+vEN
40thwakbj81rZc4ppYYX6mra207vjaattvFE9FCioW4YVgxV+mGGvirt2qMUsE1l
XN0tJonIy/lLUDZupgTx
-----END CERTIFICATE-----
subject=/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/emailAddress=webmaster@example.net
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 251FC9E94633EC3A79E17802493B117BD4F04ABD0C3499DB414A764CA6EAA9AF
    Session-ID-ctx:
    Master-Key: E86A31072A0CB5288CA6C01AE174D8B72AC6F5B377E4245B06604354BB968EA0AFF199F823F5EFD919B7E2F0F6F3D7C0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 66 5c 5d 0d 71 f9 0a c3-fc 3f 26 2f 04 61 02 7e   f\].q....?&/.a.~
    0010 - e1 ec b8 a2 9e cb 4e e1-d9 20 41 0f 30 3e f8 2a   ......N.. A.0>.*
    0020 - a9 9f 36 3e 92 1a 9d 06-8f fc e9 69 ad 98 a3 21   ..6>.......i...!
    0030 - 80 bf 54 e0 36 54 f8 ab-cf 93 97 39 66 99 db d1   ..T.6T.....9f...
    0040 - b9 c1 10 64 bc e5 e0 ef-0a d2 cf be 08 f9 4d a3   ...d..........M.
    0050 - 82 0c 2f 42 c1 c2 26 b8-7d 19 01 30 ce f0 76 de   ../B..&.}..0..v.
    0060 - 1b a1 53 9c b3 d4 61 21-95 94 85 4a 9f c7 3f 5a   ..S...a!...J..?Z
    0070 - 7e c1 2b cf fd 98 08 bf-ac 6c ca e4 95 ba d0 60   ~.+......l.....`
    0080 - 4c cf 95 ec ed d9 01 41-00 0c 2c de 3c da 9d 2e   L......A..,.<...
    0090 - 71 4b b9 5b 31 d1 f6 47-bd 92 71 3d 5f 9a 11 ca   qK.[1..G..q=_...

    Start Time: 1393762729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
quit
+OK Logging out
closed
ALex_hha
  • 7,193
  • 1
  • 25
  • 40