ubuntu - dovecot imap ssl certificate issues

  • mulllhausen

    i have been trying to configure my dovecot imap server (version 1.0.10 - upgrading is not an option at this stage) with a new ssl certificate on ubuntu like so:

    $ grep ^ssl /etc/dovecot/dovecot.conf
    ssl_disable = no
    ssl_cert_file = /etc/ssl/certs/mydomain.com.crt.20120904
    ssl_key_file = /etc/ssl/private/mydomain.com.key.20120904
    $ /etc/init.d/dovecot stop
    $ sudo dovecot -p
    $ [i enter the ssl password here]

    it doesn't show any errors and when i run ps aux | grep dovecot i get

    root     21368  0.0  0.0  12452   688 ?        Ss   15:19   0:00 dovecot -p
    root     21369  0.0  0.0  71772  2940 ?        S    15:19   0:00 dovecot-auth
    dovecot  21370  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
    dovecot  21371  0.0  0.0  14140  1900 ?        S    15:19   0:00 pop3-login
    dovecot  21372  0.0  0.0  14140  1904 ?        S    15:19   0:00 pop3-login
    dovecot  21381  0.0  0.0  14280  2140 ?        S    15:19   0:00 imap-login
    dovecot  21497  0.0  0.0  14280  2116 ?        S    15:29   0:00 imap-login
    dovecot  21791  0.0  0.0  14148  1908 ?        S    15:48   0:00 imap-login
    dovecot  21835  0.0  0.0  14148  1908 ?        S    15:53   0:00 imap-login
    dovecot  21931  0.0  0.0  14148  1904 ?        S    16:00   0:00 imap-login
    me       21953  0.0  0.0   5168   944 pts/0    S+   16:02   0:00 grep --color=auto dovecot

    which looks like it is all running fine. so then i test to see if i can telnet to the dovecot server, and this works fine:

    $ telnet localhost 143
    Connected to localhost.
    Escape character is '^]'.
    * OK Dovecot ready.

    but when i test whether dovecot has configured the ssl certificates properly, it appears to fail:

    $ sudo openssl s_client -connect localhost:143 -starttls imap
    depth=0 /description=xxxxxxxxxxxxxxxxx/C=AU/ST=xxxxxxxx/L=xxxx/O=xxxxxx/CN=*.mydomain.com/emailAddress=[email protected]
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /description=xxxxxxxxxxx/C=AU/ST=xxxxxx/L=xxxx/O=xxxx/CN=*.mydomain.com/emailAddress=[email protected]
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /description=xxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxx/O=xxxxx/CN=*.mydomain.com/emailAddress=[email protected]
    verify error:num=21:unable to verify the first certificate
    verify return:1
    Certificate chain
     0 s:/description=xxxxxxxxxxxx/C=AU/ST=xxxxxxxxxx/L=xxxxxxxx/O=xxxxxxx/CN=*.mydomain.com/emailAddress=[email protected]
       i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
    Server certificate
    -----END CERTIFICATE-----
    subject=/description=xxxxxxxxxx/C=AU/ST=xxxxxxxxx/L=xxxxxxx/O=xxxxxx/CN=*.mydomain.com/emailAddress=[email protected]
    issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
    No client certificate CA names sent
    SSL handshake has read 2831 bytes and written 342 bytes
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Compression: NONE
    Expansion: NONE
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: xxxxxxxxxxxxxxxxxxxx
        Master-Key: xxxxxxxxxxxxxxxxxx
        Key-Arg   : None
        Start Time: 1351661960
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    . OK Capability completed.

    at least, i'm assuming this is a failure???

  • Answers
  • Richard

    The problem is with openssl, not dovecot.

    There is a bug in openssl which stops it looking for the default CApath, so you need to tell it where to find the list of root CA certs by adding -CApath to your command line. For example:

    sudo openssl s_client -connect localhost:143 -starttls imap -CApath /dev/null 

    If you have not populated your certs folder yet and you are computer literate, then follow this tutorial to download certdata.txt from Mozilla and generate the necessary PEM files and symlinks. The scripts may need modifying if you do not have access to /bin and you will need to create a symlink ln -s ca-bundle.crt cert.pem.

    (Specifying /dev/null forces openssl to use the default path of cert.pem in your openssl directory. To find out where your openssl directory is, type openssl version -d).

    Since you are using StartSSL, you may need to concatenate your certificate and their intermediate certificate for dovecot, in your case StartCom Class 2 Primary Intermediate Server CA. Their free certificate uses StartCom Class 1 Primary Intermediate Server CA.
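    The two failure modes in this answer (server not sending its intermediate vs. the client lacking a root store) show up differently in the `s_client` output quoted in the question. The following is an added example, not part of Richard's answer or of Dovecot: it parses the `Certificate chain` block and the `Verify return code` line and says which side the fix belongs on. Both sample transcripts are constructed, modelled on the one above.

```python
import re

# Constructed samples modelled on the s_client output in the question.
# Chain of one: the server sent only its leaf certificate (verify code 21).
LEAF_ONLY = """\
Certificate chain
 0 s:/C=AU/O=xxxxxx/CN=*.mydomain.com
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
Server certificate
    Verify return code: 21 (unable to verify the first certificate)
"""
# Chain of two: leaf plus intermediate, but the client has no root store (code 20).
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/C=AU/O=xxxxxx/CN=*.mydomain.com
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
    Verify return code: 20 (unable to get local issuer certificate)
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(output)]

def diagnose(output):
    """Classify an s_client transcript by which side the verification problem is on."""
    chain = parse_chain(output)
    m = VERIFY_RE.search(output)
    if not m or not chain:
        return "unparseable"
    code = int(m.group(1))
    if code == 0:
        return "ok"
    leaf_subject, leaf_issuer = chain[0]
    if leaf_subject == leaf_issuer:
        return "self-signed"          # only fixable by trusting it explicitly
    if len(chain) == 1 and code in (20, 21):
        # The issuer is an intermediate CA the server never sent: concatenate the
        # intermediate after the leaf in ssl_cert_file (server-side fix).
        return "missing-intermediate"
    if chain[-1][0] != chain[-1][1] and code == 20:
        # The chain reaches an intermediate but the root is not in the client's
        # store: point s_client at a populated -CApath/-CAfile (client-side fix).
        return "untrusted-root"
    return "verify-error-%d" % code
```

    Feed it the output of `openssl s_client -connect host:143 -starttls imap` to see whether re-running with `-CApath` will help or whether the Dovecot certificate file itself needs the intermediate appended.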

  • Seasoned Advice (cooking)

    You may use verbose_ssl = yes in the dovecot configuration to produce additional logging output.

    In my configuration (dovecot 2.0) I use the following statements:

     ssl_cert = </etc/ssl/certs/mydomain.com.crt.20120904
     ssl_key = </etc/ssl/private/mydomain.com.key.20120904

  • Related Question

    Setting up IMAP/SSL on Ubuntu with Dovecot, Thunderbird, and a self-signed certificate
  • Savanni D'Gerinel

    I have a new server that I am setting up. It currently has a very limited audience (just me), but I am trying to set up IMAPSSL and secure SMTP. Since the audience is so limited, I have decided to not purchase a certificate, and instead am creating a self-signed key architecture.

    I used the instructions on https://help.ubuntu.com/community/OpenSSL for doing the setup. Then I installed the key on my server, mail.savannidgerinel.com. I told Thunderbird to include my certificate authority. Then, I try to connect to mail.savannidgerinel.com, imap (port 143), using starttls, and Thunderbird gets angry about the cert. It says...

    You are about to override how Thunderbird identifies this site.  Legitimate banks <blah blah blah>
    Location: mail.savannidgerinel.com:143
    Certificate Status
    This site attempts to identify itself with invalid information.
    *Wrong Site*
    Certificate belongs to a different site, which could indicate an identity theft.

    If I connect Thunderbird to port 993, instead, I get the same message (except the Location field is updated to reflect port 993).

    So... I tell it to view the certificate. Clear as day, exactly as I told it, it says the Common Name (CN) is mail.savannidgerinel.com. I can see no typos, no name mismatches, nothing except that the port number is different.

    If I use 'openssl s_client' to connect, I get a connection just fine, but openssl does complain a little about being unable to verify some certificates (I assume openssl just doesn't know where I've got my CA key squirreled away, but I'm not sure on that, either).

    What could be going wrong here? I've done a lot of searches, and never found this problem listed anywhere! So I am at a total loss on how to even begin diagnosing this.
