I am using dovecot (1) and trying to get my StartSSL certificate running.

ssl_key_file points to my private key

I tried pointing ssl_cert_file to my public key, with and without using the class1 certificate from http://www.startssl.com/certs/sub.class1.server.ca.pem as ssl_ca_file, as well as combining them with cat publickey sub.class1.server.ca.pem > chained

My mail client keeps telling me the certificate has no issuer, but doing openssl x509 on my public certificate tells me it is C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA

My options for the CSR were: openssl req -new -newkey rsa:4096 -nodes

Dovecot's log doesn't mention any problems.

EDIT: Doesn't seem to be a problem with dovecot. I am having the same problem with postfix. openssl verify gives me the same error.

2 Answers

What error message does the 'openssl verify' return?

It may be that the applications don't trust the cert issuer and need the list of trusted certs.

Try downloading this file http://www.startssl.com/certs/ca-bundle.pem and running 'openssl verify -CAfile ca-bundle.pem mycert.pem' where mycert.pem is your cert.

For example:

% openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem
sub.class1.server.ca.pem: OK

  • Okay, that works. How can I tell dovecot about this? On the wiki and various guides I read about chaining. And in fact I have been using a CAcert.org certificate earlier and chaining (cat'ing them together) wasn't a problem, but somehow this doesn't seem to work or I simply miss something. I read about the differences between dovecot 1 and 2, but it didn't work whatever way I tried. Commented May 16, 2011 at 10:32
  • I can't get dovecot to use the CAFile. I am using Debian. There are StartCom CA files in /etc/ssl/certs. I also tried to chain them and while they are detected I still receive: "verify error:num=19:self signed certificate in certificate chain" Commented Jun 28, 2011 at 10:31
  • "cat server.pem chain.pem > file.pem" would create the recommended file Commented Aug 21, 2013 at 14:12

I have been using the following config without any problem:

/etc/dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/pki/dovecot/mail.example.net.pem
ssl_key = </etc/pki/dovecot/mail.example.net.key

The file /etc/pki/dovecot/mail.example.net.pem consists of 3 parts, all PEM encoded:

  • server certificate
  • StartSSL Class 1 Intermediate Server CA
  • StartCom Root CA

Note: the order is important

# openssl s_client -connect mail.example.net:995
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = G4V86y34KxXe0qbQ, C = US, CN = mail.example.net, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 251FC9E94633EC3A79E17802493B117BD4F04ABD0C3499DB414A764CA6EAA9AF
    Session-ID-ctx:
    Master-Key: E86A31072A0CB5288CA6C01AE174D8B72AC6F5B377E4245B06604354BB968EA0AFF199F823F5EFD919B7E2F0F6F3D7C0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [hex dump omitted]

    Start Time: 1393762729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
quit
+OK Logging out
closed
