Thursday 18 February 2010 14:47:03, Leonardo Rodrigues wrote:
> Hi,
>
> I have, in one customer, a web server running on a Verisign-signed SSL
> certificate. Everything works fine; IE and Firefox connect on https
> without asking anything, which usually happens on self-signed
> certificates. I'm trying to use that certificate on dovecot, but clients
> (Thunderbird basically) keep saying the certificate is not valid.
>
> Yes, I'm using, when configuring Thunderbird, the same CN that was
> signed by Verisign for the web usage.
>
> I've enabled verbose_ssl and got this when Thunderbird tries to connect:
>
> Feb 18 12:32:02 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.xxx.xxx, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
> alert unknown ca
>
> Unknown CA ???
>
> Is it Thunderbird that is not recognizing the Verisign-signed
> certificate? Do I need to, somehow, install some Verisign CA
> certificate in dovecot.conf?
>
> When using a self-signed certificate, I also get an SSL_accept
> failed, but with a different message:
>
> Feb 18 12:41:45 correio dovecot: imap-login: Disconnected (no auth
> attempts): rip=201.86.191.114, lip=192.168.1.2, TLS handshaking:
> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate
>
> Despite the fact that my certificates were generated for use with
> Apache, I can 'print' them, both of them, with the same commands I use
> to print dovecot-generated certificates, with mkcert.sh. So, it seems
> they are compatible.
>
> If I click OK in Thunderbird, when using my Verisign-signed
> certificates, everything works and I do get TLS logs:
>
> Feb 18 12:23:36 correio dovecot: imap-login: Login:
> user=<u...@domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Feb 18 12:31:43 correio dovecot: imap-login: Login:
> user=<u...@domain.com.br>, method=PLAIN, rip=201.86.xx.xx,
> lip=192.168.1.2, TLS, TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> What am I doing wrong?? Or is using a signed certificate for WEB
> usage not possible on dovecot?
I'm using the same certificate for dovecot and https. My settings in
dovecot.conf are:

    ssl_cert_file = /etc/ssl/certs/hostname.pem
    ssl_key_file = /etc/ssl/private/hostname.key

This part from the user guide is very important if you received a
"bundle / chain" of CA certificates from Verisign:

    Chained SSL certificates

    Put all the certificates in the ssl_cert_file file. For example,
    when using a certificate signed by TDC the correct order is:

    1. Dovecot's public certificate
    2. TDC SSL Server CA
    3. TDC Internet Root CA
    4. Globalsign Partners CA

Arne

--
--------------------------------
Arne K. Haaje | www.drlinux.no
T: 69 51 15 52 | M: 92 88 44 66
--------------------------------
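As an added example (not from this thread and not Dovecot's own code), the following Python script checks an ssl_cert_file bundle for the ordering Arne quotes: each certificate must be followed by the certificate that issued it, otherwise Thunderbird never receives the intermediate and reports exactly the "unknown ca" alert in Leonardo's log. It is a minimal DER walker that compares raw issuer/subject names; it does not check signatures, expiry or trust, and the bundle path in the usage line is an assumption.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(bundle_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.split()))
            for m in PEM_RE.findall(bundle_text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return the raw DER contents of
    (issuer, subject). Only the structure is parsed; nothing is verified."""
    _, cert, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] version (absent in v1)...
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # ...then serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)          # issuer Name
    _, _, pos = _tlv(tbs, pos)               # validity
    _, subject, _ = _tlv(tbs, pos)           # subject Name
    return issuer, subject


def check_chain_order(bundle_text):
    """Return a list of problems; [] means certificate N is issued by N+1.
    Names are compared byte-for-byte, which is how CAs emit them in practice."""
    names = [issuer_and_subject(d) for d in pem_to_der(bundle_text)]
    if not names:
        return ["no CERTIFICATE blocks found"]
    return [f"certificate {i + 1} is not issued by certificate {i + 2}"
            " (wrong order, or an intermediate is missing)"
            for i in range(len(names) - 1)
            if names[i][0] != names[i + 1][1]]


if __name__ == "__main__":
    # Assumed path; pass the real ssl_cert_file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/hostname.pem"
    with open(path) as f:
        print("\n".join(check_chain_order(f.read())) or "chain order OK")
```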