On 12/3/2010 12:46 AM, Tim Traver wrote:
Timo,

ok, I have more info from your suggestion to use the openssl test client
connect.

I do have about a dozen more configs on different IPs, and they seem to
work. I just didn't include them.

I get the following error when trying to connect to that IP :

[r...@mta2]# openssl s_client -connect 209.132.xx.4:993
CONNECTED(00000003)
28579:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:188:

which basically says it's an SSL handshake error. I did have the
verbose_ssl log directive on, and didn't see anything in the dovecot log
about the handshake failing. The strange thing is that this cert is used
for apache https as well, and there are no issues with the handshake in
apache...

I guess I will go and make sure the chain and CA certs are the proper
ones from godaddy. I hate chain certs...

Good plan. I had a similar problem getting fetchmail to connect to
godaddy-cert'ed servers when the certificate chain verification failed
because the CA root cert was not present on my client.

To find it, I had to export from the Windows default certstore to get
a copy. It did not identify itself very well; the OU was "ValiCert
Class 2 Policy Validation Authority" but it appeared in the certmgr
GUI only as "http://www.valicert.com" (under 3rd party root certs).
I believe the same one is in the Firefox certstore though; you can
probably find it there.


So, I guess I'm not sure if it is dovecot or not yet, although it is
kind of strange that nothing is written in the logs about the handshake
failing.

Tim.


On 12/2/2010 8:47 PM, Timo Sirainen wrote:
On 3.12.2010, at 2.15, Tim Traver wrote:

local 209.132.xx.4 {
ssl_cert =</shared/templates/res/1040/certs/*.xxxxx.com.crt-pem-298
ssl_key =</shared/templates/res/1040/certs/*.xxxxx.com.key-298
}

I have several of these, and there appears to be a problem with one in
particular that is dropping connections, and I'm not sure why.
Your doveconf output has two and here you say several. So are there multiple 
ones that work or only one?

This particular one drops the connection when I try to connect to IMAP
using TLS on port 143, or using the IMAP SSL port of 993. When I try it
using Thunderbird, I am using the default settings for both tests.
Test with openssl s_client -connect localhost:993

The Thunderbird error I get is "The server has disconnected. The server
may have gone down or there may be a network problem." I don't see any
errors in the dovecot error log or the system error log, and when using
doveadm who to view the current connections, it does not show a
connection. I tried enabling the logs for SSL errors, but nothing
appears for my IP when attempting to connect.
Set verbose_ssl=yes to log more stuff about SSL.

But, I don't know how that would make a difference since one of the
separated IPs works with its cert, and the other one disconnects.
Would be easiest if you could test with a simple setup where there is only a 
single SSL cert. Then it would be clear if the problem has to do with SSL cert 
itself or about the per-IP settings.

If it has to do with SSL cert, you could also try if you can connect with 
s_client to openssl s_server running with that cert.
