Have you specified the path to ca-certificates? On Debian it's normally something like that:

#10-ssl.conf
ssl_client_ca_dir = /etc/ssl/certs

See http://wiki.dovecot.org/Replication#SSL

On 10.11.2016 at 16:09, nerbr...@free.fr wrote:
> Hello,
>
> I'm using dovecot 2.2.13 on Debian stable.
> My users are authenticated through PAM, and stored in an LDAP backend.
> I'm trying to set up replication with ssl, following (mainly) this:
> http://wiki2.dovecot.org/Replication
>
> 1) I only diverted from the instructed setup by not setting "doveadm_port = 12345", as it would give me errors of the like:
>> Fatal: /var/run/dovecot/auth-userdb: Configured passdbs don't support crentials lookups (to see if user is proxied, because doveadm_port is set)
> but rather specifying the port in the mail_replica setting: "mail_replica = tcps:my.domain.com:1465"
> (following a mail from here: http://www.dovecot.org/list/dovecot/2016-September/105356.html)
> So far, this seems to be working for me.
>
> 2) However, I'm having ssl problems. I have a let's encrypt certificate, and have concatenated the CA cert and my server cert in a fullchain.pem.
> Excerpt from my ssl config:
>> ssl = yes
>> ssl_cert = </etc/letsencrypt/live/my.domain.com/fullchain.pem
>> ssl_key = </etc/letsencrypt/live/my.domain.comi/privkey.pem
>
> doveadm returns me these errors (sudo -u dovecot doveadm -v sync -u user tcps:my.domain.com:12345):
>> doveadm(casoli): Info: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
>> doveadm(casoli): Error: doveadm server disconnected before handshake: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
>> doveadm(casoli): Fatal: Disconnected from remote: Received invalid SSL certificate: unable to get local issuer certificate: /CN=my.domain.com
>
> Which I can reproduce with openssl (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:12345):
>> (...)
>> Verify return code: 21 (unable to verify the first certificate)
> Indeed, in this case, dovecot only returns the local part of the certificate (my.domain.com), and not the full chain (with the intermediate CA).
>
> While testing regular IMAPS with openssl is ok (openssl s_client -showcerts -CApath /etc/ssl/certs -connect my.domain.com:993):
>> (...)
>> Verify return code: 0 (ok)
> And I can see the full chain.
>
>
> So, it seems to me that doveadm is somehow wrongly serving my certificate, truncating it, but I can't see why, and if this is a misconfiguration on my part.
> I can post more config files or message outputs if needed, I kept them redacted here for the sake of brevity.
>
> Regards,
> N
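A small checker for `openssl s_client -showcerts` transcripts like the two quoted above, added here as an example and not part of the thread or of Dovecot: it reads the presented chain, verifies that each certificate's issuer is the subject of the next one, and distinguishes the leaf-only case (verify code 21) seen on the doveadm port from the complete chain seen on the IMAPS port. The transcripts and CA names are constructed samples.

```python
import re

# Constructed `openssl s_client -showcerts` transcript for the doveadm port:
# only the leaf certificate is presented, so verification fails with code 21.
TRUNCATED_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=my.domain.com
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed transcript for the IMAPS port, where the full chain is served.
FULL_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=my.domain.com
   i:/C=XX/O=Example CA/CN=Example Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
    Verify return code: 0 (ok)
"""

# One "N s:<subject>" line followed by its "i:<issuer>" line per chain entry.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")

def parse_chain(output):
    """Return the (subject, issuer) pairs the server presented, in order."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(output)]

def diagnose(output):
    """Classify a transcript: complete, truncated (leaf only), broken-link or unverified."""
    chain = parse_chain(output)
    match = VERIFY_RE.search(output)
    code = int(match.group(1)) if match else None
    if not chain:
        return "no-certificate"
    # Each certificate's issuer must be the subject of the next one presented.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken-link"
    if code == 21 and len(chain) == 1:
        # Leaf sent alone and its issuer is not a local trust anchor: the doveadm symptom.
        return "truncated"
    return "complete" if code == 0 else "unverified"
```

Feed it the saved output of the two s_client commands from the mail to see which port is missing its intermediate.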