Hi! It seems there is a bug in the oauth2 driver, it loads the cert files the wrong way. I'll make an internal bug report of this.
Aki

> On 06/12/2019 16:42 mizuki <mizuki0...@gmail.com> wrote:
>
> Hi,
>
> For troubleshooting purposes, I changed the read/write permissions on the
> certs and confirmed 'dovecot' can read them w/o problem, but still seeing the
> same errors. :(
>
> Mizuki
>
> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>
> > Is the key/cert pair readable by the dovecot user? The auth process does not run as
> > root.
> >
> > You can add
> >
> > service auth {
> >   extra_groups = ssl_cert
> > }
> >
> > and chgrp the cert to ssl_cert to allow access to the cert.
> >
> > Aki
> >
> > > On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote:
> > >
> > > I changed some of the tls options following the document, now config is
> > > the following:
> > >
> > > tokeninfo_url = https://keycloak.com/auth/realms/mail/protocol/openid-connect/token
> > > introspection_url = https://dovecot:7598e21b-ec34-481f-80d0-059bddae0...@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect
> > > introspection_mode = post
> > > debug = yes
> > > rawlog_dir = /tmp/oauth2
> > > #force_introspection = yes
> > > username_attribute = username
> > > #active_attribute = active
> > > #active_value = true
> > > tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt
> > > tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> > > tls_key_file = /etc/pki/dovecot/private/dovecot.pem
> > >
> > > ---------------
> > >
> > > The debug log is now showing a slightly different msg, e.g.:
> > >
> > > Dec 5 21:09:59 mktst4 dovecot: auth: Error:
> > > oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't
> > > initialize SSL context: Can't load SSL certificate: There is no valid PEM
> > > certificate.
> > >
> > > Still not able to connect to the keycloak server. :(
> > >
> > > PS: Dovecot & Keycloak servers are both using the same legit cert/key pair
> > > with CA file configured.
> > >
> > > Thanks!
> > > Mizuki
> > >
> > > On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi <aki.tu...@open-xchange.com> wrote:
> > >
> > > > Before declaring it not ready for prime time, did you try setting
> > > >
> > > > tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
> > > >
> > > > in the oauth2 configuration file as documented in
> > > > https://doc.dovecot.org/configuration_manual/authentication/oauth2 ?
> > > >
> > > > Aki
> > > >
> > > > > On 05/12/2019 21:58 mizuki via dovecot <dovecot@dovecot.org> wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > We'd like to enable OAuth with Keycloak in Dovecot. After enabling
> > > > > 'OAUTHBEARER XOAUTH2' in Dovecot based on the online document, I can
> > > > > confirm Dovecot is ready for OAuth using the openssl command; however,
> > > > > when the auth request comes in, it fails in establishing an SSL
> > > > > connection with the Keycloak server on port 443, shown as follows in the
> > > > > debug logs. I can confirm that using the commands 'openssl s_client
> > > > > -connect <keycloak_server>:443' or 'curl -v
> > > > > https://<keycloak_server>/' both return normally with no errors. Altering
> > > > > some of the SSL options in dovecot such as 'ssl_ca =
> > > > > </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file =
> > > > > </etc/pki/CA/certs/root_ca.pem' does not help either. The certificates
> > > > > are NOT self-signed but signed by legit authorities. So I'm not sure
> > > > > why dovecot could not establish the connections.
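The "There is no valid PEM certificate" error in the quoted log is what a TLS loader reports when the file named by tls_cert_file either cannot be read or contains no decodable CERTIFICATE block (for example when it only holds a key). As an added diagnostic that is not part of this thread or of Dovecot, the Python script below splits a PEM file into its labelled blocks, checks that each base64 body decodes, reports whether a certificate and a private key are present, and tests readability for the user running it; the sample PEM texts and the function names are constructed for this example.

```python
import base64
import os
import re

# One PEM block: label, base64 body, and a trailer carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed samples (assumption for this example, not real key material): a
# certificate-only file, a key-only file such as the one tls_cert_file in the
# thread may have pointed at, and a file whose base64 body has been corrupted.
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVmgAwIBAgIUAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_ONLY = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq\n-----END PRIVATE KEY-----\n"
SAMPLE_CORRUPT = "-----BEGIN CERTIFICATE-----\nMIIB!!\n-----END CERTIFICATE-----\n"

def pem_blocks(text: str) -> list:
    """Return every PEM block with its label and whether its base64 body
    decodes cleanly; a TLS loader rejects a block whose body does not decode."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der_len = len(base64.b64decode(body, validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            der_len = 0
        blocks.append({"label": label, "der_len": der_len, "valid": der_len > 0})
    return blocks

def inspect_pem(text: str) -> dict:
    """Summarise whether the text holds what tls_cert_file / tls_key_file need."""
    blocks = pem_blocks(text)
    return {
        "labels": [b["label"] for b in blocks],
        "has_certificate": any(b["valid"] and b["label"] == "CERTIFICATE" for b in blocks),
        # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY and ENCRYPTED PRIVATE KEY.
        "has_private_key": any(b["valid"] and b["label"].endswith("PRIVATE KEY") for b in blocks),
        "invalid_blocks": [b["label"] for b in blocks if not b["valid"]],
    }

def check_pem_file(path: str) -> dict:
    """Readability is tested for the current user, so run this as the dovecot
    user (auth does not run as root) to see what the driver sees."""
    if not os.access(path, os.R_OK):
        return {"path": path, "readable": False}
    with open(path, encoding="ascii", errors="replace") as fh:
        result = inspect_pem(fh.read())
    result.update({"path": path, "readable": True})
    return result
```

Running check_pem_file on both configured paths as the dovecot user separates a permissions problem (readable is False) from a content problem (has_certificate is False or invalid_blocks is non-empty).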