> On 22/02/2021 00:43 Stephan Mending <l...@md5collisions.eu> wrote:
>
>
> Hi *,
> I've set up two dovecot instances.
> As soon as I send the syncing part of dovecot to work I see the following
> errors in my maillogs.
>
> $ cat /var/log/mail.log
> doveadm(inbox@sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> doveadm(inbox@sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
>
> A little context: The certificates on the servers are issued by a private CA.
> The public CA certificate has been added to the keystore, though. Shouldn't
> be a problem.
> I can confirm that by connecting using s_client ->
>
> $ openssl s_client -connect <hostname-of-dovecot-A>:12345
> ..
> ...
> ....
>
> Verify return code: 0 (ok)
>
> So far the certificate seems to be ok.
> **BUT**: As soon as I start dovecot (on the very same machine I issued the
> s_client command above) ... I am receiving the error messages:
>
> doveadm(inbox@sec-level.domain): Error: doveadm server disconnected before handshake: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
> doveadm(inbox@sec-level.domain): Error: Disconnected from remote: SSL certificate doesn't match expected host name fqdn.of.system: No match to 1 SubjectAltNames
>
> And yes, the SubjectAlternativeName in the certificate matches the configured
> FQDN in 30-dsync.conf.
>
> My 30-dsync.conf:
>
> $ cat /etc/dovecot/conf.d/30-dsync.conf
>
> service aggregator {
>   fifo_listener replication-notify-fifo {
>     user = dovecot
>     mode = 0666
>   }
>   unix_listener replication-notify {
>     user = dovecot
>     mode = 0666
>   }
> }
>
> # Configuring the replicator service
> service replicator {
>   process_min_avail = 1
>   unix_listener replicator-doveadm {
>     user = dovecot
>     mode = 0666
>   }
> }
>
> service doveadm {
>   user = dovecot
>   inet_listener {
>     port = 12345
>     ssl = yes
>   }
> }
>
> doveadm_port = 12345
> doveadm_password = <password>
> replication_max_conns = 1
>
> plugin {
>   mail_replica = tcps:fqdn.of.system
> }
>
> service config {
>   unix_listener config {
>     user = dovecot
>   }
> }
>
>
> I'd love to hear the answer to this.
>
> Thanks a lot!
>
> Best regards,
> Stephan
The certificate provided does not match. You can use

  openssl s_client -connect host:port -verify_hostname fqdn.of.system

to see if it matches, somewhere in the output should be

  SSL handshake has read 3086 bytes and written 378 bytes
  Verification: OK
  Verified peername: fqdn.of.system

If it does match, try

  openssl x509 -text -noout -in /path/to/cert

to see what the name(s) are.

Aki
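The check behind the "No match to 1 SubjectAltNames" message is the TLS client comparing the name it was told to expect (here the host part of mail_replica = tcps:fqdn.of.system) against the certificate's SubjectAltName dNSName entries. The following Python is an added example, not Dovecot's or OpenSSL's own code: it parses the "X509v3 Subject Alternative Name" value line that `openssl x509 -text -noout` prints and performs a simplified RFC 6125 style match, including the point that trips many private-CA deployments: once a certificate carries any dNSName SAN, the subject CN is no longer consulted, so a CN that matches does not help. Every SAN line and host name below is constructed sample data; the printed message only mimics the shape of the log lines in the thread.

```python
"""Host-name-against-certificate matching as a TLS client performs it.

Added example (not Dovecot's or OpenSSL's code). Simplified RFC 6125 style
check of a server name against SubjectAltName dNSName entries, plus a parser
for the SAN value line printed by `openssl x509 -text`. All names and SAN
lists used here are constructed sample data.
"""
from typing import List, Optional


def parse_san_line(line: str) -> List[str]:
    """Extract the dNSName entries from the value line printed under
    'X509v3 Subject Alternative Name:' by `openssl x509 -text -noout`,
    e.g. 'DNS:a.example, DNS:b.example, IP Address:192.0.2.10'.
    Only DNS: entries take part in host-name matching; IP entries are
    compared against a literal IP address, which a name such as
    fqdn.of.system is not, so they are dropped here."""
    names = []
    for entry in line.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names


def _normalize(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.lower().rstrip(".")


def match_dns_name(pattern: str, hostname: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers hostname.
    Rules applied (simplified from RFC 6125 section 6.4.3):
      * exact, case-insensitive match, or
      * the pattern's leftmost label is exactly '*', it stands for exactly
        one label, and at least two further labels follow it (so '*.com'
        and '*' never match anything)."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # no wildcard, or too broad a one
    if len(p_labels) != len(h_labels):
        return False                      # '*' covers exactly one label
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def check_hostname(san_dns_names: List[str], hostname: str,
                   subject_cn: Optional[str] = None) -> Optional[str]:
    """Return the certificate name that matched hostname, or None.

    Mirrors the default behaviour of OpenSSL's X509_check_host(), which is
    what produces the 'No match to N SubjectAltNames' message in the thread:
    when the certificate carries any dNSName SAN entry, only those entries
    are consulted and the subject CN is ignored; the CN is a fallback only
    for certificates that have no dNSName SAN at all."""
    if san_dns_names:
        for name in san_dns_names:
            if match_dns_name(name, hostname):
                return name
        return None
    if subject_cn is not None and match_dns_name(subject_cn, hostname):
        return subject_cn
    return None


if __name__ == "__main__":
    # Constructed SAN line, as `openssl x509 -text` might print it for a
    # replication peer whose CN was set to the expected name but whose SAN
    # only lists a different internal host name.
    san_line = "DNS:mail-a.internal.example, IP Address:192.0.2.10"
    sans = parse_san_line(san_line)
    expected = "fqdn.of.system"           # host part of mail_replica = tcps:...
    matched = check_hostname(sans, expected, subject_cn=expected)
    if matched is None:
        print(f"SSL certificate doesn't match expected host name {expected}: "
              f"No match to {len(sans)} SubjectAltNames")
    else:
        print(f"Verified peername: {matched}")
```

On a real certificate file, `openssl x509 -noout -in /path/to/cert -checkhost fqdn.of.system` runs OpenSSL's own version of this comparison and prints whether the host name matches, which is a quick way to confirm the name the SAN actually carries before touching the Dovecot configuration.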