I'm getting endless complaints about my dovecot cert, /etc/pki/dovecot/certs/dovecot.pem which I created years ago following the dovecot instructions.
Do I really have to use a separate cert and key for dovecot? Can I not use the "standard" cert in /etc/pki/tls/certs (and key) from CACert.org ?
-----Original Message----- From: Timothy Murphy Sent: Tuesday, March 03, 2015 9:55
I'm getting endless complaints about my dovecot cert,
Exact message please?
/etc/pki/dovecot/certs/dovecot.pem which I created years ago following the dovecot instructions.
Do I really have to use a separate cert and key for dovecot? Can I not use the "standard" cert in /etc/pki/tls/certs (and key) from CACert.org ?
Post the certificate only, not the private key. That is the part between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". If you have a binary file, pipe it to 'openssl x509 -inform DER'
-Jason
-- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is copyright PD Inc, subject to license 20080407P00.
Jason Pyeron wrote:
I'm getting endless complaints about my dovecot cert,
Exact message please?
The certificate does not apply to the given host
The certificate is not signed by any trusted certificate authority
Do I really have to use a separate cert and key for dovecot? Can I not use the "standard" cert in /etc/pki/tls/certs (and key) from CACert.org ?
Post the certificate only, not the private key.
I've looked at the cert and key and they look ok for what they are, a self-signed certificate and key, as created (years ago) following the instructions in the dovecot installation instructions.
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
Timothy Murphy wrote:
Jason Pyeron wrote:
I'm getting endless complaints about my dovecot cert,
Exact message please?
The certificate does not apply to the given host
This one indicates, I believe, that when you created the certs, you didn't use the hostname of the system that you're running now, or maybe that it wants either the FQDN, or the shortname, and it's finding the opposite.
The certificate is not signed by any trusted certificate authority
<snip> This one will always be there, since you're not a root c/a.
mark
On 03/03/2015 08:12 AM, Timothy Murphy wrote:
Jason Pyeron wrote:
I'm getting endless complaints about my dovecot cert,
Exact message please?
The certificate does not apply to the given host
The certificate is not signed by any trusted certificate authority
Do I really have to use a separate cert and key for dovecot? Can I not use the "standard" cert in /etc/pki/tls/certs (and key) from CACert.org ?
Post the certificate only, not the private key.
I've looked at the cert and key and they look ok for what they are, a self-signed certificate and key, as created (years ago) following the instructions in the dovecot installation instructions.
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
There's not really a "standard" SSL certificate. Perhaps you're referring to a "default" certificate used by the webserver?
What I typically do is get a real, but free, SSL certificate from some place like StartSSL (www.startssl.com), and then copy the key and certificate to the location that's specified for use by dovecot. That way, both httpd and dovecot are using the same certificate (although it's stored in 2 different locations).
The other thing to consider with dovecot (if you go with a third-party certificate) is that you may need to append the intermediate certificate to your server-specific certificate to properly establish the chain of trust for clients attempting to verify it.
-Greg
Greg Bailey wrote:
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
There's not really a "standard" SSL certificate. Perhaps you're referring to a "default" certificate used by the webserver?
No. I should have said "standard location". I think both Fedora and CentOS create the folders /etc/pki/tls/{certs,private}, so I assume this means that certs and keys should be stored there.
What I typically do is get a real, but free, SSL certificate from some place like StartSSL (www.startssl.com), and then copy the key and certificate to the location that's specified for use by dovecot.
My question exactly - is there any reason why one should not do that? Or even more simply, give the locations /etc/pki/tls/{certs,private} in /etc/dovecot/conf.d/10-ssl.conf ?
-----Original Message----- From: Timothy Murphy Sent: Tuesday, March 03, 2015 14:19
Greg Bailey wrote:
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
I think at this point, I will say: Works for me.
[root@node001 ~]# openssl x509 </etc/pki/dovecot/certs/dovecot.pem
-----BEGIN CERTIFICATE-----
MIIEwDCCA6igAwIBAgICATYwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE1hcnlsYW5kMREwDwYDVQQKEwhwZGluYy51czEbMBkGA1UEAxMS
UEQtSU5DLXB1YmxpYy1DQS0yMSAwHgYJKoZIhvcNAQkBFhFzZWN1cml0eUBwZGlu
Yy51czAeFw0xNDEwMDMyMTI5MDVaFw0xNTEwMTgyMTI5MDVaMIGzMQswCQYDVQQG
EwJVUzERMA8GA1UECBMITWFyeWxhbmQxDzANBgNVBAoTBlBEIEluYzEYMBYGA1UE
CxMPTWFpbCBQcm9jZXNzaW5nMR0wGwYDVQQDFBQqLmltYXAubWFpbC5wZGluYy51
czElMCMGA1UEAxMcbm9kZTAwMS5tYWlsY2x1c3Rlci5wZGluYy51czEgMB4GCSqG
SIb3DQEJARYRc2VjdXJpdHlAcGRpbmMudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQD1ZPjUv7LAwZiYoUUH30SEJQn+WepEB9myXlanHUhhjH9iixDu
NlgFh2OgTzJDvf8JJ/AX9CTr2bZNfUvlWDRPbnCU4G439+8CKmJtHvM5kkcsLQZm
Irv12rZP5fMwApGAJhNPLtgsPbHVQxWhNYDq/J4gJc/DuctgqoimHVC+VCmQf+V6
uQdh+a40S/+vvPiGd3HNxgzXh2Ya1G8hmCQpCbYgs9QY7yhYrKNL+wAAfP7NhRQL
tf2JIPCK7063JrE4izc4eqVadRGdc1y+PP6eUQGRF1P66gXSt9QsxasZIhFZMXvI
HyKWDoRsPVyUAd3j42eldCxWbBJxJydOxOHDAgMBAAGjggEcMIIBGDAJBgNVHRME
AjAAMB0GA1UdDgQWBBRJ65N/YCR2VWMeAiTKMSqbBAXEPDCBsgYDVR0jBIGqMIGn
gBSVjTqkwyfzfERrJL7Gy2OdnrUZA6GBi6SBiDCBhTEVMBMGA1UEAxMMUEQgSW5j
LiAoQ0EpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxFzAVBgNVBAcT
DkJhbHRpbW9yZSBDaXR5MREwDwYDVQQKEwhwZGluYy51czEgMB4GCSqGSIb3DQEJ
ARYRc2VjdXJpdHlAcGRpbmMudXOCAQMwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
L3BkLWluYy1wdWJsaWMtY2EtMi5jcmwucGRpbmMudXMwDQYJKoZIhvcNAQEFBQAD
ggEBAEWOphbenf8miuAEoWSG6WRJ01DY2Ib8oUo5Dgngt7GualXwZOYUWhQwKRaw
4rZJBGu8kEVnRMa1B0FIWSMy+eq84IE+6KiSK7D44taWF5xx9MOggC5DQK9rORSj
PPEjiJt03oKpGCJnWhMBR4w9eTQIDtojFvfDVv2RrNxRwYS10DlYUvhOlzZEcsfq
XEkDOqIILiESVmYJftrhEBweBN2an+/CGy0DLep+6ovUsUieMieLcKIXeEFxHfuc
f/kTlMX5edTGGYsW9fn7yyzDSuDpKKosj3MW9j2TK8mJGGrnhoJ58Izqw6yp0yrw
2lbOTUPZqMVzdubxI2DuSka1xK4=
-----END CERTIFICATE-----
[root@node001 ~]#
Note the common name against the prompt's hostname.
All of our enterprise users can connect on many different clients.
There's not really a "standard" SSL certificate. Perhaps you're referring to a "default" certificate used by the webserver?
No. I should have said "standard location". I think both Fedora and CentOS create the folders /etc/pki/tls/{certs,private}, so I assume this means that certs and keys should be stored there.
What I typically do is get a real, but free, SSL certificate from some place like StartSSL (www.startssl.com), and then copy the key and certificate to the location that's specified for use by dovecot.
My question exactly - is there any reason why one should not do that? Or even more simply, give the locations /etc/pki/tls/{certs,private} in /etc/dovecot/conf.d/10-ssl.conf ?
Where you get or create your cert from is irrelevant.
The error messages indicate a hostname mismatch among other issues, but I cannot help you if you don't provide the answers or data to help you.
-Jason
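The two checks behind the complaints in this thread ("does not apply to the given host" and "not signed by any trusted certificate authority"), as an added Python example that is not code from the thread, from Dovecot, or from OpenSSL: it decodes the certificate Jason posted above, pulls out the subject commonNames, any subjectAltName dNSNames and the issuer, and matches a hostname the way a mail client does (exact label match, with "*" allowed only as the whole left-most label). The DER walker is a minimal hand-written one for this example; it assumes the ordinary X.509 v3 layout this certificate uses and is not a general ASN.1 parser. Because the posted certificate carries no subjectAltName, the name check falls back to the commonNames, which is what clients of the time did and what the "common name against the prompt's hostname" remark relies on; current clients ignore the CN and require a SAN, so a certificate issued today should carry one.

```python
import base64
import re

# Public certificate Jason posted in the thread, copied from his
# "openssl x509 </etc/pki/dovecot/certs/dovecot.pem" output (no private key).
POSTED_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEwDCCA6igAwIBAgICATYwDQYJKoZIhvcNAQEFBQAwcjELMAkGA1UEBhMCVVMx
ETAPBgNVBAgTCE1hcnlsYW5kMREwDwYDVQQKEwhwZGluYy51czEbMBkGA1UEAxMS
UEQtSU5DLXB1YmxpYy1DQS0yMSAwHgYJKoZIhvcNAQkBFhFzZWN1cml0eUBwZGlu
Yy51czAeFw0xNDEwMDMyMTI5MDVaFw0xNTEwMTgyMTI5MDVaMIGzMQswCQYDVQQG
EwJVUzERMA8GA1UECBMITWFyeWxhbmQxDzANBgNVBAoTBlBEIEluYzEYMBYGA1UE
CxMPTWFpbCBQcm9jZXNzaW5nMR0wGwYDVQQDFBQqLmltYXAubWFpbC5wZGluYy51
czElMCMGA1UEAxMcbm9kZTAwMS5tYWlsY2x1c3Rlci5wZGluYy51czEgMB4GCSqG
SIb3DQEJARYRc2VjdXJpdHlAcGRpbmMudXMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQD1ZPjUv7LAwZiYoUUH30SEJQn+WepEB9myXlanHUhhjH9iixDu
NlgFh2OgTzJDvf8JJ/AX9CTr2bZNfUvlWDRPbnCU4G439+8CKmJtHvM5kkcsLQZm
Irv12rZP5fMwApGAJhNPLtgsPbHVQxWhNYDq/J4gJc/DuctgqoimHVC+VCmQf+V6
uQdh+a40S/+vvPiGd3HNxgzXh2Ya1G8hmCQpCbYgs9QY7yhYrKNL+wAAfP7NhRQL
tf2JIPCK7063JrE4izc4eqVadRGdc1y+PP6eUQGRF1P66gXSt9QsxasZIhFZMXvI
HyKWDoRsPVyUAd3j42eldCxWbBJxJydOxOHDAgMBAAGjggEcMIIBGDAJBgNVHRME
AjAAMB0GA1UdDgQWBBRJ65N/YCR2VWMeAiTKMSqbBAXEPDCBsgYDVR0jBIGqMIGn
gBSVjTqkwyfzfERrJL7Gy2OdnrUZA6GBi6SBiDCBhTEVMBMGA1UEAxMMUEQgSW5j
LiAoQ0EpMQswCQYDVQQGEwJVUzERMA8GA1UECBMITWFyeWxhbmQxFzAVBgNVBAcT
DkJhbHRpbW9yZSBDaXR5MREwDwYDVQQKEwhwZGluYy51czEgMB4GCSqGSIb3DQEJ
ARYRc2VjdXJpdHlAcGRpbmMudXOCAQMwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov
L3BkLWluYy1wdWJsaWMtY2EtMi5jcmwucGRpbmMudXMwDQYJKoZIhvcNAQEFBQAD
ggEBAEWOphbenf8miuAEoWSG6WRJ01DY2Ib8oUo5Dgngt7GualXwZOYUWhQwKRaw
4rZJBGu8kEVnRMa1B0FIWSMy+eq84IE+6KiSK7D44taWF5xx9MOggC5DQK9rORSj
PPEjiJt03oKpGCJnWhMBR4w9eTQIDtojFvfDVv2RrNxRwYS10DlYUvhOlzZEcsfq
XEkDOqIILiESVmYJftrhEBweBN2an+/CGy0DLep+6ovUsUieMieLcKIXeEFxHfuc
f/kTlMX5edTGGYsW9fn7yyzDSuDpKKosj3MW9j2TK8mJGGrnhoJ58Izqw6yp0yrw
2lbOTUPZqMVzdubxI2DuSka1xK4=
-----END CERTIFICATE-----"""

OID_CN = bytes.fromhex("550403")    # 2.5.4.3   commonName
OID_SAN = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))


def name_cns(name_value):
    """All commonName values of an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    cns = []
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            oid, val = der_children(atv)
            if oid[1] == OID_CN:
                cns.append(val[1].decode("latin-1"))  # PrintableString or T61String
    return cns


def cert_names(pem):
    """Return (subject CNs, SAN dNSNames, issuer CNs, self_signed) of a PEM certificate."""
    _, cert, _ = der_tlv(pem_to_der(pem))
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    i = 1 if fields[0][0] == 0xA0 else 0              # skip explicit [0] version
    issuer, subject = fields[i + 2][1], fields[i + 4][1]
    sans = []
    for tag, ext_block in fields[i + 6:]:
        if tag != 0xA3:                               # [3] extensions
            continue
        for _, ext in der_children(der_children(ext_block)[0][1]):
            parts = der_children(ext)                 # OID, [critical], OCTET STRING
            if parts[0][1] == OID_SAN:
                for gtag, gval in der_children(der_children(parts[-1][1])[0][1]):
                    if gtag == 0x82:                  # GeneralName dNSName
                        sans.append(gval.decode("ascii"))
    return name_cns(subject), sans, name_cns(issuer), subject == issuer


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                              # ".imap.mail.pdinc.us"
    head = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
    return bool(head) and "." not in head


def cert_applies_to(pem, hostname):
    """What a client checks: SAN dNSNames when present, otherwise the subject CNs."""
    cns, sans, _, _ = cert_names(pem)
    return any(hostname_matches(c, hostname) for c in (sans or cns))


if __name__ == "__main__":
    cns, sans, issuer, self_signed = cert_names(POSTED_CERT_PEM)
    print("subject CNs:", cns, "SANs:", sans, "issuer:", issuer, "self-signed:", self_signed)
    for host in ("node001.mailcluster.pdinc.us", "imap.mail.pdinc.us", "node001"):
        print(host, "->", cert_applies_to(POSTED_CERT_PEM, host))
```

Running the block shows why Jason's setup works: the client connects to node001.mailcluster.pdinc.us, which is one of the two commonNames. It also shows that the certificate is not self-signed (the issuer is PD-INC-public-CA-2), so a client can only accept it if the issuing CA is trusted or its certificate is supplied in the chain, which is the point Greg makes about appending the intermediate. A bare wildcard never matches its own parent domain, so "imap.mail.pdinc.us" is rejected even though "*.imap.mail.pdinc.us" is present.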
-----Original Message----- From: Timothy Murphy Sent: Tuesday, March 03, 2015 10:13
Jason Pyeron wrote:
I'm getting endless complaints about my dovecot cert,
Exact message please?
The certificate does not apply to the given host
So let's deal with this first.
What is the hostname?
What is the subject of the certificate [hint, I asked for the cert to be posted last time]?
The certificate is not signed by any trusted certificate authority
We will address this after we get more data on the problem.
Do I really have to use a separate cert and key for dovecot? Can I not use the "standard" cert in /etc/pki/tls/certs (and key) from CACert.org ?
Post the certificate only, not the private key.
Like this: openssl x509 < /etc/pki/dovecot/certs/dovecot.pem
I've looked at the cert and key and they look ok for what they are, a self-signed certificate and key, as created (years ago) following the instructions in the dovecot installation instructions.
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
It depends on what you mean by special and whether it was done properly the first time.
Jason Pyeron wrote:
I'm really just asking if I cannot just use what I take to be the standard openssl certificate and key in /etc/pki/tls/. Do I really have to create a special cert for dovecot?
It depends on what you mean by special and whether it was done properly the first time.
The cert and key in /etc/pki/tls seem to work perfectly well. My impression is that this is the standard place for CentOS and Fedora certs. IIRC, installation guides for both suggest this for certs and keys.
Most Fedora applications that require authentication also seem to refer to this folder.
My question is simply: Does one require a separate cert for dovecot?
On 03/04/2015 08:12 AM, Timothy Murphy wrote:
My question is simply: Does one require a separate cert for dovecot?
Dovecot does not care if you use the same cert for other applications.
Your question is missing the point; others are trying to tell you that the real issue is that the cert was not created properly for the hostname that the IMAP clients are connecting to. This has nothing to do with sharing the certificate with other applications.
I use the same cert for dovecot, postfix and apache. They are all individually happy with this single cert, but they all use the same hostname to connect (mail.example.com) and so can have the same common name.
Peter
Peter wrote:
On 03/04/2015 08:12 AM, Timothy Murphy wrote:
My question is simply: Does one require a separate cert for dovecot?
Dovecot does not care if you use the same cert for other applications.
Thank you, that was my question.
Your question is missing the point; others are trying to tell you that the real issue is that the cert was not created properly for the hostname that the IMAP clients are connecting to. This has nothing to do with sharing the certificate with other applications.
I don't really care what is wrong with it, if I can do without it. I'm using the /etc/pki/tls/ cert and key in dovecot now, and they seem to work fine.
Incidentally, I created the /etc/pki/dovecot/ cert and key years ago, and never got this flood of warning messages until recently.
If in fact it is unnecessary to create a special cert and key for dovecot it seems to me remiss not to say this in the dovecot installation doc.