> -----Original Message-----
> From: Timothy Murphy
> Sent: Tuesday, March 03, 2015 14:19
>
> Greg Bailey wrote:
>
> >> I'm really just asking if I cannot just use what I take to be
> >> the standard openssl certificate and key in /etc/pki/tls/
> >> Do I really have to create up a special cert for dovecot?

I think at this point, I will say: Works for me.

[root@node001 ~]# openssl x509 </etc/pki/dovecot/certs/dovecot.pem
[root@node001 ~]#

Note the common name against the prompt's hostname. All of our enterprise users can connect on many different clients.

> > There's not really a "standard" SSL certificate. Perhaps you're
> > referring to a "default" certificate used by the webserver?
>
> No. I should have said "standard locate".
> I think both Fedora and CentOS create the folders
> /etc/pki/tls/{certs,private},
> so I assume this means that certs and keys should be stored there.
>
> > What I typically do is get a real, but free, SSL certificate from some
> > place like StartSSL (www.startssl.com), and then copy the key and
> > certificate to the location that's specified for use by dovecot.
>
> My question exactly - is there any reason why one should not do that?
> Or even more simply, give the locations /etc/pki/tls/{certs,private}
> in /etc/dovecot/conf.d/10-ssl.conf ?

Where you get or create your cert from is irrelevant. The error messages indicate a hostname mismatch among other issues, but I cannot help you if you don't provide the answers or data to help you.

-Jason

--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant
10 West 24th Street #100, Baltimore, Maryland 21218
+1 (443) 269-1555 x333

This message is copyright PD Inc, subject to license 20080407P00.
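
The kind of name comparison behind a "hostname mismatch" error, as an added example that is not part of the original e-mail: it checks the name a mail client connects to against the names carried in the server certificate, using RFC 6125-style wildcard rules. The certificate names and hostnames below are constructed placeholders, and the function names are hypothetical.

```python
# Added example: match a client's hostname against the names presented in a
# server certificate (subject CN / dNSName entries). All names are constructed.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate name covers the hostname the client used."""
    if "*" in hostname:
        return False              # wildcards are only valid in the certificate
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and only when at
        # least two labels follow it (so "*.org" is refused).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial ("f*.example.org") or inner wildcards are refused outright.
    return "*" not in pattern and p == h

def check_host(cert_names, hostname):
    """Return the certificate names covering hostname; empty list = mismatch."""
    return [n for n in cert_names if name_matches(n, hostname)]

# Constructed stand-ins for the names a certificate might carry.
CERT_NAMES = ["*.imap.mail.example.org", "node001.mailcluster.example.org"]

if __name__ == "__main__":
    for host in ("node001.mailcluster.example.org",   # exact name
                 "a.imap.mail.example.org",           # covered by the wildcard
                 "imap.mail.example.org",             # wildcard needs a label
                 "x.y.imap.mail.example.org",         # two extra labels
                 "mail.example.org"):                 # name not in the cert
        hits = check_host(CERT_NAMES, host)
        print(f"{host:34} {'OK via ' + hits[0] if hits else 'MISMATCH'}")
```

The name that matters is the one configured in the mail client, not the server's own idea of its hostname.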