On 2015-09-21 09:28, Alex Bulan wrote:
The result is the same with or without "<" before the file path.  With
"<" the inode atime is updated at Dovecot startup, so the file is at
least opened, but Dovecot still can't verify the cert.

The only place in the Wiki that shows an example of ssl_client_ca_file
is on this page, and there's no "<" in front of the file path:

http://wiki2.dovecot.org/Replication

(quote)
The client must be able to verify that the SSL certificate is valid,
so you need to specify the directory containing valid SSL CA roots:

ssl_client_ca_dir = /etc/ssl/certs # Debian/Ubuntu
ssl_client_ca_file = /etc/pki/tls/cert.pem # RedHat
(end quote)

For replication-only settings? I can only guess, as I currently don't use proxy or replication.

Haven't found much about proxying and SSL, but found a configuration parameter ssl_ca = </path/to/file; maybe that works...

http://wiki2.dovecot.org/SSL/DovecotConfiguration section Client certificate verification/authentication


On Mon, 21 Sep 2015, Christian Kivalo wrote:

Hi

I've pointed ssl_client_ca_file to my root certificate store, but I
suspect ssl_client_ca_file is only used in imapc context. It seems to
be ignored in proxy context.

doveconf -n ssl_client_ca_file:
ssl_client_ca_file = /usr/local/share/certs/ca-root-nss.crt

You are missing the "<" before the file path

Try ssl_client_ca_file = </usr/local/share/certs/ca-root-nss.crt

See http://wiki2.dovecot.org/SSL/DovecotConfiguration

Regards
Christian


- Christian
