Great, thank you so much Aki! Please let me know when the fix is available and I will help test in our environment. We'd really like to enable this feature. Thanks again. Mizuki
On Fri, Dec 6, 2019 at 2:54 PM Aki Tuomi <aki.tu...@open-xchange.com> wrote: > Hi! > > It seems there is a bug in the oauth2 driver, it loads the cert files > wrong way. I'll make an internal bug report of this. > > Aki > > > On 06/12/2019 16:42 mizuki <mizuki0...@gmail.com> wrote: > > > > > > Hi, > > > > For troubleshooting purposes, I change the read/write permissions on the > certs and confirmed 'dovecot' can read them w/o problem, but still seeing > the same errors. :( > > Mizuki > > > > > > On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tu...@open-xchange.com> > wrote: > > > > > > Is the key/cert pair readable by dovecot user? auth process does not > run as root. > > > > > > > > > > > > > > > You can add > > > > > > > > > > > > > > > service auth { > > > > > > extra_groups = ssl_cert > > > > > > } > > > > > > > > > > > > > > > and chgrp the cert to ssl_cert to allow access to the cert. > > > > > > > > > > > > > > > Aki > > > > > > > On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > I changed some of the tls options following the document, now config > is following: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > tokeninfo_url = > https://keycloak.com/auth/realms/mail/protocol/openid-connect/token > > > > introspection_url = > https://dovecot:7598e21b-ec34-481f-80d0-059bddae0...@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect > > > > introspection_mode = post > > > > debug = yes > > > > rawlog_dir = /tmp/oauth2 > > > > #force_introspection = yes > > > > username_attribute = username > > > > #active_attribute = active > > > > #active_value = true > > > > tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > > > > tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > > > > tls_key_file = /etc/pki/dovecot/private/dovecot.pem > > > > > > > > > > > > --------------- > > > > > > > > > > > > > > > > > > > > The debug log is showing now slightly different msg ex: > > > > > > > > Dec 5 21:09:59 mktst4 dovecot: auth: Error: > oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't > initialize SSL context: Can't load SSL certificate: There is no valid PEM > certificate. > > > > > > > > > > > > > > > > > > > > Still not able to connect to the keyclaok server. :( > > > > > > > > > > > > > > > > > > > > > > > > PS: Dovecot & Keycloak severs are both using the same legit cert/key > pair with CA file configured. > > > > > > > > > > > > > > > > > > > > Thanks! > > > > > > > > Mizuki > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < > aki.tu...@open-xchange.com> wrote: > > > > > > > > > > > > > Before declaring it not ready for prime time, did you try setting > > > > > > > > > > tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt > > > > > > > > > > In the oauth2 configuration file as documented in > https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? > > > > > > > > > > Aki > > > > > > > > > > > On 05/12/2019 21:58 mizuki via dovecot < dovecot@dovecot.org> > wrote: > > > > > > > > > > > > > > > > > > Hi all, > > > > > > > > > > > > We'd like to enable OAuth with Keycloak in Dovecot, after > enabling 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can > confirm Dovecot is ready for OAuth using openssl command, however when the > auth request comes in, it failed in establishing a SSL connection with > Keycloak server on port 443, shown as following in debug logs. I can > confirming using commands 'openssl s_client -connect <keycloak_server>:443' > or 'curl -v https://<keycloak_server/' all returns normal and no errors. > Altering some of the SSL options in dovecot such as 'ssl_ca = > </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = > </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are > NOT self-signed but signed the legit authorities. So I'm not sure why > dovecot could not establish the connections. > > > > > > > > > > > >