Thank you Stephan, I'm wondering if I can read the track of the status of bug reports? Could you please advice? Thanks. Mizuki
On Sun, Dec 8, 2019 at 6:40 AM Stephan Bosch <step...@rename-it.nl> wrote: > > > On 06/12/2019 20:54, Aki Tuomi via dovecot wrote: > > Hi! > > > > It seems there is a bug in the oauth2 driver, it loads the cert files > wrong way. I'll make an internal bug report of this. > > Tracking as DOP-1590. > > Regards, > > Stephan. > > > >> On 06/12/2019 16:42 mizuki <mizuki0...@gmail.com> wrote: > >> > >> > >> Hi, > >> > >> For troubleshooting purposes, I change the read/write permissions on > the certs and confirmed 'dovecot' can read them w/o problem, but still > seeing the same errors. :( > >> Mizuki > >> > >> > >> On Fri, Dec 6, 2019 at 1:35 AM Aki Tuomi <aki.tu...@open-xchange.com> > wrote: > >>> > >>> Is the key/cert pair readable by dovecot user? auth process does not > run as root. > >>> > >>> > >>> > >>> > >>> You can add > >>> > >>> > >>> > >>> > >>> service auth { > >>> > >>> extra_groups = ssl_cert > >>> > >>> } > >>> > >>> > >>> > >>> > >>> and chgrp the cert to ssl_cert to allow access to the cert. > >>> > >>> > >>> > >>> > >>> Aki > >>> > >>>> On 06/12/2019 04:16 mizuki via dovecot <dovecot@dovecot.org> wrote: > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> I changed some of the tls options following the document, now config > is following: > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> tokeninfo_url = > https://keycloak.com/auth/realms/mail/protocol/openid-connect/token > >>>> introspection_url = > https://dovecot:7598e21b-ec34-481f-80d0-059bddae0...@keycloak.com/auth/realms/demo/protocol/openid-connect/token/introspect > >>>> introspection_mode = post > >>>> debug = yes > >>>> rawlog_dir = /tmp/oauth2 > >>>> #force_introspection = yes > >>>> username_attribute = username > >>>> #active_attribute = active > >>>> #active_value = true > >>>> tls_ca_cert_file = /etc/pki/CA/certs/incommon-rsa-server-ca.crt > >>>> tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem > >>>> tls_key_file = /etc/pki/dovecot/private/dovecot.pem > >>>> > >>>> > >>>> --------------- > >>>> > >>>> > >>>> > >>>> > >>>> The debug log is showing now slightly different msg ex: > >>>> > >>>> Dec 5 21:09:59 mktst4 dovecot: auth: Error: > oauth2(mizuki,10.0.2.1,<29b4iv+YKuuCx5Tr>): oauth2 failed: Couldn't > initialize SSL context: Can't load SSL certificate: There is no valid PEM > certificate. > >>>> > >>>> > >>>> > >>>> > >>>> Still not able to connect to the keyclaok server. :( > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> PS: Dovecot & Keycloak severs are both using the same legit cert/key > pair with CA file configured. > >>>> > >>>> > >>>> > >>>> > >>>> Thanks! > >>>> > >>>> Mizuki > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> On Thu, Dec 5, 2019 at 3:06 PM Aki Tuomi < aki.tu...@open-xchange.com> > wrote: > >>>> > >>>> > >>>>> Before declaring it not ready for prime time, did you try setting > >>>>> > >>>>> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt > >>>>> > >>>>> In the oauth2 configuration file as documented in > https://doc.dovecot.org/configuration_manual/authentication/oauth2 ? > >>>>> > >>>>> Aki > >>>>> > >>>>>> On 05/12/2019 21:58 mizuki via dovecot < dovecot@dovecot.org> > wrote: > >>>>>> > >>>>>> > >>>>>> Hi all, > >>>>>> > >>>>>> We'd like to enable OAuth with Keycloak in Dovecot, after enabling > 'OAUTHBEARER XOAUTH2' in Dovecot based on online document, I can confirm > Dovecot is ready for OAuth using openssl command, however when the auth > request comes in, it failed in establishing a SSL connection with Keycloak > server on port 443, shown as following in debug logs. I can confirming > using commands 'openssl s_client -connect <keycloak_server>:443' or 'curl > -v https://<keycloak_server/' all returns normal and no errors. Altering > some of the SSL options in dovecot such as 'ssl_ca = > </etc/pki/CA/certs/root_ca.pem' or 'ssl_client_ca_file = > </etc/pki/CA/certs/root_ca.pem' does not help either. The certificate are > NOT self-signed but signed the legit authorities. So I'm not sure why > dovecot could not establish the connections. > >>>>>> > >