Re: how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
@m...@f1-outsourcing.eu
No, the private CA certificate was not present there, as I thought that its presence in the bundle pointed to by was enough.
Anyway, placing it in /etc/ssl/certs and restarting dovecot does not change anything for the client, as expected.

On Tue, Aug 9, 2022 at 10:09 AM jean-christophe manciot wrote:
> @m...@f1-outsourcing.eu
> No, the private CA certificate was not present there, as I thought that
> its presence in the bundle pointed to by was enough.
> Anyway, placing it in /etc/ssl/certs and restarting dovecot does not
> change anything for the client, as expected.
>
> On Mon, Aug 8, 2022 at 9:28 PM Marc wrote:
> > Have you added your root CA to where the rest of the ca certs are stored on
> > your distribution?

--
Jean-Christophe
RE: how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
Have you added your root CA to where the rest of the ca certs are stored on your distribution?

> I forgot to say that this mail server has been working perfectly for
> many years (but without client certificates).
Re: how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
I forgot to say that this mail server has been working perfectly for many years (but without client certificates).

On Mon, Aug 8, 2022 at 6:42 PM jean-christophe manciot wrote:
> @build+dove...@de-korte.org
>
> ssl_ca = actually contains the private CA certificate bundled with the
> private CA CRL.
>
> ssl_cert = contains the public server certificate bundled with the Let's
> Encrypt CA X3 cross-signed certificate.
>
> Maybe the latter should rather contain the root and intermediate
> certificates.

--
Jean-Christophe
Re: how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
@build+dove...@de-korte.org

ssl_ca = actually contains the private CA certificate bundled with the private CA CRL.

ssl_cert = contains the public server certificate bundled with the Let's Encrypt CA X3 cross-signed certificate.

Maybe the latter should rather contain the root and intermediate certificates.

On Mon, Aug 8, 2022 at 11:45 AM Arjen de Korte wrote:
> Quoting jean-christophe manciot:
> > I'm trying to set up dovecot to accept only client certificates created
> > with a private CA:
> > auth_ssl_require_client_cert = yes
> > ssl_verify_client_cert = yes
> > ssl_ca =
>
> This is wrong, you should enter your private CA here. If
> 'ssl_verify_client_cert' is not set to 'yes', this field should
> generally be empty / not configured.

--
Jean-Christophe
Re: how to set up dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA
Quoting jean-christophe manciot:

> Hi everyone,
>
> I'm trying to set up dovecot to accept only client certificates created
> with a private CA:
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca =

This is wrong, you should enter your private CA here. If 'ssl_verify_client_cert' is not set to 'yes', this field should generally be empty / not configured.

> At the same time, dovecot is set up with an SSL certificate created by
> a public CA (Let's Encrypt):
> ssl = required
> ssl_cert =
> ssl_key =
>
> When I try to connect to the server with a client (evolution), I get a
> connection error:
> "Client did not present valid SSL certificate" except that it is valid.
>
> As you probably already know, Let's Encrypt does not create client
> certificates.
> It seems that using a different CA for client certificates and for the
> server certificate is unsupported.
>
> Am I missing something?
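One way to write the split-CA setup Arjen describes (a public CA for the server certificate, a private CA plus its CRL for client certificates), as an added example that is not from the thread; every path below is a placeholder:

```conf
# Added example of a Dovecot TLS stanza with two different CAs. Not from the
# thread; all file paths are placeholders.

ssl = required

# Server identity: the Let's Encrypt leaf followed by its intermediate(s) so
# that clients can build the chain. Nothing private-CA related belongs here.
ssl_cert = </etc/dovecot/letsencrypt/fullchain.pem
ssl_key  = </etc/dovecot/letsencrypt/privkey.pem

# Client verification: only the private CA certificate(s) plus the private
# CA's CRL, concatenated into one PEM file. Do not point this at the system
# bundle or at the Let's Encrypt chain: a certificate issued by any CA listed
# here would be accepted as a client certificate.
ssl_ca = </etc/dovecot/private-ca/ca-with-crl.pem

# Dovecot checks the CRL by default; if the CRL is missing from the ssl_ca
# file, client certificates are rejected as invalid.
ssl_require_crl = yes

# Request a client certificate and refuse logins that lack a valid one.
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

# Optional: take the login name from the certificate's CN instead of the
# username sent by the client.
# auth_ssl_username_from_cert = yes
# ssl_cert_username_field = commonName
```

Before reloading, openssl verify -crl_check -CAfile /etc/dovecot/private-ca/ca-with-crl.pem client.pem should print "client.pem: OK", and openssl s_client -connect mail.example.com:993 -cert client.pem -key client.key should show the server sending the Let's Encrypt chain while listing the private CA under "Acceptable client certificate CA names".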