[Dovecot] Solution (with new problem) of: Server CommonName mismatch: localhost.localdomain

M. Fioretti mfioretti at mclink.it
Tue Jun 13 21:54:01 EEST 2006


On Tue, Jun 13, 2006 18:15:03 PM +0200, io (mfioretti at mclink.it)
wrote:

> Hello,
> 
> I have seen via google that this very problem was already discussed
> on this and other lists some months ago, but the archives report no
> solution.

Summary: one tries to talk with Dovecot via ssl and gets:

> fetchmail: Issuer CommonName: localhost.localdomain
> fetchmail: Server CommonName: localhost.localdomain
> fetchmail: Server CommonName mismatch: localhost.localdomain != my.vps.fqdn.name

Solution: this is what happens when one forgets to point to the right
ssl files in dovecot.conf and leaves the default (example-only) values:

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

However, now I have another problem, and cannot figure out if it's
dovecot related, some general ssl bug or an error (but which one) from
me:

I have a remote server running CentOS 4.3 and a home desktop running
SUSE 10.1. I have generated an SSL certificate on the server, copied
it to the desktop and run on the desktop:

>openssl x509 -in mynewcertCert.pem  -fingerprint -subject -issuer -serial -hash -noout
>c_rehash .

getting this warning:
> 
> Doing .
> WARNING: mynewcertPrivateKey.pem does not contain a certificate or CRL: skipping
> mynewcertCert.pem => 2764d17c.0

Now I have noted two things:

1) the fingerprint generated from the openssl command above is
   different when I run it on centos or on suse 10.1. Why?

2) if I run fetchmail here with these options:

I get:

fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006 07:22:34 PM CEST: poll started
fetchmail: Issuer Organization: My organization
fetchmail: Issuer CommonName: my.remote.server
fetchmail: Server CommonName: my.remote.server
fetchmail: my.remote.server key fingerprint: the one obtained running openssl on the server
fetchmail: my.remote.server fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from m-mail at fm.vm.bytemark.co.uk

What is the "local issuer" problem? What am I missing? Is it a
consequence of problem 1) ? What is happening, and what must I do to
use this certificate? Is it a dovecot only problem?

TIA,
	Marco

-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

I don't even have an email address. I have reached an age where my
main purpose is not to receive messages.
                                    U. Eco, quoted in the New Yorker



-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

Be the change you want to see in the world - Gandhi
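
The checks this message walks through (CommonName against the host name, fingerprint comparison, and trust through a hashed certificate directory), as an added example that is not part of the original post. The certificates, file names and the temporary directory are constructed; `my.vps.fqdn.name` and `localhost.localdomain` are the names quoted above.

```shell
#!/bin/sh
# Added example; every name, path and certificate below is constructed.
WORK=$(mktemp -d)
mkdir "$WORK/certs"

# make_cert CN NAME: throwaway self-signed certificate standing in for the real one
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# cn_matches CERT HOST: does the certificate name the host the client connects to?
cn_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# fingerprint CERT DIGEST: hex fingerprint under an explicitly named digest
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# trust CERT DIR: link one certificate as <subject-hash>.0, as c_rehash does
trust() {
    ln -sf "$1" "$2/$(openssl x509 -in "$1" -noout -hash).0"
}

# verifies CERT DIR: true when openssl can build a trusted chain using DIR
verifies() {
    openssl verify -CApath "$2" "$1" 2>&1 | grep -q ': OK$'
}

make_cert localhost.localdomain default   # like the example-only default files
make_cert my.vps.fqdn.name real           # certificate issued for the server name
cp "$WORK/real.pem" "$WORK/copy.pem"      # the copy taken to the client machine

for c in default real; do
    if cn_matches "$WORK/$c.pem" my.vps.fqdn.name
    then echo "$c.pem: CommonName matches my.vps.fqdn.name"
    else echo "$c.pem: CommonName mismatch"
    fi
done

# The fingerprint is a digest of the certificate, so its value depends on the digest.
echo "sha1:   $(fingerprint "$WORK/copy.pem" sha1)"
echo "sha256: $(fingerprint "$WORK/copy.pem" sha256)"

verifies "$WORK/copy.pem" "$WORK/certs" || echo "before trust: verify failed"
trust "$WORK/copy.pem" "$WORK/certs"
verifies "$WORK/copy.pem" "$WORK/certs" && echo "after trust: verify OK"
```

Naming the digest on both machines makes the two fingerprints directly comparable, and an unchanged copy gives the same value as the original.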

