STARTTLS issue with sieve

Heiko Schlittermann hs at schlittermann.de
Sun Jul 9 00:10:06 EEST 2017


Andreas Oster <aoster at novanetwork.de> (Fr 07 Jul 2017 08:15:05 CEST):
> Hi all,
> 
> I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks ago
> I had to replace our dovecot certificate due to expiration. In the past I
> did use a self-signed certificate, but because we now have a little openssl
> based CA I have decided to create signed certificate for imaps. Dovecot is
> happily accepting the new certificate which has integrated the whole
> cert-chain. Unfortunately Pigeonhole does not seem to like the certificate:

As it seems, Pigeonhole sends you the full cert chain:

> *** Starting TLS handshake
> - Certificate type: X.509
> - Got a certificate list of 3 certificates.
> - Certificate[0] info:
>  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
…
> - Certificate[2] info:
>  - subject `C=DE,ST=Baden-Wuerttemberg,L=Ettlingen,O=NOVA Elektroanlagen
> GmbH,OU=NOVA Root CA,CN=NOVA Root CA', issuer

The last one being the CA used.

> SHA-1 fingerprint `95326e3ff12683cc40a85874d562d0a6f15dcb37'
> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed

For me it reads as if your client (gnutls-cli) does not trust
the chain your server sent. (The server doesn't care about the chain).

> I have checked the certificate with:
> 
> openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem
> /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK

How do you know that gnutls-cli uses the same CA file? Try passing the
CA file to gnutls-cli?

The --x509cafile seems to be hardcoded in /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (Debian 9, amd64)

$ strings /usr/lib/x86_64-linux-gnu/libgnutls.so.30 | grep '/etc/ssl'
/etc/ssl/certs/ca-certificates.crt

So, on my system gnutls-cli seems to use the same CA store
(/etc/ssl/certs) as openssl.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
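A way to reproduce the point made above with openssl alone, added here as an example and not part of the thread: it builds a throwaway private CA and leaf certificate, then verifies the leaf once with an explicit CA file and once against the default store only. The CA, the names and the paths are constructed for the demo; the gnutls-cli and s_client commands in the trailing comment assume gnutls 3.4+ and OpenSSL 1.1.0+.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway private CA and a
# leaf certificate (constructed names), then verifies the leaf once with an
# explicit CA file (the thread's "openssl verify -CAfile") and once against
# the default store only, which is what a client that never sees your CA
# file effectively does ("certificate issuer is unknown").
set -u

# Create a self-signed demo CA and a leaf signed by it inside directory $1.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=mail.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" >/dev/null 2>&1
}

# Verify leaf $2 against the explicit CA bundle $1 (exit status is openssl's).
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify leaf $1 against the default system store only.
verify_with_system_store() {
    openssl verify "$1" >/dev/null 2>&1
}

run_demo() {
    work=$(mktemp -d)
    make_demo_pki "$work" || { rm -rf "$work"; return 1; }
    # Where this openssl looks when no -CAfile is given; compare with the
    # path found via "strings libgnutls.so | grep /etc/ssl" in the thread.
    echo "openssl default store: $(openssl version -d)"
    verify_with_cafile "$work/ca.crt" "$work/leaf.crt" \
        && echo "with -CAfile ca.crt: leaf OK"
    verify_with_system_store "$work/leaf.crt" \
        || echo "system store only: issuer unknown (expected for a private CA)"
    rm -rf "$work"
}

# Against a live service the two checks become (gnutls 3.4+, OpenSSL 1.1.0+;
# HOST and the CA path are placeholders):
#   gnutls-cli --x509cafile /path/to/ca.crt --starttls-proto=sieve -p 4190 HOST
#   openssl s_client -starttls sieve -CAfile /path/to/ca.crt -connect HOST:4190
run_demo
```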