Dovecot: "unable to get local issuer certificate"


#1

I’m also getting the same error ‘verify error:num=20:unable to get local issuer certificate’ when testing the Letsencrypt certificate with openssl. I’m also using the fullchain.pem in Dovecot port 993. There seems to be no solution being offered here any more. Has anybody found a solution to this issue? Strangely enough Thunderbird doesn’t complain about the certificate but MS Outlook does. It seems that the Intermediate certificate is not being seen even if it’s in the fullchain.pem. Maybe there is an extra configuration line in the Dovecot configuration that points to the chain.pem only in order to send the Intermediate certs to the IMAPS clients from Dovecot?
Michel
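The error the post describes (num=20 from openssl while the IMAPS client only sees the leaf certificate) is easiest to pin down by reading the "Certificate chain" section of `openssl s_client -connect host:993 -showcerts`: each certificate's issuer should be the subject of the next certificate the server sends, and a server that sends only a single non-self-signed certificate has not sent its intermediate. The following is an added example, not code from the thread; it parses constructed s_client output (hostname, names and PEM bodies are placeholders) and also counts the certificates in a PEM file such as the one Dovecot's `ssl_cert = </path/to/fullchain.pem` setting points at, so you can check the file on disk against what the client actually receives.

```python
import re

# Constructed sample of `openssl s_client -connect mail.example.com:993 -showcerts`
# output from a server that sends only its leaf certificate. Hostname, issuer
# names and PEM bodies are placeholders, not real data.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = mail.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample from the same server after it sends leaf + intermediate.
SAMPLE_FULL_CHAIN = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.example.com
verify return:1
---
Certificate chain
 0 s:CN = mail.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIB...placeholder-leaf...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIB...placeholder-intermediate...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
"""

_SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")          # " 0 s:CN = ..."
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")                  # "   i:C = US, ..."
_VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):")
_RETURN_CODE_RE = re.compile(r"Verify return code: (\d+)")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain = []
    for line in text.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            chain.append([m.group(2).strip(), None])
            continue
        m = _ISSUER_RE.match(line)
        if m and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
    return [tuple(entry) for entry in chain]


def analyze(text):
    """Summarise what the server sent and whether the intermediate is missing."""
    chain = parse_chain(text)
    errors = []
    for line in text.splitlines():
        m = _VERIFY_ERR_RE.match(line)
        if m:
            errors.append(int(m.group(1)))
    m = _RETURN_CODE_RE.search(text)
    return_code = int(m.group(1)) if m else None
    # Certificate k must be issued by certificate k+1 in the presented chain.
    breaks = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    leaf_only = len(chain) == 1 and chain[0][0] != chain[0][1]
    return {
        "chain_length": len(chain),
        "verify_errors": errors,
        "verify_return_code": return_code,
        "chain_breaks": breaks,
        "leaf_only": leaf_only,
        # Single non-self-signed cert plus error 20: the server never sent
        # the issuing intermediate, which is exactly the symptom in the thread.
        "intermediate_missing": leaf_only and (20 in errors or return_code == 20),
        "last_issuer_not_sent": chain[-1][1] if chain else None,
    }


def count_pem_certs(pem_text):
    """Number of certificates in a PEM bundle (fullchain.pem should give >= 2)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    for name, sample in (("leaf only", SAMPLE_LEAF_ONLY), ("full chain", SAMPLE_FULL_CHAIN)):
        print(name, analyze(sample))
```

A practical workflow is to run `count_pem_certs` on the file named by Dovecot's `ssl_cert` and `analyze` on the live s_client output; if the file holds two or more certificates but the client receives one, Dovecot is not reading the file you think it is (for example a different `ssl_cert` in a `local`/`protocol imap` block, or a config not reloaded), which matches the chain.pem question raised in the post.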


Cannot verify domain with openssl
#2

@michelbisson, what’s your domain name? And can you post the relevant part of your Dovecot configuration?


#3

I don’t have a solution, but I do offer a potential “if-all-else-fails” option:
nginx could proxy all the mail related ports.
(installing a cert in nginx is relatively easy)
You may have to get creative to not use the same ports on the same IP.


#4

Can it still proxy TLS for services that speak IMAP instead of HTTP?


#5

Does this answer your question?
(shortened for brevity)

mail
{
    proxy_ctimeout              120000ms;
    proxy_pass_error_message    on;
    zm_auth_http;
    proxy_ssl on;
    imap_greeting            "";
    pop3_greeting            "";
    pop3_capabilities         "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP";
    imap_capabilities         "ACL" "BINARY" "CATENATE" ...
    imap_id         "NAME" "Zimbra" "VERSION" ...
    default_realm           "";
    sasl_host_from_ip       off;
    sasl_app_name           "nginx";
    mail_login_ip_max               0;
    mail_login_ip_ttl               3600000ms;
    mail_login_ip_rejectmsg         "Login rejected from this IP";
    mail_login_user_max             0;
    mail_login_user_ttl             3600000ms;
    mail_login_user_rejectmsg       "Login rejected for this user";
    proxy_issue_pop3_xoip   on;
    proxy_issue_imap_id     on;
    imap_auth          plain;
    #imap_auth         gssapi;
    pop3_auth          plain;
    #pop3_auth         gssapi;
    imap_literalauth        on;
    zm_auth_wait               10000ms;
    ssl_prefer_server_ciphers   on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    ssl_protocols            TLSv1.2;
    ssl_ciphers             ...
    ssl_ecdh_curve          prime256v1;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imap;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.imaps;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.pop3;
    include /opt/zimbra/conf/nginx/includes/nginx.conf.mail.pop3s;
}
server
{
    #listen                  [::]:993 ipv6only=off;
    listen                993;
    #listen                [::]:993;
    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
    protocol            imap;
    proxy               on;
    timeout             60;
    proxy_timeout       2100;
    ssl                 on;
    ssl_certificate     /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key /opt/zimbra/conf/nginx.key;
    sasl_service_name   "imap";
}

:smile: :wink:


#6

Huh, nginx is pretty flexible then!


#7

Yes! It can also proxy DNS, RDP, pretty much almost anything.
root@work:/# netstat -pant |grep -i nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 53392/nginx.conf
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 53392/nginx.conf

[edit] To be clear, it can’t “man-in-the-middle” all services.
It can for those things that use TLS; for the rest it can proxy them as streams.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.