cyrus doesn't provide whole ssl chain
Jan Kowalsky
jankow at datenkollektiv.net
Tue Oct 6 15:45:06 CEST 2015
Hi,
I solved the problem - but ...
On 06.10.2015 at 14:01, Jan Kowalsky wrote:
> Hi all,
>
> I've a problem with configuring ssl on cyrus. We have a company root
> certificate with an intermediate certificate. The server certificates
> are issued from the intermediate certificate.
>
> I configured cyrus the following way:
>
> tls_server_cert: /etc/ssl/certs/mail.example.org_public_cert.pem
> tls_server_key: /etc/ssl/private/mail.example.org_private_key.pem
> tls_server_ca_file: /etc/ssl/certs/example.org.ca-chain.pem
>
> The ca_file includes the concatenation from the root cert and the
> intermediate cert.
>
> We used e.g. Thunderbird 31 lts with no problems. But with a newer
> version (38) the server certificate isn't trusted any more even if the
> root cert is installed.

OK, this was an artefact. For some reason, maybe there was information
about the chain cached in Thunderbird, even if the certificates are
removed and re-added again.

> The same certificates and the certificate chain with apache2 works.

The solution was: put the whole certificate chain in a chain.pem: the
server cert, the intermediate and the root CA.

tls_server_cert: /etc/ssl/certs/mail.example.org_chain.pem
tls_server_key: /etc/ssl/private/mail.example.org_private_key.pem

The tls_server_ca_file then isn't necessary at all.

The way described in
https://docs.kolab.org/howtos/secure-kolab-server.html#cyrus-imapd differs.
Regards
Jan
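
A check for the bundle layout described in this thread (server certificate first, then intermediate, then root CA, all in the file named by tls_server_cert), as an added example that is not part of the original post. The function names are hypothetical; it needs the openssl command line tool and compares issuer and subject names only, without verifying signatures.

```shell
#!/bin/sh
# Added example: sanity checks for a PEM bundle used as tls_server_cert.
# Expected order: server cert, intermediate(s), root CA.

# Name check only: the issuer of cert N must be the subject of cert N+1.
# Signatures are not verified here.
check_chain_order() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    # Write each certificate in the bundle to its own numbered file.
    awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    count=0; prev_issuer=; rc=0
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || break
        count=$((count + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject_hash) || { rc=2; break; }
        issuer=$(openssl x509 -in "$cert" -noout -issuer_hash) || { rc=2; break; }
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "cert $count did not issue cert $((count - 1))" >&2
            rc=1
        fi
        prev_issuer=$issuer
    done
    rm -rf "$dir"
    if [ "$count" -lt 2 ]; then
        echo "only $count certificate(s) in bundle" >&2
        return 1
    fi
    return "$rc"
}

# The private key must belong to the FIRST certificate in the bundle;
# openssl x509 reads only that first certificate.
leaf_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}
```

Both functions take the paths from imapd.conf: the bundle given as tls_server_cert, and for `leaf_matches_key` also the file given as tls_server_key. A non-zero return means the bundle is out of order, holds only one certificate, or starts with a certificate that does not match the key.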