Dovecot 和 StartSSL 与发行者的问题

Question 1

“openssl verify” 返回什么错误消息？

可能的情况是应用程序不信任证书颁发者并且需要受信任证书的列表。

尝试下载此文件http://www.startssl.com/certs/ca-bundle.pem并运行“openssl verify -CAfile ca-bundle.pem mycert.pem”，其中 mycert.pem 是您的证书。

例如：％openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem sub.class1.server.ca.pem：OK

Answer

“openssl verify” 返回什么错误消息？

可能的情况是应用程序不信任证书颁发者并且需要受信任证书的列表。

尝试下载此文件http://www.startssl.com/certs/ca-bundle.pem并运行“openssl verify -CAfile ca-bundle.pem mycert.pem”，其中 mycert.pem 是您的证书。

例如：％openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem sub.class1.server.ca.pem：OK

Question 2

我使用以下配置没有任何问题

/etc/dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/pki/dovecot/mail.example.net.pem
ssl_key = </etc/pki/dovecot/mail.example.net.key

/etc/pki/dovecot/mail.example.net.pem 由 3 个部分组成：

server certificate
startssl Class 1 Intermediate Server CA
StartCom Root CA (PEM encoded)

注意：顺序很重要

# openssl s_client -connect mail.example.net:995
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = G4V86y34KxXe0qbQ, C = US, CN = mail.example.net, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHWzCCBkOgAwIBAgIDDlbeMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwMjA0MTk1MTM5
WhcNMTUwMjA1MTU1NjMxWjBrMRkwFwYDVQQNExBHNFY4NnkzNEt4WGUwcWJRMQsw
CQYDVQQGEwJVQTEaMBgGA1UEAxMRbWFpbC5wc2QyaHRtbC5jb20xJTAjBgkqhkiG
9w0BCQEWFndlYm1hc3RlckBwc2QyaHRtbC5jb20wggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDVkP78cio2lOLYgR4b0AL23UXRfqsfxq5SV3UQc/MCs6dH
+KjoXsGfmb625UHIlwDyXHNcWRk77W6rjoMNuT16IQaYcgeO3bFGtcZkMBGcQ3ur
XVn4lv0N1VcCInxeLS/gp7Af8uKHm8mQzLYgiNUIuoExlQUa9YGOKZO8mT+HV9uT
GGrJly6qhWEG7fmua3+s9muKIk1rVPFNrmpZNZ3r0LFleQyDQHdzF9KIlQSHFlGt
pXVSfmEDVzEhMpE+8fwC2tfl/yfKj4O7UTkx+9Tve3S/6yVdRDIfke2DGTbukj9P
FwCvSFEbfstLOjc6l6R8Akcfc7zuzZDnyBOJt4Z0rXyVhrV02Mcy5/eOvCgzoq3U
e/FSDj0NYwv4bzBFxdVzDtmhYg/PO1vzsr4wn+avUnJJCQ0OfbZobjx8AjrxnwID
RRcKIrXvDnYUFWh9hyoEFbzzgFuj4CMO7YY8FPzbDDhCjcCQp/4xJ7f0zdxRyjuJ
AhJqaKs/Mmi5vZ6D/+Cu1vng/h9W9787A/rT4TynCvrVvfTWNAfnAlk2GuIJbHeU
uMnYqdNGvVdVHfTWescXqWx/ko33m33ceoCcxDMElHoeLPSk7WJvydm9HWXvGmBB
QJRwC3yXaFJLx7+cxd/hd8dMXBJ5My2Uhw+GTw4Mrr4seRO7oNVhNqhJBbqjmPvL
AQABo4IC5DCCAuAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYI
ggE7BgsrBgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3Rh
cnRzc2wuY29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29t
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRl
IHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24g
KwYBBQUHAwEwHQYDVR0OBBYEFAYlHZwthNBwmurY7KHmBkNdS19JMB8GA1UdIwQY
MBaAFOtCNNCYsKuf9BtrCPfMZC7vDixFMCoGA1UdEQQjMCGCEW1haWwucHNkMmh0
bWwuY29tggxwc2QyaHRtbC5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEw
cmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNl
IG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2Yg
dGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaG
JGh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUH
AQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1
Yi9jbGFzczEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0
c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBww
GoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQBa
16IYi1LGaOmogKbTIVIdwrP1kWN8ZfQdTBKgPgJeE8u+uvR4lExzIffN9LairKC2
waqZa7RfLakZkLKoJ6/kcGvXoXfNUUSQ3M3AVcxchYQ/pmh5KzxTkIE9xX5jDjd8
B+B2uV/X8Gc2/q2ortr4DVUBBV8pCmS18bSGGZL4IvvDw0iLop27TfcrhbZEwEL0
5y+T/pvvFbGmVDEXiw9EXQJ1vjosnQEfxsPEU3NGD4I4BOXedvzzKmDV3Dny+vEN
40thwakbj81rZc4ppYYX6mra207vjaattvFE9FCioW4YVgxV+mGGvirt2qMUsE1l
XN0tJonIy/lLUDZupgTx
-----END CERTIFICATE-----
subject=/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 251FC9E94633EC3A79E17802493B117BD4F04ABD0C3499DB414A764CA6EAA9AF
    Session-ID-ctx:
    Master-Key: E86A31072A0CB5288CA6C01AE174D8B72AC6F5B377E4245B06604354BB968EA0AFF199F823F5EFD919B7E2F0F6F3D7C0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 66 5c 5d 0d 71 f9 0a c3-fc 3f 26 2f 04 61 02 7e   f\].q....?&/.a.~
    0010 - e1 ec b8 a2 9e cb 4e e1-d9 20 41 0f 30 3e f8 2a   ......N.. A.0>.*
    0020 - a9 9f 36 3e 92 1a 9d 06-8f fc e9 69 ad 98 a3 21   ..6>.......i...!
    0030 - 80 bf 54 e0 36 54 f8 ab-cf 93 97 39 66 99 db d1   ..T.6T.....9f...
    0040 - b9 c1 10 64 bc e5 e0 ef-0a d2 cf be 08 f9 4d a3   ...d..........M.
    0050 - 82 0c 2f 42 c1 c2 26 b8-7d 19 01 30 ce f0 76 de   ../B..&.}..0..v.
    0060 - 1b a1 53 9c b3 d4 61 21-95 94 85 4a 9f c7 3f 5a   ..S...a!...J..?Z
    0070 - 7e c1 2b cf fd 98 08 bf-ac 6c ca e4 95 ba d0 60   ~.+......l.....`
    0080 - 4c cf 95 ec ed d9 01 41-00 0c 2c de 3c da 9d 2e   L......A..,.<...
    0090 - 71 4b b9 5b 31 d1 f6 47-bd 92 71 3d 5f 9a 11 ca   qK.[1..G..q=_...

    Start Time: 1393762729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
quit
+OK Logging out
closed

Answer

我使用以下配置没有任何问题

/etc/dovecot/conf.d/10-ssl.conf

ssl = yes
ssl_cert = </etc/pki/dovecot/mail.example.net.pem
ssl_key = </etc/pki/dovecot/mail.example.net.key

/etc/pki/dovecot/mail.example.net.pem 由 3 个部分组成：

server certificate
startssl Class 1 Intermediate Server CA
StartCom Root CA (PEM encoded)

注意：顺序很重要

# openssl s_client -connect mail.example.net:995
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = G4V86y34KxXe0qbQ, C = US, CN = mail.example.net, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHWzCCBkOgAwIBAgIDDlbeMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwMjA0MTk1MTM5
WhcNMTUwMjA1MTU1NjMxWjBrMRkwFwYDVQQNExBHNFY4NnkzNEt4WGUwcWJRMQsw
CQYDVQQGEwJVQTEaMBgGA1UEAxMRbWFpbC5wc2QyaHRtbC5jb20xJTAjBgkqhkiG
9w0BCQEWFndlYm1hc3RlckBwc2QyaHRtbC5jb20wggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDVkP78cio2lOLYgR4b0AL23UXRfqsfxq5SV3UQc/MCs6dH
+KjoXsGfmb625UHIlwDyXHNcWRk77W6rjoMNuT16IQaYcgeO3bFGtcZkMBGcQ3ur
XVn4lv0N1VcCInxeLS/gp7Af8uKHm8mQzLYgiNUIuoExlQUa9YGOKZO8mT+HV9uT
GGrJly6qhWEG7fmua3+s9muKIk1rVPFNrmpZNZ3r0LFleQyDQHdzF9KIlQSHFlGt
pXVSfmEDVzEhMpE+8fwC2tfl/yfKj4O7UTkx+9Tve3S/6yVdRDIfke2DGTbukj9P
FwCvSFEbfstLOjc6l6R8Akcfc7zuzZDnyBOJt4Z0rXyVhrV02Mcy5/eOvCgzoq3U
e/FSDj0NYwv4bzBFxdVzDtmhYg/PO1vzsr4wn+avUnJJCQ0OfbZobjx8AjrxnwID
RRcKIrXvDnYUFWh9hyoEFbzzgFuj4CMO7YY8FPzbDDhCjcCQp/4xJ7f0zdxRyjuJ
AhJqaKs/Mmi5vZ6D/+Cu1vng/h9W9787A/rT4TynCvrVvfTWNAfnAlk2GuIJbHeU
uMnYqdNGvVdVHfTWescXqWx/ko33m33ceoCcxDMElHoeLPSk7WJvydm9HWXvGmBB
QJRwC3yXaFJLx7+cxd/hd8dMXBJ5My2Uhw+GTw4Mrr4seRO7oNVhNqhJBbqjmPvL
AQABo4IC5DCCAuAwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwEwYDVR0lBAwwCgYI
ggE7BgsrBgEEAYG1NwECAzCCASowLgYIKwYBBQUHAgEWImh0dHA6Ly93d3cuc3Rh
cnRzc2wuY29tL3BvbGljeS5wZGYwgfcGCCsGAQUFBwICMIHqMCcWIFN0YXJ0Q29t
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MAMCAQEagb5UaGlzIGNlcnRpZmljYXRl
IHdhcyBpc3N1ZWQgYWNjb3JkaW5nIHRvIHRoZSBDbGFzcyAxIFZhbGlkYXRpb24g
KwYBBQUHAwEwHQYDVR0OBBYEFAYlHZwthNBwmurY7KHmBkNdS19JMB8GA1UdIwQY
MBaAFOtCNNCYsKuf9BtrCPfMZC7vDixFMCoGA1UdEQQjMCGCEW1haWwucHNkMmh0
bWwuY29tggxwc2QyaHRtbC5jb20wggFWBgNVHSAEggFNMIIBSTAIBgZngQwBAgEw
cmVxdWlyZW1lbnRzIG9mIHRoZSBTdGFydENvbSBDQSBwb2xpY3ksIHJlbGlhbmNl
IG9ubHkgZm9yIHRoZSBpbnRlbmRlZCBwdXJwb3NlIGluIGNvbXBsaWFuY2Ugb2Yg
dGhlIHJlbHlpbmcgcGFydHkgb2JsaWdhdGlvbnMuMDUGA1UdHwQuMCwwKqAooCaG
JGh0dHA6Ly9jcmwuc3RhcnRzc2wuY29tL2NydDEtY3JsLmNybDCBjgYIKwYBBQUH
AQEEgYEwfzA5BggrBgEFBQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1
Yi9jbGFzczEvc2VydmVyL2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0
c3NsLmNvbS9jZXJ0cy9zdWIuY2xhc3MxLnNlcnZlci5jYS5jcnQwIwYDVR0SBBww
GoYYaHR0cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQBa
16IYi1LGaOmogKbTIVIdwrP1kWN8ZfQdTBKgPgJeE8u+uvR4lExzIffN9LairKC2
waqZa7RfLakZkLKoJ6/kcGvXoXfNUUSQ3M3AVcxchYQ/pmh5KzxTkIE9xX5jDjd8
B+B2uV/X8Gc2/q2ortr4DVUBBV8pCmS18bSGGZL4IvvDw0iLop27TfcrhbZEwEL0
5y+T/pvvFbGmVDEXiw9EXQJ1vjosnQEfxsPEU3NGD4I4BOXedvzzKmDV3Dny+vEN
40thwakbj81rZc4ppYYX6mra207vjaattvFE9FCioW4YVgxV+mGGvirt2qMUsE1l
XN0tJonIy/lLUDZupgTx
-----END CERTIFICATE-----
subject=/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 251FC9E94633EC3A79E17802493B117BD4F04ABD0C3499DB414A764CA6EAA9AF
    Session-ID-ctx:
    Master-Key: E86A31072A0CB5288CA6C01AE174D8B72AC6F5B377E4245B06604354BB968EA0AFF199F823F5EFD919B7E2F0F6F3D7C0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 66 5c 5d 0d 71 f9 0a c3-fc 3f 26 2f 04 61 02 7e   f\].q....?&/.a.~
    0010 - e1 ec b8 a2 9e cb 4e e1-d9 20 41 0f 30 3e f8 2a   ......N.. A.0>.*
    0020 - a9 9f 36 3e 92 1a 9d 06-8f fc e9 69 ad 98 a3 21   ..6>.......i...!
    0030 - 80 bf 54 e0 36 54 f8 ab-cf 93 97 39 66 99 db d1   ..T.6T.....9f...
    0040 - b9 c1 10 64 bc e5 e0 ef-0a d2 cf be 08 f9 4d a3   ...d..........M.
    0050 - 82 0c 2f 42 c1 c2 26 b8-7d 19 01 30 ce f0 76 de   ../B..&.}..0..v.
    0060 - 1b a1 53 9c b3 d4 61 21-95 94 85 4a 9f c7 3f 5a   ..S...a!...J..?Z
    0070 - 7e c1 2b cf fd 98 08 bf-ac 6c ca e4 95 ba d0 60   ~.+......l.....`
    0080 - 4c cf 95 ec ed d9 01 41-00 0c 2c de 3c da 9d 2e   L......A..,.<...
    0090 - 71 4b b9 5b 31 d1 f6 47-bd 92 71 3d 5f 9a 11 ca   qK.[1..G..q=_...

    Start Time: 1393762729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Dovecot ready.
quit
+OK Logging out
closed

Dovecot 和 StartSSL 与发行者的问题

答案1

答案2

相关内容