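I am using dovecot (1) and trying to get my StartSSL certificate working.
ssl_key_file points to my private key.
I tried pointing ssl_cert_file at my public key, with and without the class1 certificate from http://www.startssl.com/certs/sub.class1.server.ca.pem as ssl_ca_file, and also combining them with cat publickey sub.class1.server.ca.pem > chained
My mail client keeps telling me the certificate has no issuer, yet running openssl x509 on my public certificate tells me it is C=IL, O=StartCom Ltd., OU=Secure Digital Certification Signing, CN=StartCom Class 1 Primary Intermediate Server CA
My options for the CSR were: openssl req -new -newkey rsa:4096 -nodes
Dovecot's logs do not mention any problem.
Edit: dovecot does not seem to be the problem. I had the same issue when using postfix. openssl verify also gives the same error.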
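Answer 1
What error message does "openssl verify" return?
It may be that the application does not trust the certificate issuer and needs a list of trusted certificates.
Try downloading this file, http://www.startssl.com/certs/ca-bundle.pem, and running "openssl verify -CAfile ca-bundle.pem mycert.pem", where mycert.pem is your certificate.
For example:
% openssl verify -CAfile ca-bundle.pem sub.class1.server.ca.pem
sub.class1.server.ca.pem:OK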
Answer 2
I use the following configuration without any problems.
/etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/dovecot/mail.example.net.pem
ssl_key = </etc/pki/dovecot/mail.example.net.key
/etc/pki/dovecot/mail.example.net.pem consists of 3 parts:
server certificate
startssl Class 1 Intermediate Server CA
StartCom Root CA (PEM encoded)
Note: the order matters.
# openssl s_client -connect mail.example.net:995
CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = G4V86y34KxXe0qbQ, C = US, CN = mail.example.net, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
subject=/description=G4V86y34KxXe0qbQ/C=US/CN=mail.example.net/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6429 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 251FC9E94633EC3A79E17802493B117BD4F04ABD0C3499DB414A764CA6EAA9AF
Session-ID-ctx:
Master-Key: E86A31072A0CB5288CA6C01AE174D8B72AC6F5B377E4245B06604354BB968EA0AFF199F823F5EFD919B7E2F0F6F3D7C0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1393762729
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
+OK Dovecot ready.
quit
+OK Logging out
closed
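Added example, not part of either answer: a shell check for the ordering Answer 2 describes, confirming that each certificate in a combined PEM file is followed by its issuer before the file is handed to ssl_cert. The function names check_chain_order and make_demo_chain are hypothetical, and the demo chain is constructed throwaway data; only openssl and awk are assumed to be installed.

```sh
#!/bin/sh
# Added example: helper names and the demo chain are made up for illustration.

# check_chain_order FILE: return 0 only if every certificate in FILE is
# followed by its issuer (leaf -> intermediate -> root); 1 if the order is
# wrong, 2 if FILE contains no certificate.
check_chain_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/c" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$tmp/c1.pem" ] || rc=2
    while [ -f "$tmp/c$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/c$i.pem")
        next=$(openssl x509 -noout -subject_hash -in "$tmp/c$((i + 1)).pem")
        if [ "$issuer" != "$next" ]; then
            echo "cert $i is not issued by cert $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR: constructed sample data, a throwaway three-level chain
# written once in the right order and once with root and intermediate swapped.
make_demo_chain() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
          -out root.pem -subj "/CN=Demo Root CA" -days 1 2>/dev/null
      for n in int leaf; do
          openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
              -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null
      done
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -out int.pem -days 1 2>/dev/null
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -out leaf.pem -days 1 2>/dev/null
      cat leaf.pem int.pem root.pem > chain-good.pem
      cat leaf.pem root.pem int.pem > chain-bad.pem )
}

demo=$(mktemp -d)
make_demo_chain "$demo"
check_chain_order "$demo/chain-good.pem" && echo "chain-good.pem: order OK"
check_chain_order "$demo/chain-bad.pem" || echo "chain-bad.pem: wrong order"
```

The check compares names only (issuer hash against the next subject hash); it does not validate signatures or trust, which is what openssl verify -CAfile from Answer 1 is for.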