Dovecot SSL certificate problem: Verify return code: 2 (unable to get issuer certificate)
Sorry, but I am new to SSL; what am I doing wrong? I tried to change the dovecot imap login to imaps, but there is a problem with the ssl certificate check. The ssl certificate works for the https apache server, and it is the same one I am trying to use for dovecot. I tried to understand dave thomson's answer at https://stackoverflow.com/questions/47108886/openssl-s-client-error-verify-errornum-2unable-to-get-issuer-certificate but it is hard for a newbie. Maybe you have an easier way. Thanks and br
openssl s_client -connect <my-domain>:993 -servername <my-domain> -CAfile /etc/apache2/ssl/cert_2021.ca-bundle
Output:
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=2:unable to get issuer certificate
issuer= C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
issuer= C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=0 CN = <my-domain>
issuer= C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
---
Certificate chain
 0 s:CN = <my-domain>
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...gJaprVUs
-----END CERTIFICATE-----
subject=CN = <my-domain>
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2192 bytes and written 397 bytes
Verification error: unable to get issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 2 (unable to get issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3B8DCD9A603FF577C1E77F40C5D3BCE2B9BAE026EF430566359B0D82353CE1E5
    Session-ID-ctx:
    Resumption PSK: 69E09...34D1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 97 86 ca 30 d9 1e 13 95-51 b3 06 87 9d 9f fe ec   ...0....Q.......
    ...
    00d0 - 26 69 ba 7b 58 58 2c da-18 90 c9 8b 9f e2 3f be   &i.{XX,.......?.

    Start Time: 1651046361
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F834...EE6E
    Session-ID-ctx:
    Resumption PSK: A6FBE...23BF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 97 86 ca 30 d9 1e 13 95-51 b3 06 87 9d 9f fe ec   ...0....Q.......
    ...
    00d0 - a9 74 d9 44 c8 40 43 11-48 32 1e e2 2a 8f b9 bb   .t.D.@C.H2..*...

    Start Time: 1651046361
    Timeout   : 7200 (sec)
    Verify return code: 2 (unable to get issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Raspbian) ready.
* BYE Disconnected for inactivity.
closed
For another attempt
openssl s_client -connect <my-domain>:993 -servername <my-domain> -CApath /etc/ssl/certs/ | grep 'returncode'
I get the same output:
depth=0 CN = <my-domain>
verify error:num=20:unable to get local issuer certificate
...
    Start Time: 1651049986
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
My /etc/dovecot/conf.d/10-ssl.conf has a minimal cfg
ssl = required
ssl_cert = </etc/apache2/ssl/cert_2021.crt
ssl_key = </etc/apache2/ssl/cert_2021.key
ssl_client_ca_file = /etc/apache2/ssl/cert_2021.ca-bundle
ssl_dh = </usr/share/dovecot/dh.pem
Update:
After your input, anx, I put everything into one file by copy + paste, so that it cleanly contains the crt, key and ca-bundle information, stored in /etc/dovecot/private without any symlinks. In /etc/dovecot/conf.d/10-ssl.conf I set
ssl_cert = </etc/dovecot/private/all_certs_in_one.txt
#ssl_client_ca_file = /etc/apache2/ssl/es_2021.ca-bundle
I tried the command
openssl s_client -showcerts -connect <my-domain>:993 -servername <my-domain>
and got this output, certainly more than the last one...
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 322 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Update - half a solution
nano mkcert.sh
#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

umask 077
OPENSSL=${OPENSSL-openssl}
SSLDIR=${SSLDIR-/etc/ssl}
OPENSSLCONFIG=${OPENSSLCONFIG-dovecot-openssl.cnf}

CERTDIR=$SSLDIR/certs
KEYDIR=$SSLDIR/private

CERTFILE=$CERTDIR/dovecot.pem
KEYFILE=$KEYDIR/dovecot.pem

if [ ! -d $CERTDIR ]; then
  echo "$SSLDIR/certs directory doesn't exist"
  exit 1
fi

if [ ! -d $KEYDIR ]; then
  echo "$SSLDIR/private directory doesn't exist"
  exit 1
fi

if [ -f $CERTFILE ]; then
  echo "$CERTFILE already exists, won't overwrite"
  exit 1
fi

if [ -f $KEYFILE ]; then
  echo "$KEYFILE already exists, won't overwrite"
  exit 1
fi

$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG -out $CERTFILE -keyout $KEYFILE -days 3650 || exit 2
chmod 0600 $KEYFILE
echo
$OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
nano dovecot-openssl.cnf
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
# country (2 letter code)
#C=FI

# State or Province Name (full name)
#ST=

# Locality Name (eg. city)
#L=Helsinki

# Organization (eg. company)
O=<MY FIRM NAME>

# Organizational Unit Name (eg. section)
OU=IMAP server

# Common Name (*.example.com is also possible)
CN=mail.<YOUR DOMAIN NAME>

# E-mail contact support@example.com
emailAddress=support@<YOUR DOMAIN NAME>

[ cert_type ]
nsCertType = server
Create symlinks:
ln -s /etc/ssl/certs/dovecot.pem /etc/dovecot/private/dovecot_pem_sym.pem
ln -s /etc/ssl/private/dovecot.pem /etc/dovecot/private/dovecot_pem_sym.key
nano /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/dovecot/private/dovecot_pem_sym.pem
ssl_key = </etc/dovecot/private/dovecot_pem_sym.key
#ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =
#ssl_dh = </usr/share/dovecot/dh.pem
Restart
systemctl restart dovecot
Test
openssl s_client -showcerts -connect <YOUR mail.DOMAIN>:993 -servername <YOUR mail.DOMAIN>
The error code is
Verify return code: 18 (self signed certificate)
But that is better than nothing =/ My apache certificate does work, but yes. Seems we cannot get everything to work =(
By the way, don't forget to set in Outlook, e.g. in @cfg, method to SSL/TLS, not Auto.
**You may be using the ssl_client_ca_file setting incorrectly.** It is used when Dovecot acts as a client for outgoing connections (e.g. when it proxies to an MTA/IMAP target for which the system default CAs are not suitable). That is completely separate from Dovecot's configuration for handling incoming connections in its server role, such as serving IMAP over TLS. Leave it unset and instead concatenate your server and intermediate certificates into one combined file for ssl_cert=</path/to/file. Mind the order; in your case I believe that would be your server certificate, then Sectigo, then Usertrust. Since you currently point at the files used by apache2, take care not to modify files you have configured elsewhere (which expect them to contain only the server certificate or the chain).