TLS library problem when connecting to Dovecot

  • I have a Comodo PositiveSSL certificate issued for mail.btcontract.com and I've set up Postfix and Dovecot to work with it in the following way:

    Postfix main.cf:

    smtpd_tls_cert_file  = /etc/ssl/mail/mail_btcontract_com.crt
    smtpd_tls_key_file   = /etc/ssl/mail/mail_btcontract_com.key
    smtpd_tls_CAfile     = /etc/ssl/mail/AddTrustExternalCARoot.crt
    smtp_tls_CAfile      = /etc/ssl/mail/AddTrustExternalCARoot.crt
    

    dovecot.conf:

    ssl_cert =< /etc/ssl/mail/mail_btcontract_com.pem
    ssl_key  =< /etc/ssl/mail/mail_btcontract_com.key
    

    I've generated pem out of crt following this tutorial: http://blog.wong42.com/2011/05/converting-a-ssl-certificate-from-crt-format-to-pem/

    The problem is that when I try to connect to my server from a Thunderbird mail client I see the following errors:

    [screenshots: Thunderbird certificate error dialogs]

    At the same time in /var/log/mail.log I see this:

    Nov 16 12:15:57 BTContractTest postfix/smtpd[22870]: connect from 51-28-134-95.pool.ukrtel.net[95.134.28.51]
    Nov 16 12:15:58 BTContractTest postfix/smtpd[22870]: Anonymous TLS connection established from 51-28-134-95.pool.ukrtel.net[95.134.28.51]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    Nov 16 12:15:58 BTContractTest postfix/smtpd[22870]: warning: TLS library problem: 22870:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1258:SSL alert number 48:
    Nov 16 12:15:58 BTContractTest postfix/smtpd[22870]: lost connection after STARTTLS from 51-28-134-95.pool.ukrtel.net[95.134.28.51]  
    

    When I try `openssl s_client -connect mail.btcontract.com:143 -starttls imap` I first see this:

    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.btcontract.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.btcontract.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = mail.btcontract.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    

    What is going on and what should I do to fix all this?
    Also, these are all the files I've got from the certificate authority: [screenshot: files received from the CA]

    I don't use intermediate certs anywhere, could that be the source of problem?

    UPDATE

    Following Thomas Pornin's advice I did the following:

    cat mail_btcontract_com.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > full.crt  
    

    and then in Postfix main.cf:

    smtpd_tls_cert_file  = /etc/ssl/mail/full.crt
    smtpd_tls_key_file   = /etc/ssl/mail/mail_btcontract_com.key
    smtpd_tls_CAfile     = /etc/ssl/mail/AddTrustExternalCARoot.crt
    smtp_tls_CAfile      = /etc/ssl/mail/AddTrustExternalCARoot.crt
    

    dovecot.conf:

    ssl_cert =< /etc/ssl/mail/full.crt
    

    And now I'm getting a different error:

    Nov 16 13:28:09 BTContractTest postfix/smtpd[23921]: warning: cannot get RSA private key from file /etc/ssl/mail/mail_btcontract_com.key: disabling TLS support 
    Nov 16 13:28:09 BTContractTest postfix/smtpd[23921]: warning: TLS library problem: 23921:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:  
    

    I've tried switching the places of the concatenated certificates and also tried to include the root CA like this:

    cat AddTrustExternalCARoot.crt mail_btcontract_com.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > full.crt  
    

    But no luck so far.

  • In SSL/TLS, the server is supposed to send not only its certificate, but a complete chain that goes from the root to the server's certificate (the root itself may be omitted, but the intermediate CA should be sent). If the server does not send a complete chain, then it is up to the client to try to complete it, e.g. by downloading the missing certificate, but it is not mandatory for SSL/TLS clients to do any effort in that respect. A client may reject an incomplete chain right away.

    The smtpd_tls_cert_file option should point to a file that contains the chain, i.e. all the certificates in PEM format, concatenated in the chain order (starting with the server's certificate). See the documentation. PEM format is the one where the certificate is encoded in Base64, with an explicit -----BEGIN CERTIFICATE----- header. If you have a certificate in binary format, you can convert it to PEM with:

    openssl x509 -inform DER -in cert.crt -out cert.pem
    

    First open with a text editor (or a simple `more` command) the certificates you have to see if they are in binary, or already in PEM. Then concatenate the PEM certificates in a single text file, as described by the Postfix documentation.

    Root and two intermediary certs appear to be in text format, so I've concatenated them in a single file and pointed Postfix and Dovecot to it. Now I see a different error in `mail.log` when I try to connect:

    Nov 16 13:28:09 BTContractTest postfix/smtpd[23921]: warning: cannot get RSA private key from file /etc/ssl/mail/mail_btcontract_com.key: disabling TLS support
    Nov 16 13:28:09 BTContractTest postfix/smtpd[23921]: warning: TLS library problem: 23921:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:330:
    

    And `openssl` command response is: `3073783484:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:`

    Chances are that you concatenated the certificates in the wrong order. Postfix will use the _first_ certificate in the file as its own certificate, and will try to match the private key with the public key in that certificate.

    I've tried them in all combinations, always having `mail_btcontract_com.crt` first and then the two intermediate certs after it. So three certs in total... Perhaps I should include the Root CA first and then the three remaining CAs?

    After concatenating the three certs and issuing `openssl s_client -connect mail.btcontract.com:143 -starttls imap -CApath /etc/ssl/mail/` (with an explicit path to the root CA directory) the output is fine. I don't yet understand why Postfix still has problems.
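As an added example (not code from the original post, and not part of Postfix, Dovecot or OpenSSL's own tooling), the two checks that separate the "unknown ca" / verify error 20 problem from the "key values mismatch" problem: it builds a constructed throwaway root -> intermediate -> server chain under placeholder names, then confirms that the private key matches the first certificate in a bundle (the one Postfix uses as its own) and that the bundle chains to the root using only the certificates it carries.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway root -> intermediate
# -> server chain with constructed placeholder names (not the real Comodo files) and runs
# the two checks behind the errors in the thread:
#   verify error 20 / "tlsv1 alert unknown ca": the bundle lacks the intermediate cert;
#   "X509_check_private_key:key values mismatch": the key does not match the FIRST cert
#   in the bundle, which is the one Postfix (smtpd_tls_cert_file) treats as its own.
set -e
WORK=$(mktemp -d)

# Prints 1 if the private key matches the first certificate in the bundle, else 0.
# `openssl x509` reads only the first certificate in the file, exactly as Postfix does.
key_matches_first_cert() {   # $1 = bundle file, $2 = private key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] && echo 1 || echo 0
}

# Prints 1 if the first certificate in the bundle chains to the trusted root using
# only the other certificates in that same bundle (what a strict client sees), else 0.
bundle_chains_to_root() {    # $1 = bundle file, $2 = trusted root file
    if openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Constructed test PKI: a root CA, an intermediate CA and a server certificate.
make_test_pki() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 1 \
        -out root.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 1 -out inter.crt 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 1 -out server.crt 2>/dev/null
    cat server.crt inter.crt > good.crt    # correct order: server cert first, then its issuer
    cat inter.crt server.crt > wrong.crt   # intermediate first: reproduces the key mismatch
}

make_test_pki
echo "good.crt   key matches first cert: $(key_matches_first_cert "$WORK/good.crt" "$WORK/server.key")"   # 1
echo "wrong.crt  key matches first cert: $(key_matches_first_cert "$WORK/wrong.crt" "$WORK/server.key")"  # 0
echo "good.crt   chains to root:         $(bundle_chains_to_root "$WORK/good.crt" "$WORK/root.crt")"      # 1
echo "server.crt chains to root:         $(bundle_chains_to_root "$WORK/server.crt" "$WORK/root.crt")"    # 0
```

A bundle with the intermediate first still passes the chain check (its first certificate does chain to the root), so the chain check alone never catches the ordering mistake behind the key mismatch; the key check does.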
