Opened 3 years ago

Closed 3 years ago

#11616 closed Bug/Something is broken (fixed)

dovecot proxy on gil/paulo won't access lets encrypt certificate

Reported by: Jamie McClelland Owned by: JaimeV
Priority: Urgent Component: Tech
Keywords: letsencrypt dovecot Cc:
Sensitive: no


When I replaced june's certificate with a lets encrypt certificate (that gnutls-cli accepted as valid), IMAP connections proxied via gil were refused.

Apr  4 12:45:13 gil dovecot: imap-login: Error: proxy: Received invalid SSL certificate from unable to get local issuer certificate: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3: user=<jamie-ussf>, method=PLAIN, rip=, lip=, TLS, session=<4EXic6svgQDRM6MR>

We should try to sort this out since we will want to use letsencrypt on moshes.

Change History (5)

comment:1 Changed 3 years ago by JaimeV

Owner: set to JaimeV
Status: new → assigned

Looking through /etc/dovecot/conf.d/99-mfpl-proxy.conf I noticed the reference to #8037 and our custom /etc/ssl/mfpl.certs file. Concatenating /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt to /etc/ssl/mfpl.certs and restarting dovecot on both gil and paulo solves the issue. I didn't see a reference to this file in our puppet repo. Should it be included and sourced in m_mailproxy.pp?

Last edited 3 years ago by JaimeV
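The failure and the fix from comment 1, reproduced offline as an added example (not part of the ticket or the puppet repo): a throwaway root and a backend leaf are generated, verification against a bundle that lacks the issuer fails with the same "unable to get local issuer certificate" condition the log shows, and appending the root to the bundle makes it pass. It assumes the openssl command-line tool and that the proxy's custom bundle is the file its dovecot config points at; all paths and names are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket). Everything lives in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA, standing in for the DST Root CA X3 that mfpl.certs lacked
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# An unrelated CA: what the custom bundle held before the fix
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
# Backend leaf certificate (the june-like host) signed by Example Root
openssl req -newkey rsa:2048 -nodes -subj "/CN=june.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null

# bundle_validates BUNDLE LEAF: exit 0 if LEAF chains to a trust anchor in BUNDLE.
# This is the check the dovecot proxy performs before trusting the backend.
bundle_validates() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# proxy_chain_ok HOST PORT BUNDLE: the same check against a live IMAPS backend
# (not run here; needs network). Non-zero exit means the proxy would refuse it.
proxy_chain_ok() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Custom bundle that, like mfpl.certs before the fix, lacks the issuing root
cp "$WORK/other.crt" "$WORK/mfpl.certs"
if bundle_validates "$WORK/mfpl.certs" "$WORK/leaf.crt"; then
    echo "unexpected: leaf verified without its root in the bundle"
else
    echo "before fix: unable to get local issuer certificate (as in the log)"
fi

# The fix from comment 1: concatenate the missing root onto the bundle
cat "$WORK/root.crt" >> "$WORK/mfpl.certs"
if bundle_validates "$WORK/mfpl.certs" "$WORK/leaf.crt"; then
    echo "after fix: leaf chains to a root in the bundle"
fi
```

Pointing proxy_chain_ok at the backend with the bundle the proxy actually uses is the quickest way to confirm the restart picked up the new file.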

comment:2 Changed 3 years ago by Jamie McClelland

This sounds like some kind of bug that should be fixed properly. Why isn't that cert already compiled into /etc/ssl/certs? It should be done by the ca-certificates package.

comment:3 Changed 3 years ago by JaimeV

It is. But from what I can gather from #8037 we've specifically created our own short list of certs in /etc/ssl/mfpl.certs for gil and paulo.

comment:4 Changed 3 years ago by Jamie McClelland

Ahhh.... Nice work Jaime. You are absolutely correct. I had forgotten about that ticket. And yet, let's put this in puppet.

comment:5 Changed 3 years ago by Jamie McClelland

Resolution: fixed
Status: assigned → closed

I've finally fixed this in puppet (via the m_dovecot.pp file).
