Hi,
When you configure SSL for a website, Virtualmin does not configure the intermediate CA into the certificate. The issue is that Dovecot REQUIRES the intermediate CA to be combined into the ssl_cert parameter.
As said in the Dovecot documentation:
Chained SSL certificates
Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
Dovecot's public certificate
TDC SSL Server CA
TDC Internet Root CA
Globalsign Partners CA
As Virtualmin does not copy it, this means it will fail for all authorities that require an intermediate CA, like Let's Encrypt:
local_name xxxxxxxxxxxxx {
  ssl_cert = </home/zero00-site-par-defaut/ssl.cert
  ssl_key = </home/zero00-site-par-defaut/ssl.key
}
-rwx------ 1 zero00-site-par-defaut 000-site-par-defaut 1.9K Apr 24 17:15 /home/zero00-site-par-defaut/ssl.cert
>: grep '\-\-' /home/zero00-site-par-defaut/ssl.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/#...
Would it be possible for Virtualmin to use the combined file and not the cert file for Dovecot?
PS: ssl_ca is used for client auth and not for the intermediate CA.
best regards, Ghislain.
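A check for the condition described in the post above, as an added example that is not part of the original post or of Virtualmin's code: it lists every ssl_cert file referenced in a Dovecot config and counts the PEM certificates in each, so a file holding only the leaf certificate stands out. The function names are hypothetical, and the sample config and PEM marker files are constructed (they contain no real certificates).

```shell
#!/bin/sh
# Added example: audit the ssl_cert files referenced by a Dovecot config.

# Print the number of PEM certificates in a file (0 if it is unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print "STATUS count path" for each "ssl_cert = <path" line in the config.
#   MISSING   file unreadable or contains no certificate
#   LEAF_ONLY one certificate, so no intermediate is bundled with it
#   CHAIN     two or more certificates
audit_dovecot_certs() {
    sed -n 's/^[[:blank:]]*ssl_cert[[:blank:]]*=[[:blank:]]*<[[:blank:]]*\([^[:blank:]]*\).*$/\1/p' "$1" |
    while IFS= read -r path; do
        n=$(count_certs "$path")
        case $n in
            0) status=MISSING ;;
            1) status=LEAF_ONLY ;;
            *) status=CHAIN ;;
        esac
        printf '%s %s %s\n' "$status" "$n" "$path"
    done
}

# Constructed sample: PEM marker lines only, standing in for real files.
sample=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' \
    > "$sample/ssl.cert"
# ssl.combined stands for leaf + intermediate, i.e. two PEM blocks.
{ cat "$sample/ssl.cert"; cat "$sample/ssl.cert"; } > "$sample/ssl.combined"
cat > "$sample/dovecot.conf" <<EOF
local_name a.example {
  ssl_cert = <$sample/ssl.cert
}
local_name b.example {
  ssl_cert = <$sample/ssl.combined
}
EOF

audit_dovecot_certs "$sample/dovecot.conf"
```

A count of one is a heuristic: it also matches a self-signed certificate, which has no intermediate to bundle.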
Comments
Submitted by gadnet@aqueos.com on Tue, 05/05/2020 - 09:50 Comment #1
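This can be automated by a hook that does this:
# SAUTDELIGNE ("line break") is assumed to be set by the surrounding hook script.
if [ -f /etc/dovecot/dovecot.conf ]; then
    echo -e "Correction et redemmarage de dovecot ${SAUTDELIGNE}"
    # Point every ssl_cert that ends in /ssl.cert at /ssl.combined instead.
    # The dot is escaped and the match anchored so only "ssl.cert" itself is rewritten.
    sed -i 's/^[[:blank:]]*ssl_cert[[:blank:]]*=\([[:blank:]]*<.*\)\/ssl\.cert[[:blank:]]*$/ssl_cert=\1\/ssl.combined/' /etc/dovecot/dovecot.conf
    service dovecot reload
    echo -e "${SAUTDELIGNE}${SAUTDELIGNE}"
fi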
Submitted by gadnet@aqueos.com on Tue, 05/05/2020 - 10:07 Comment #2