编辑运行openssl s_client -connect mail.mydomain.com:993 -showcerts -CAfile identtrustroot.pem作品。 所以这表明节点tls没有任何根的知识,当然不是?
我有一个dovecot实例为mail.mydomain.com发出一个LetsEncrypt证书。 雷鸟dons't抱怨,networking邮件不抱怨,但都openssl s_client和nodejs tls做。
例:
$ openssl s_client -connect mail.mydomain.com:993 -showcerts depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/CN=mail.domain.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- # # Removed for brevity # ZlmxXZ8eRkcfhlu6Sw== -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- # # Removed for brevity # -----END CERTIFICATE----- --- Server certificate subject=/CN=mail.domain.com issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-384, 384 bits --- SSL handshake has read 3176 bytes and written 334 bytes Verification error: unable to get local issuer certificate ---
我的doveotconfiguration只是指向Cerbot生成的fullchain.pem和privkey.pem。
当使用nodejs tls时,我得到一个类似的问题:
[connection] Error: Error: self signed certificate in certificate chain { Error: self signed certificate in certificate chain at TLSSocket.<anonymous> (_tls_wrap.js:1108:38) at emitNone (events.js:105:13) at TLSSocket.emit (events.js:207:7) at TLSSocket._finishInit (_tls_wrap.js:638:8) at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38) code: 'SELF_SIGNED_CERT_IN_CHAIN', source: 'socket' } [connection] Closed
证书CN与主机mail.domain.com相同,但是我只能假定我缺less证书,或者dovecot在某种方式上configuration不正确。 有没有人遇到过,或有任何build议?
在我的机器上工作正常(Debian Jessie)。 我在使用Courier的老版本的Debian上使用老版本的certbot客户端时遇到了一个问题 – fullchain.pem证书不是自动创build的,每次更新时都必须将多个证书放在一起生成。
输出您的同一个sslclient命令,然后从一台工作机器输出doveconf -n :
ivan@darkstar ~ $ openssl s_client -connect mail.example.com:993 -showcerts CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = example.com verify return:1 --- Certificate chain 0 s:/CN=example.com i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -----BEGIN CERTIFICATE----- MIIFVTCCBD2gAwIBAgISA+jVgnfoK82K032B7XyPIuO2MA0GCSqGSIb3DQEBCwUA ** snip ** idWK19DrVDGbqBItrFBkh9FFbaJDt7P7UUcUPtZW1JS8exsMYoz3peSw7unl+FC6 bVoetZqKD86UdI1nRhfsx5cTtY5IoGMdQg== -----END CERTIFICATE----- 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 -----BEGIN CERTIFICATE----- MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/ ** snip ** KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg== -----END CERTIFICATE----- --- Server certificate subject=/CN=example.com issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-384, 384 bits --- SSL handshake has read 3237 bytes and written 463 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: F533DE0F3B74AA229A9B856A81B36D7B5E537AEDB1A1A70196582BA3734ED361 Session-ID-ctx: Master-Key: 2D16BBC4E5EF3367E448522AB16E8C34C572D0224669FFC9AEECCC6FD2928022E498E761323346D969101B9261825E22 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 02 cb be 44 b3 35 da fc-b9 f1 7f 6f 90 4f 97 9c ...D.5.....oO. 0010 - a8 26 22 8c bb c4 cd e7-f2 94 39 35 27 19 91 b3 .&".......95'... 0020 - 6b 19 b7 cd 89 55 53 78-c6 ba ee 56 36 42 a5 23 k....USx...V6B.# 0030 - b0 43 1e a2 be 65 a8 be-fe 4b a1 68 cb f2 31 b5 .C...e...Kh.1. 0040 - 0f ee 84 e1 d1 b3 e0 9a-c8 5c d1 a3 0f 6b ef c1 .........\...k.. 0050 - 13 c8 2c 1c 7a 43 a5 76-04 a0 d9 5c cf 8e ce a6 ..,.zC.v...\.... 0060 - 26 87 7e d0 0d fd 84 eb-0b 7c 89 7c bf b7 33 94 &.~......|.|..3. 0070 - d4 1e be d1 07 f2 2c 59-9b b0 b9 4b 73 66 27 63 ......,Y...Ksf'c 0080 - 21 a0 e9 88 bf d8 5e 47-e0 3d c1 df fc 60 63 c0 !.....^G.=...`c. 0090 - 1c 67 5e 50 b5 1b 5e 4b-ba 1f 96 4d cc f8 43 a3 .g^P..^K...M..C. Start Time: 1506208904 Timeout : 300 (sec) Verify return code: 0 (ok) --- * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
而doveconf -n输出:
# 2.2.13: /etc/dovecot/dovecot.conf # OS: Linux 4.9.36-x86_64-linode85 x86_64 Debian 8.8 ext4 auth_mechanisms = plain login mail_location = maildir:/var/vmail/%d/%n/Maildir managesieve_notify_capability = mailto managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave namespace inbox { inbox = yes location = mailbox Drafts { auto = subscribe special_use = \Drafts } mailbox Junk { auto = subscribe special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { auto = subscribe special_use = \Trash } prefix = } passdb { args = /etc/dovecot/dovecot-sql.conf.ext driver = sql } plugin { sieve = ~/.dovecot.sieve sieve_after = /etc/dovecot/sieve-after sieve_dir = ~/sieve } postmaster_address = postmaster@%d protocols = " imap lmtp sieve pop3" service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } service lmtp { unix_listener /var/spool/postfix/private/dovecot-lmtp { group = postfix mode = 0600 user = postfix } } ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem ssl_key = </etc/letsencrypt/live/example.com/privkey.pem userdb { args = uid=vmail gid=vmail home=/var/vmail/%d/%n driver = static } protocol lmtp { mail_plugins = " sieve" }