EDIT: running openssl s_client -connect mail.mydomain.com:993 -showcerts -CAfile identtrustroot.pem
works. So that suggests that node tls doesn't have any knowledge of that root; surely that can't be?
I've got a dovecot instance issuing a LetsEncrypt cert for mail.mydomain.com. Thunderbird doesn't complain, webmail doesn't complain, but both openssl s_client and nodejs tls do.
Example:
$ openssl s_client -connect mail.mydomain.com:993 -showcerts
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=mail.domain.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
#
# Removed for brevity
#
ZlmxXZ8eRkcfhlu6Sw==
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
#
# Removed for brevity
#
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3176 bytes and written 334 bytes
Verification error: unable to get local issuer certificate
---
My dovecot config simply points to the Certbot generated fullchain.pem and privkey.pem.
When using nodejs tls, I get a similar problem:
[connection] Error: Error: self signed certificate in certificate chain
{ Error: self signed certificate in certificate chain
at TLSSocket.<anonymous> (_tls_wrap.js:1108:38)
at emitNone (events.js:105:13)
at TLSSocket.emit (events.js:207:7)
at TLSSocket._finishInit (_tls_wrap.js:638:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38) code: 'SELF_SIGNED_CERT_IN_CHAIN', source: 'socket' }
[connection] Closed
The cert's CN is the same as the host, mail.domain.com, but I can only assume I'm either missing a cert or dovecot is in some way incorrectly configured. Has anyone come across this before or got any suggestions?
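The failure above is a trust-store problem on the client side, not a dovecot one: fullchain.pem carries the leaf and the intermediate, and the client has to supply the root itself. The script below, an added example and not part of the question or answer, reproduces that with a throw-away three-tier PKI (root, intermediate, leaf; all names are placeholders) and runs openssl verify once against the host's default trust store and once with the root passed via -CAfile, which is the same chain-building step s_client performs. It also extracts the issuer of the last certificate in fullchain.pem, which is the subject of the root a client needs to trust.

```shell
#!/bin/sh
# Added example: builds a constructed root -> intermediate -> leaf chain and shows
# why a client that does not know the root fails with
# "unable to get local issuer certificate" even though fullchain.pem is complete.
# Nothing here contacts a real host; all names are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: a root may sign sub-CAs, the intermediate may only sign leaves.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# 1. Self-signed root (stand-in for the DST Root CA X3 seen in the question).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Trust/CN=Example Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile root.ext -out root.pem 2>/dev/null

# 2. Intermediate signed by the root (stand-in for Let's Encrypt Authority X3).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Trust/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# 3. Leaf (server) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What certbot's fullchain.pem looks like: leaf followed by intermediate, no root.
cat leaf.pem inter.pem > fullchain.pem

# Emulates the failing clients: no -CAfile, so only the host's default trust store
# is consulted. It does not contain our constructed root, so chain building stops
# at the intermediate (depth 1) with error 20. Prints openssl's diagnostics.
verify_without_root() {
  openssl verify -untrusted inter.pem leaf.pem 2>&1 || true
}

# Emulates a client that trusts the root (s_client -CAfile, or a node tls client
# given the root in its ca option). Prints "leaf.pem: OK" on success.
verify_with_root() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1
}

# Prints the issuer DN of the last certificate in a PEM bundle, i.e. the root
# that the server's chain expects the client to already trust.
chain_top_issuer() {
  awk '/-----BEGIN CERTIFICATE-----/ {buf=""} {buf=buf $0 "\n"} END {printf "%s", buf}' "$1" \
    | openssl x509 -noout -issuer | sed 's/^issuer=//'
}

# Prints the subject DN of a single certificate, for comparison with the above.
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'
}

echo "Without the root in the trust store (what the question's clients see):"
verify_without_root
echo "With the root supplied via -CAfile:"
verify_with_root
echo "Root the chain expects the client to trust: $(chain_top_issuer fullchain.pem)"
```

Compare the last line of output with the subject of the root you intend to pass via -CAfile (or load into node's ca option); if they differ, you are supplying the wrong root, which produces the same "unable to get local issuer certificate" as supplying none.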
Best Answer
Works fine on my machine (Debian Jessie). I've had an issue with an older version of the certbot client, on an older version of Debian, using Courier - the fullchain.pem certificate wasn't created automatically, I had to cat several certs together to generate it each time I updated.
Output of your same sslclient command followed by output of doveconf -n from one working machine:
And the doveconf -n output: