On 28.12.2023 16:57, Carlos E. R. wrote: ...
I had seen that thread back in July, but back then I did not read it completely; it worked before doing that.
Problem is, TB does not ask to create an exception.
Well, the intended way to use X.509 certificates is to have them signed by a known CA, not to rely on force-accepting them in any particular program. Certificates not signed by a trusted authority are by definition not to be trusted.
Currently, I have TB working by NOT using connection security.
Post <https://dovecot.org/list/dovecot/2022-September/125357.html> says to use extension "Subject Alt Names".
Next post (<https://dovecot.org/list/dovecot/2022-September/125383.html>) says to:
Practically this means you need to make sure that if you use self-signed or internal CA certificates you include subjectAlternativeName otherwise they won't work with some client software. If you use public CA-signed certs you typically don't need to do this yourself because the CA adds SAN if missing from the CSR (their only other option is to reject issuance).
I don't know what that means. I.e., I don't know what to add to dovecot-openssl.cnf, if that is what I have to do (and assuming it is /etc/ssl/private/dovecot.* they are talking about).
"They" are talking about your certificate.
If it is "/etc/dovecot/dh.pem", I have no idea at all.
Also, I have no idea how to extend the validity of the certificate to be "forever", not just two years. [...] Oh, yes, I do, but I forgot. I had edited mkcert.sh:
    #$OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
    #        -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
    #CER 20230602
    $OPENSSL req -new -x509 -nodes -days 3650 -config $OPENSSLCONFIG \
            -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
Seems I missed the second "365".
10 years is not "forever".
Ah, another post clarifies:
    CN = example.com
    SAN.1 = example.com
    SAN.2 = www.example.com
or
    CN = www.example.com
    SAN.1 = www.example.com
    SAN.2 = example.com
...
Ok, trying to create new certificates:
    Telcontar:/etc/dovecot # time bash ./mkcert.sh
    Generating a RSA private key
    ...............+++++
    ........+++++
    writing new private key to '/etc/ssl/private/dovecot.pem'
    -----
    problems making Certificate Request
    140165362526016:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:crypto/asn1/a_object.c:73:
    140165362526016:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:crypto/x509/x509name.c:252:name=SAN

    real    0m0.012s
    user    0m0.012s
    sys     0m0.000s
    Telcontar:/etc/dovecot #
It doesn't like that "SAN" thing. Blocked again.
I have no idea what you did, where you added these lines or what this script does.

    bor@bor-Latitude-E5450:/tmp/san$ cat san.cnf
    [req_ext]
    subjectAltName = @alt_names
    [alt_names]
    IP.1 = 10.10.10.13
    IP.2 = 10.10.10.14
    IP.3 = 10.10.10.17
    DNS.1 = centos8-2.example.com
    DNS.2 = centos8-3.example.com
    bor@bor-Latitude-E5450:/tmp/san$ openssl genrsa -out domain.key 2048
    bor@bor-Latitude-E5450:/tmp/san$ openssl req -key domain.key -new -out domain.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    bor@bor-Latitude-E5450:/tmp/san$
    bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -signkey domain.key -in domain.csr -req -days 365 -out domain.crt -extfile san.cnf -extensions req_ext
    Certificate request self-signature ok
    subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
    bor@bor-Latitude-E5450:/tmp/san$ openssl x509 -noout -text -in domain.crt | grep -A3 'X509v3 extensions'
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    IP Address:10.10.10.13, IP Address:10.10.10.14, IP Address:10.10.10.17, DNS:centos8-2.example.com, DNS:centos8-3.example.com
                X509v3 Subject Key Identifier:
    bor@bor-Latitude-E5450:/tmp/san$

And SAN is just one /possible/ reason why the certificate is not accepted. Yes, Thunderbird could be more helpful in explaining what it does not like.
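Added example, not from either poster: the one-step equivalent of the session above for a self-signed server certificate, using `openssl req -addext` (OpenSSL 1.1.1 or later) so the SAN is written without a separate CSR and extfile, followed by the two checks a mail client effectively performs: that a SAN is present, and that the hostname being connected to matches it. The hostnames `mail.example.test`/`imap.example.test`, the file names and the output directory are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Creates a self-signed certificate whose
# subjectAltName lists every hostname the server is reached by, then checks it
# the way a TLS client would. Hostnames and paths are placeholders.
set -eu

# make_san_cert <outdir> <primary-fqdn> [extra-fqdn...]
# Writes <outdir>/dovecot.key and <outdir>/dovecot.pem. The CN is the primary
# name, and every name (primary included) is also a DNS SAN entry, because
# clients match the connected hostname against the SAN, not the CN.
make_san_cert() {
    outdir=$1; primary=$2; shift 2
    san="DNS:$primary"
    for extra in "$@"; do
        san="$san,DNS:$extra"
    done
    mkdir -p "$outdir"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$primary" \
        -addext "subjectAltName=$san" \
        -keyout "$outdir/dovecot.key" -out "$outdir/dovecot.pem" 2>/dev/null
}

# san_names <cert>: print the SAN entries of a certificate, comma separated
# with spaces removed; prints nothing if the extension is absent.
san_names() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# matches_host <cert> <hostname>: succeed only if the self-signed certificate
# chains to itself and <hostname> matches one of its names (SAN first).
matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Usage: sh make-san-cert.sh <outdir> <fqdn> [extra-fqdn...]
if [ $# -ge 2 ]; then
    make_san_cert "$@"
    echo "SAN: $(san_names "$1/dovecot.pem")"
fi
```

Point the mail server's ssl_cert/ssl_key at the generated pair and connect using a name that `matches_host` accepts; a name it rejects is exactly what the client will refuse, SAN or not.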