# Dovecot SSL issue



## xy16644 (Apr 6, 2014)

I ran a vulnerability test on my server this week and the one issue I noticed was the following error with IMAPS on port 993 (I use the latest version of Dovecot):

*SSL Certificate - Signature Verification Failed Vulnerability*

When I run `openssl s_client -connect mail.domain.com:993` on the server I get the following errors:


```
Verify return code: 21 (unable to verify the first certificate)
```

After much research online it looks like I need to use an intermediate certificate with my own certificate in Dovecot. Dovecot doesn't seem to have an option in the /usr/local/etc/dovecot/conf.d/10-ssl.conf to specify intermediate certificates so you have to cat the files together. The first thing I did was download the CA root and intermediate/bundle files from Comodo so now I have two certificate files called:

AddTrustExternalCARoot.crt
PositiveSSLCA2.crt

I then ran:

```
cat mail_domain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > mail_domain_com_chained
```

And updated /usr/local/etc/dovecot/conf.d/10-ssl.conf as follows:

```
ssl_cert = </usr/local/openssl/certs/mail_domain_com_chained
```

I then restarted Dovecot and ran `openssl s_client -connect mail.domain.com:993` again but now I get an error saying my certificate is self signed!


```
Verify return code: 19 (self signed certificate in certificate chain)
```

Since I am out of ideas here, what do I need to resolve this error? I'm clearly doing something wrong!

How do I get my trusted certificate from Comodo to work with Dovecot so that when I do a test it says that everything is ok and it knows it is a trusted certificate?

PS: I also tried: `cat mail_domain_com.crt PositiveSSLCA2.crt  > mail_domain_com_chained` but this didn't fix the issue.

PPS: I did read the Dovecot documentation but all it says is this:



> Chained SSL certificates
> 
> Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:
> 
> ...


----------



## xtaz (Apr 7, 2014)

Try including the trusted root CA list by doing `openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect mail:993`

OpenSSL has nothing to validate it against which is why it says it thinks it is self-signed. If you don't have that file it is installed from security/ca_root_nss
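The two verify errors in this thread (21 when only the leaf is served, 19 when the root is served but not trusted) and the fix can be reproduced offline with a throwaway chain. This is an added example, not code from the thread or from Dovecot; the CA names, subjects and file names are made up, and it assumes the `openssl` CLI is on PATH.

```shell
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with the openssl CLI and reproduce the two verify errors from the post.
# All names/subjects are made up; needs the openssl command on PATH.
set -e
WORK=$(mktemp -d)
# Minimal req config so the demo does not depend on the system openssl.cnf
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
# issue NAME SUBJECT EXT_SECTION [ISSUER]: self-signed when no issuer is given
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 2 \
      -extfile "$WORK/req.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" -CAcreateserial \
      -days 2 -extfile "$WORK/req.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
  fi
}
make_chain() {
  issue root  "/CN=Demo Root CA" ca_ext                # plays AddTrustExternalCARoot.crt
  issue inter "/CN=Demo Intermediate CA" ca_ext root   # plays PositiveSSLCA2.crt
  issue leaf  "/CN=mail.example.test" leaf_ext inter   # plays mail_domain_com.crt
  # What ssl_cert should serve: leaf first, then intermediate(s); the root is not needed
  cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/chained.crt"
}
# Leaf served alone: no issuer available to build the chain (s_client reports code 21)
verify_leaf_alone() { openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt"; }
# Intermediate and root both served, but no trust store holds the root: code 19
verify_chain_no_trust_store() {
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/served_cas.crt"
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/served_cas.crt" "$WORK/leaf.crt"
}
# Leaf plus intermediate served, root trusted via -CAfile (xtaz's fix): verifies OK
verify_leaf_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/leaf.crt"
}
```

Against a live server the equivalent check is `openssl s_client -CAfile <root bundle> -connect host:993`, which is what the reply above suggests.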


----------



## xy16644 (Apr 7, 2014)

Yeah, that was the issue. I didn't realise you had to tell openssl to use a root CA. Thanks!


----------

