Since changing the certificate for my cyrus instance I get the following warning whenever I sign with cyradm:
cyradm --user cyrus --authz cyrus localhost
verify error:num=19:self signed certificate in certificate chain
which is an OpenSSL error that also shows up when connecting to the server with openssl s_client -connect FQDN
(I've replaced my subject/certificate name with FQDN and omitted the certificate block for posting):
CONNECTED(00000003)
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=FQDN
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=FQDN
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4171 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 88FC7D094D2B0A0EAD11ADBAB0F4605CFF8B72DA0079C3C6E47939018C4CA3D4
Session-ID-ctx:
Master-Key: A88EF226C587C6F9AE43EC7D04D6BC462E657ED851B6FC336940898A57C31E55BCFFACDFFEDBAFB3C65A024F27EB1006
Key-Arg : None
Start Time: 1431561482
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=LOGIN AUTH=PLAIN SASL-IR] FQDN Cyrus IMAP v2.4.12-Debian-2.4.12-2 server ready
This is from my /etc/imapd.conf:
tls_ca_path: /etc/ssl/certs
tls_ca_file: /etc/ssl/certs/TERENA_SSL_CA.pem
tls_cert_file: /etc/ssl/certs/mail.pem
tls_key_file: /etc/ssl/private/mail.key
I got the TERENA CA cert from https://www.terena.org/activities/tcs/repository/, Section "TCS CA certificates (SHA1)/ TERENA SSL CA (PEM)". Checking the file with less shows there is only one certificate in the file, so that cannot be the reason for including the root cert. The root cert in question "UTN_USERFirst_Hardware_Root_CA.pem" is part of the ca-certificates package which is installed on the server.
I have no clue why cyrus insists on delivering the root cert of the chain and then complaining about it.
Update 1:
- The system is running Ubuntu 12.04.
- Permissions of the intermediate CA are 644, permissions of leaf are 444.
- ls -lah /etc/ssl/certs/cyrus* does nothing, there is no such folder.
- openssl x509 -in /etc/ssl/certs/cyrus-imapd-ca.pem -noout -text |grep Issuer, with file path to my cert, has:
  Issuer: C=NL, O=TERENA, CN=TERENA SSL CA
  CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt
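As an added example (not part of the original post), a small Python script that parses the "Certificate chain" section of openssl s_client output like the one quoted above and reports the chain depth, whether each issuer line matches the next subject, whether the last certificate the server sends is self-signed (i.e. the server is including the root), and which verify errors appeared; the sample text is constructed from the post's output, with FQDN standing in for the host name.

```python
import re

# Constructed sample, modelled on the openssl s_client output quoted in the post
# (FQDN stands in for the real host name, as it does there).
SAMPLE_OUTPUT = """\
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=FQDN
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
"""

def parse_chain(output):
    """(subject, issuer) pairs from the 'Certificate chain' section, leaf first."""
    chain, subject, in_chain = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):       # end of the chain section
            break
        # ' 0 s:<subject>' lines carry an index, the following '   i:<issuer>' line does not
        m = re.match(r"\s*(?:\d+\s+)?([si]):(.*)$", line)
        if not m:
            continue
        if m.group(1) == "s":
            subject = m.group(2)
        else:                            # the 'i:' line completes one entry
            chain.append((subject, m.group(2)))
    return chain

def verify_errors(output):
    """Every 'verify error:num=N:text' line as an (N, text) pair."""
    return re.findall(r"verify error:num=(\d+):(.*)", output)

def analyse(output):
    """Depth, issuer-to-subject linkage, whether the root itself was sent, and errors."""
    chain = parse_chain(output)
    links_ok = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    root_sent = bool(chain) and chain[-1][0] == chain[-1][1]
    return {"depth": len(chain), "links_ok": links_ok,
            "root_sent": root_sent, "errors": verify_errors(output)}
```

A root that the server sends is not trusted simply because it is present in the chain; error num=19 means OpenSSL could build the chain from the presented certificates but did not find that self-signed root in the client's own trust store (for s_client, the one given with -CAfile or -CApath).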