
Since changing the certificate for my cyrus instance I get the following warning whenever I sign in with cyradm:

cyradm --user cyrus --authz cyrus localhost
verify error:num=19:self signed certificate in certificate chain

which is an OpenSSL error that also shows up when connecting to the server with openssl s_client -connect FQDN (I've replaced my subject/certificate name with FQDN and omitted the certificate block for posting):

CONNECTED(00000003)
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=FQDN
   i:/C=NL/O=TERENA/CN=TERENA SSL CA
 1 s:/C=NL/O=TERENA/CN=TERENA SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=FQDN
issuer=/C=NL/O=TERENA/CN=TERENA SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4171 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 88FC7D094D2B0A0EAD11ADBAB0F4605CFF8B72DA0079C3C6E47939018C4CA3D4
    Session-ID-ctx: 
    Master-Key: A88EF226C587C6F9AE43EC7D04D6BC462E657ED851B6FC336940898A57C31E55BCFFACDFFEDBAFB3C65A024F27EB1006
    Key-Arg   : None
    Start Time: 1431561482
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE AUTH=LOGIN AUTH=PLAIN SASL-IR] FQDN Cyrus IMAP v2.4.12-Debian-2.4.12-2 server ready

This is from my /etc/imapd.conf:

tls_ca_path:            /etc/ssl/certs
tls_ca_file:            /etc/ssl/certs/TERENA_SSL_CA.pem
tls_cert_file:          /etc/ssl/certs/mail.pem
tls_key_file:           /etc/ssl/private/mail.key

I got the TERENA CA cert from https://www.terena.org/activities/tcs/repository/, Section "TCS CA certificates (SHA1)/ TERENA SSL CA (PEM)". Checking the file with less shows there is only one certificate in the file, so that cannot be the reason for including the root cert. The root cert in question "UTN_USERFirst_Hardware_Root_CA.pem" is part of the ca-certificates package which is installed on the server.

I have no clue why cyrus insists on delivering the root cert of the chain and then complaining about it.

Update 1:

  • The system is running Ubuntu 12.04.
  • Permissions of the intermediate CA are 644, permissions of leaf are 444.
  • ls -lah /etc/ssl/certs/cyrus* does nothing, there is no such folder.
  • openssl x509 -in /etc/ssl/certs/cyrus-imapd-ca.pem -noout -text |grep Issuer, run with the file path of my cert, gives:

    Issuer: C=NL, O=TERENA, CN=TERENA SSL CA
            CA Issuers - URI:http://crt.tcs.terena.org/TERENASSLCA.crt

GhostLyrics
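
As an added example (not part of the original question and not Cyrus code), the shell script below constructs a throwaway root / intermediate / leaf chain with openssl and runs openssl verify against different trust files. It shows what verify error 19 actually reports: the certificates presented by the server end in a self-signed root that is absent from the verifier's trust store. It also contrasts that with error 20, which is what an incomplete chain produces. All names (Example Root, Example Intermediate CA, mail.example.test, the file names) are made up, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example for this page (not from the original question or from Cyrus):
# reproduce OpenSSL verify error 19 with a constructed three-level chain and
# show which trust-store contents make it go away.  All names below
# (Example Root, Example Intermediate CA, mail.example.test) are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the script does not depend on /etc/ssl/openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Self-signed root CA.  $1 = file stem, $2 = CN
mk_root() {
    openssl req -x509 -config ca.cnf -extensions v3_ca -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" -days 2 2>/dev/null
}

# Certificate signed by an existing CA.
# $1 = file stem, $2 = CN, $3 = issuer stem, $4 = extension section in ca.cnf
mk_signed() {
    openssl req -new -config ca.cnf -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -extfile ca.cnf -extensions "$4" -out "$1.pem" -days 2 2>/dev/null
}

# Number of PEM certificates in a file (the question checked this "with less").
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Numeric X509 verify result (0 = OK) for: $1 trust file (the tls_ca_file
# analogue), $2 certificates presented by the server, $3 the server's leaf.
# The exit status is not used because OpenSSL 1.0.x returned 0 even on failure;
# the "error N at D depth lookup" line is parsed instead.
verify_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
    else
        printf '%s\n' "$out" >&2
        echo -1
    fi
}

mk_root   root  "Example Root"
mk_root   other "Unrelated Root"          # stands in for a trust store lacking our root
mk_signed int   "Example Intermediate CA" root v3_ca
mk_signed leaf  "mail.example.test"       int  v3_leaf

cat int.pem root.pem > chain_with_root.pem   # server sends intermediate + root
cp  int.pem            chain_int_only.pem    # server sends intermediate only

echo "certificates in intermediate-only bundle:   $(count_certs chain_int_only.pem)"
echo "root not trusted, server sends root:        $(verify_code other.pem chain_with_root.pem leaf.pem)"   # 19
echo "root not trusted, server omits root:        $(verify_code other.pem chain_int_only.pem leaf.pem)"    # 20
echo "root trusted, server sends root:            $(verify_code root.pem chain_with_root.pem leaf.pem)"    # 0
echo "root trusted, server omits root:            $(verify_code root.pem chain_int_only.pem leaf.pem)"     # 0
```

The numeric code is the useful part of OpenSSL's message: 19 means the verifier saw a self-signed certificate at the top of the presented chain and could not find that same certificate in its own trust store, whereas 20 means the chain stopped short of any trusted certificate. Sending the root is harmless once the root is trusted, as the last two lines show. Running the same script with a trust file that holds only the intermediate is also instructive, but the code reported for that case changed between OpenSSL 1.0.x and later releases, so compare against the version actually installed.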

1 Answer


Probably the error message is misleading - I also get this error since I changed the servername setting in imapd.conf (Debian 8.2/stable).

I have set up two twin-like servers, std install, using an intermediate cert from RapidSSL. Both run cyrus-imapd with absolutely identical setup (I compared the config files with diff to make sure). Just b/c I'm pedantic, I changed the servername in imapd.conf to the same CNAME on both servers - one is master, the other should become a replica server for fail-over, hence the same name. This also changes the AUTH realm of SASL, of course. While on srv1 I get the error 19 you observed also when using the cyrus uid with standard realm (plain hostname), on srv2 I get another error (with identical setup, but a different canonical domain name), namely this one:

Login failed: authentication failure at /usr/lib/x86_64-linux-gnu/perl5/5.20/Cyrus/IMAP/Admin.pm line 120.

Funny, isn't it? If I uncomment servername in imapd.conf on first or second server, everything works fine without any error. My solution was to add a cyrus SASL user with the realm servername and everything works fine again. The "self signed certificate" error disappeared.

After reading your question I did some more tests: If I set tls_ca_path: /tmp/ and tls_ca_file: to the intermediate cert only, Cyrus still outputs the chained root CA certificate. BUT: It doesn't trigger this error when either uncommenting servername or when adding a SASL user cyrus with same realm as servername.

Pretty weird. Since Cyrus outputs the root CA cert anyway, I'm sure it is not the cause for this error message. I do not get it, neither on the second server, nor on the master with correct SASL realm setting! In my case it was the wrong realm, your mileage may vary. So the err 19 message is in no way related to the root CA cert.

Hope this helps, lbc (yet another Perl hater :-)

LBC