Bug 547370 - net-mail/dovecot: generated certificates do not inherit defaults from /etc/ssl/openssl.cnf
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: Normal major (1 vote)
Assignee: Eray Aslan
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-22 07:33 UTC by Martin Mokrejš
Modified: 2015-04-26 18:18 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Martin Mokrejš 2015-04-22 07:33:21 UTC
My certificates expired and I had to figure out how to re-create them. In brief, uninstallation and removal of /etc/ssl/dovecot does not work with any of the ebuilds tested (2.2.9, 2.2.13, 2.2.16). In all cases the generated self-signed certificate had default values (wrong locality, but also a rather weak RSA 1024-bit cipher):

# openssl s_client -connect pop.mydomain.com:pop3s
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = Santa Barbara, O = Dovecot IMAP Server, OU = For Testing Purposes Only, CN = localhost, emailAddress = root@localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Santa Barbara/O=Dovecot IMAP Server/OU=For Testing Purposes Only/CN=localhost/emailAddress=root@localhost
   i:/C=US/ST=California/L=Santa Barbara/O=Dovecot IMAP Server/OU=For Testing Purposes Only/CN=localhost CA/emailAddress=root@localhost
---
...

I suspect that happens because the certificates are created under sandbox.

Previous ebuilds installed /etc/dovecot/dovecot-openssl.cnf. The file is gone now.

There used to be symlinks from /etc/ssl/dovecot/* files pointing to /etc/ssl/private/ contents.

The ebuild installs a shell script said to be used for certificate regeneration under /usr/share/doc/dovecot-2.2.16/mkcert.sh.bz2, but it used to be installed as /etc/dovecot/mkcert.sh.

I second what was said in bug #163851 that Gentoo should properly fix the paths everywhere if it is installing files into non-official directories. It is difficult to follow any 3rd-party tutorial if the common tools do not fetch values from proper files.

I would like to see Gentoo install a functional /etc/dovecot/mkcert.sh, the one that has been used for creation of the certificate. Currently, it does not work, even if I uncompress the mkcert.sh.bz2 file.

pkg_postinst() should be more informative about re-generation of certificates.

Finally, if I have an existing /etc/ssl/dovecot/server.key file, the ebuild claims it will skip re-generation of keys, but emerge still shows that it does create the keys. It just does not install them?

BTW, there used to be an easy-rsa subdirectory from the openssl example directories, but those are gone from Gentoo as well.
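The two things the report asks for, a certificate generator that does not fall back on the defaults in /etc/ssl/openssl.cnf and a way to tell whether an installed certificate is one of the weak placeholder ones, fit in a short POSIX shell script. The script below is an added example written for this page; it is not the ebuild's mkcert.sh, not Dovecot's own script, and not a Gentoo patch. It assumes only the openssl command-line tool. The host name pop.example.com and the organisation "Example Mail" are placeholders; the 2048-bit minimum and the 30-day expiry window are choices of the example, not values taken from the report or from Dovecot.

```sh
#!/bin/sh
# Added example, not the Gentoo ebuild's mkcert.sh nor Dovecot's own script.
# gen_cert writes an explicit OpenSSL config and issues a self-signed
# server certificate from it, so nothing depends on the defaults in
# /etc/ssl/openssl.cnf; check_cert inspects a PEM certificate for the
# symptoms from the report (short RSA key, placeholder CN) plus expiry.
set -eu

# gen_cert DIR CN BITS [DAYS]: key in DIR/server.key, cert in DIR/server.pem
gen_cert() {
  dir=$1; cn=$2; bits=$3; days=${4:-365}
  mkdir -p "$dir"
  # "Example Mail" is a placeholder organisation; replace it and add C/ST/L
  # as needed. prompt = no makes openssl read the DN from [ req_dn ] only.
  cat > "$dir/dovecot-openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_srv
prompt             = no
[ req_dn ]
O  = Example Mail
CN = $cn
[ v3_srv ]
subjectAltName   = DNS:$cn
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  openssl req -new -x509 -newkey "rsa:$bits" -nodes -days "$days" \
    -config "$dir/dovecot-openssl.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
  chmod 600 "$dir/server.key"
}

# check_cert PEM MIN_BITS: prints one line per finding; returns 0 only if
# the certificate has an RSA key of at least MIN_BITS, a CN other than the
# placeholder "localhost", and more than 30 days of validity left.
check_cert() {
  pem=$1; min_bits=$2; rc=0
  # Works with both "Public-Key: (n bit)" (1.1+/3.x) and "RSA Public Key:" (1.0.x)
  bits=$(openssl x509 -in "$pem" -noout -text |
         sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
  if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
    echo "WEAK: ${bits:-unknown}-bit key, want at least $min_bits"; rc=1
  fi
  # sep_multiline prints one RDN per line, so the CN can be matched exactly
  if openssl x509 -in "$pem" -noout -subject -nameopt sep_multiline |
       grep -qE '^[[:space:]]*CN=localhost$'; then
    echo "DEFAULT: subject CN is the placeholder 'localhost'"; rc=1
  fi
  # -checkend N returns non-zero if the cert expires within N seconds
  if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null; then
    echo "EXPIRY: expired or expiring within 30 days"; rc=1
  fi
  return $rc
}

# Demo: one certificate like the one in the report (1024-bit, CN=localhost)
# and one issued with explicit parameters for the hypothetical pop.example.com.
tmp=$(mktemp -d)
gen_cert "$tmp/weak" localhost 1024
gen_cert "$tmp/good" pop.example.com 2048
for c in weak good; do
  echo "== $c"
  check_cert "$tmp/$c/server.pem" 2048 && echo "OK: $c passes" || echo "REJECT: $c"
done
rm -rf "$tmp"
```

To audit a running server rather than a file, pipe the output of `openssl s_client -connect host:pop3s` (as in the report) through `openssl x509` and hand the result to check_cert; the same three findings apply.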