Dovecot, self-signed certificates and unknown CA problem

Quick tip if you are trying to deploy Dovecot on RHEL6 or CentOS6 and get an error message about an ‘unknown CA’ like this:

The reason that this error occurs is that Dovecot can not verify a client certificate because it doesn’t know about the self-signed CA certificate because it can not find the self-signed CA certificate. It’s a puzzling error, especially when the CA certificate is present in the Dovecot config:

This happens because Dovecot can not find the CA certificate in the /etc/pki/dovecot/certs directory. Note the directory. The Dovecot RPM on EL6 comes pre-packaged with two directories: /etc/pki/dovecot/certs/ and /etc/pki/dovecot/private/. But if you put a self-signed CA certificate in /etc/pki/dovecot/certs/ Dovecot can not find it because it is looking elsewhere for the CA certificate.

The solution is to put the self-signed CA certificate in /etc/pki/tls/certs/.

2 thoughts on “Dovecot, self-signed certificates and unknown CA problem”

  1. Hi Lorenzo,

    I’m glad you got it working. When I had this problem it also took me a long time to figure out. IIRC I used “strace dovecot” and only then I saw in which directory it was looking for the CA certificate.

    Best,
    Patrick

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.