Author Topic: Problem With Let's Encrypt Certificates Containing Alternative Domain Names  (Read 2820 times)

Offline pacija

Hi,

I'm using roundcube-1.3.1 with php70. Up until recently I was using roundcube to connect to TLS-enabled Postfix (SMTP) and Dovecot (IMAP), both of which were using certificates issued to the common name mail.example.org. In this setup, the following config worked:

Code:
$config['default_host'] = 'tls://mail.example.org';
$config['imap_conn_options'] = array(
  'ssl' => array(
    'peer_name' => 'mail.example.org',
    'verify_peer' => true,
    'verify_depth' => 3,
    'cafile' => '/path/to/fullchain.pem',
  ),
);

However, after I switched to a certificate issued to example.org which contains the alternative domain name mail.example.org, the above config fails.

Roundcube error log:
Code:
[11-Oct-2017 12:06:30 Europe/Belgrade] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/local/www/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1027

Dovecot log:
Code:
Oct 11 12:06:30 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=193.53.106.132, lip=193.53.106.132, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<kVjck0JblMDBNWqE>

I can make it work by setting
Code:
'verify_peer' => false
...but I'd rather not. I have also experimented with the PHP SSL context options SNI_enabled and SNI_server_name to no avail.

Is this a known problem, or should roundcube work with alternative domain names in certificates?

Thank you in advance.
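As an added example (not part of the post above and not Roundcube's code), the following shell script reproduces, offline, the two checks that `peer_name` plus `cafile` ask OpenSSL to perform: does the presented certificate chain to a self-signed root in the CA file, and does the requested host name match the certificate's Subject Alternative Name. It builds a throwaway root CA, an intermediate and a leaf whose subject CN is `example.org` and whose SAN lists `example.org` and `mail.example.org`, then runs `openssl verify -verify_hostname` against several host names and against two different CA files. All file names, subjects and the `$WORK` directory are constructed by the script; it needs only the `openssl` command line tool (1.1.1 or later, for `-ext` and `-no-CApath`).

```shell
#!/bin/sh
# Added example, not from the forum post or from Roundcube. Builds a
# throwaway root -> intermediate -> leaf chain and checks host-name matching
# against the leaf's SAN with "openssl verify". Requires openssl 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed/constructed file names; nothing here comes from a real deployment.
ROOT="$WORK/root.pem"; INT="$WORK/int.pem"; LEAF="$WORK/leaf.pem"
FULLCHAIN="$WORK/fullchain.pem"   # leaf followed by intermediate, no root

# Self-signed root CA
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
  -extfile "$WORK/ca.ext" -out "$ROOT" 2>/dev/null

# Intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$INT" 2>/dev/null

# Leaf: the subject CN is the bare domain; the mail host only appears in the SAN
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.org" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.org,DNS:mail.example.org\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$INT" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$LEAF" 2>/dev/null
cat "$LEAF" "$INT" > "$FULLCHAIN"

# verify_as HOSTNAME CAFILE
# Exit 0 only if the leaf chains to a self-signed root found in CAFILE and
# HOSTNAME matches the leaf's SAN (the CN is ignored once a DNS SAN exists).
# The intermediate is passed as -untrusted, like a server sending its chain.
# -no-CApath keeps the system certificate directory out, so only CAFILE counts.
verify_as() {
  openssl verify -no-CApath -CAfile "$2" -untrusted "$INT" \
    -verify_hostname "$1" "$LEAF" >/dev/null 2>&1
}

# report HOSTNAME CAFILE: one readable line per check for the stand-alone run
report() {
  if verify_as "$1" "$2"; then echo "OK    $1 against $(basename "$2")"
  else echo "FAIL  $1 against $(basename "$2")"; fi
}

echo "Leaf SAN: $(openssl x509 -in "$LEAF" -noout -ext subjectAltName | tail -n 1 | tr -d ' ')"
report mail.example.org "$ROOT"       # matched via the SAN entry
report example.org      "$ROOT"       # also in the SAN
report smtp.example.org "$ROOT"       # rejected: not in the SAN
report mail.example.org "$FULLCHAIN"  # rejected: no self-signed root in the CA file
```

The first three lines of output show that host-name verification is driven by the SAN, so a certificate issued to `example.org` with `mail.example.org` as an alternative name does satisfy `'peer_name' => 'mail.example.org'`. The last line shows the other half of the check: a CA file containing only the leaf and the intermediate (the shape of a Let's Encrypt `fullchain.pem`) does not contain a trust anchor, and OpenSSL rejects the chain regardless of the host name. To look at a real server the same way, replace the constructed files with `openssl s_client -connect host:993 -servername host -showcerts` and verify the returned chain against the CA file you intend to use as `cafile`.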