The file you are asking about as /etc/Ppi? That file is the Roundcube configuration file --> config.inc.php:

// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/pki/tls/certs/combined.pem',
    ),
);
If I understand SSL correctly, I don't see the point of putting the Let's Encrypt fullchain.pem there, because of the following. Your browser has the root certificates installed; a PHP application does not. So when you go to a web page using Let's Encrypt certificates, you will see something like this:
DST Root CA X2 --> Root Certificate in browser
Let's Encrypt Authority X3 -->
webmail.yourdomain.com --> your certificate
So the web browser uses the root certificate to verify that the chain of certificates is valid. As far as I know a PHP application has no way of knowing if the service it's connecting to is using a valid SSL chain; I don't know enough about PHP to be sure about this, but it sounds correct. If I am wrong about this, someone may correct me and explain to me how this works in PHP. In the case of Roundcube connecting to an IMAP server or SMTP server:
$config['default_host'] = 'ssl://imap.%d';
$config['smtp_server'] = 'tls://smtp.%d';
You have said that you have the location of your cafile pointing to the Let's Encrypt fullchain file. It may see it as valid, but as far as I know the root certificates, which are defined in the CA bundles that come with the OS, should be used to validate the chain. That's why I have fullchain in my Dovecot configuration and the combined.pem file (ca-bundle.trust.crt and ca-bundle.crt) in my Roundcube configuration, since that way Roundcube can validate whether the chain of the IMAP server is valid.

The way you have it works for Apache because Apache is the server, and the client, being a web browser, checks the chain via the root certificates in the browser. In the case of Roundcube connecting to an IMAP or SMTP server, Roundcube is acting as a client to the SMTP and IMAP server and has to validate the certificates it's receiving from them via the root certificates and the fullchain.pem. So in short, if you are the server you have to have the full chain so that a client can validate the server's certificate via the root certificates, which are installed in the browsers and in the CA bundles on the OS; I think Java uses a keystore to store certificate chains, root certificates, etc.
On 03/03/2018 12:04 AM, LuKreme wrote:
I have much the same, only with a path pointing to the fullchain.pem file from LE. I suspect it is not readable by the http server, so how are you getting that /etc/Ppi file generated, since it is not the same path as you show in dovecot?
I tried linking to the fullchain.pem, but I haven't tried making a local copy for Roundcube yet.
The paths to the certs work fine for https via Apache.
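The point the reply above makes about cafile (the client side needs a trust store of root certificates, while fullchain.pem is what the server presents) can be checked with openssl. The following is an added example, not code from this thread, from Roundcube or from Dovecot: it builds a throwaway root -> intermediate -> server PKI with constructed names (Demo Root CA, Demo Intermediate CA, imap.example.test) in a temporary directory and runs openssl verify three ways, standing in for what a TLS client does when it validates an IMAP server's chain against the file named in cafile.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate ->
# server PKI and show which trust file lets a client validate the server chain.
# All names and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf;
# the -subj option overrides the placeholder CN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
# Extensions for CA certificates (root and intermediate) and for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/leaf.ext"

# csr NAME CN: generate an RSA key and a CSR for NAME with the given CN.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_pki() {
    csr root "Demo Root CA"
    csr intermediate "Demo Intermediate CA"
    csr server "imap.example.test"
    # Self-signed root: this is the kind of certificate that lives in the OS CA bundle.
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null
    # Intermediate signed by the root (the "Authority X3" tier in the thread).
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -days 2 -out "$WORK/intermediate.pem" 2>/dev/null
    # Server leaf signed by the intermediate.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -days 2 -out "$WORK/server.pem" 2>/dev/null
    # fullchain.pem laid out the way Let's Encrypt ships it: leaf, then intermediate, no root.
    cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# Returns 0 when openssl accepts the server certificate's chain, non-zero otherwise.
# Extra arguments are openssl verify options; -no-CApath keeps the system trust
# directory out of the picture so only the files we pass count.
verify_server() {
    openssl verify -no-CApath "$@" "$WORK/server.pem" >/dev/null 2>&1
}

# Case A: cafile = the server's own fullchain.pem. No self-signed root is
# present anywhere, so the chain never reaches a trust anchor.
trust_fullchain_only() { verify_server -CAfile "$WORK/fullchain.pem"; }

# Case B: cafile = the root bundle, but the server sends only its leaf, so the
# client cannot find the leaf's issuer.
trust_root_leaf_only() { verify_server -CAfile "$WORK/root.pem"; }

# Case C: cafile = the root bundle and the server sends its fullchain.pem
# (-untrusted stands in for the certificates received in the TLS handshake).
trust_root_served_chain() {
    verify_server -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem"
}

# Returns 0 only when all three cases behave as described in the comments above.
chain_behaviour_as_expected() {
    ! trust_fullchain_only && ! trust_root_leaf_only && trust_root_served_chain
}

build_pki
for case in trust_fullchain_only trust_root_leaf_only trust_root_served_chain; do
    if "$case"; then echo "$case: chain accepted"; else echo "$case: chain rejected"; fi
done
chain_behaviour_as_expected && echo "all cases behaved as expected"
```

Only case C succeeds: the roots sit in the client's cafile (the OS bundle, or combined.pem as in the config above) and the leaf plus intermediate are served by the IMAP server, which is exactly the fullchain-in-Dovecot, CA-bundle-in-Roundcube split the reply describes. PHP's ssl:// and tls:// stream wrappers perform this same validation through OpenSSL when verify_peer is true, using cafile or capath from the context options if they are set and OpenSSL's default trust store otherwise, so the same three outcomes apply to Roundcube's IMAP and SMTP connections. The script needs openssl 1.1.0 or newer.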