For internal use I've installed the private CA cert on whatever clients I'm using (Thunderbird, browsers). That way you don't need to make exceptions every time a certificate changes.

Good luck,
Reio

On 30.04.2020 21:36, hanas...@gmail.com wrote:
Hello,

This is a self-signed cert.  Both of the below methods were used.

May I ask for (1) a pointer to info on setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot.

Separately, what are your thoughts as to why Evolution works and Thunderbird does not?

Thank you,

==1
# Method 1: separate key, CSR, then a self-signed cert made from the CSR
openssl genrsa -out key.pem 2048
openssl req -new -sha512 -key key.pem -out csr.csr
openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
# Confirm the CSR's signature algorithm
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2
# Method 2: key and self-signed cert in one step, key left unencrypted (-nodes)
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem


On 4/30/20 8:11 AM, Aki Tuomi wrote:

On 30/04/2020 14:49 hanas...@gmail.com wrote:

Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
Evolution, on the exact same system, is working fine with the same
accounts. Tried recreating the Dovecot cert and also the thunderbird
accounts from scratch. The OpenSSL raw client works fine as well.

Would someone also confirm the openssl commands to create a self-signed
cert for dovecot imaps. The cert created does work with evolution;
just not thunderbird.

Thoughts?

Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->

reference
http://forums.debian.net/viewtopic.php?f=5&t=145849

You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---
Aki Tuomi
