I would expect the public cert to be imported as a "server", not an "auth".
The attached image shows that TBird wants an HTTPS URL for a webserver as the source.
Ages ago, I think it prompted "do you want to trust this new cert?" and YES added it (assuming that is the public key) to the server list. A bit confused by this.
<see attached thunderbird image> On 4/30/20 2:41 PM, Aki Tuomi wrote:
I see. You need to import the cert into Thunderbird's trusted CA certs.

Aki

On 30/04/2020 21:36 hanas...@gmail.com <hanas...@gmail.com> wrote:

Hello,

This is a self-signed cert. Both of the below methods were used. May I ask for

1. pointer to info on setting up "intermediate certs" and where the certfile goes?

The objective is to generate a self-signed cert and use it just for internal use with IMAPS Dovecot.

Separately, what are your thoughts as to why Evolution works and Thunderbird does not?

Thank you,

==1
openssl genrsa -out key.pem 2048
openssl req -new -sha512 -key key.pem -out csr.csr
openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo

==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem

On 4/30/20 8:11 AM, Aki Tuomi wrote:
On 30/04/2020 14:49 hanas...@gmail.com <hanas...@gmail.com> wrote:
>>
>> Recently Thunderbird and Dovecot IMAPS cannot agree on SSL; however
>> Evolution, on the exact same system, is working fine with the same
>> accounts. Tried recreating the Dovecot cert and also the Thunderbird
>> accounts from scratch. The OpenSSL raw client works fine as well.
>>
>> Would someone also confirm the openssl commands to create a self-signed
>> cert for Dovecot IMAPS. The cert created does work with Evolution;
>> just not Thunderbird.
>>
>> Thoughts?
>>
>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
>>
>> reference
>> http://forums.debian.net/viewtopic.php?f=5&t=145849

You are missing intermediate certs from your certfile. Put them after cert in order towards root.

---
Aki Tuomi
<<attachment: hanasaki.vcf>>
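The Dovecot debug lines quoted in this thread carry more information than the "bad certificate" text suggests. Dovecot prints the arguments of OpenSSL's info callback: "where" is a bitmask of OpenSSL's SSL_CB_* flags, so where=0x4004 is SSL_CB_ALERT | SSL_CB_READ, an alert that Dovecot read from the peer, and for alert events "ret" packs the level in the high byte and the description in the low byte, so ret=554 is level 2 (fatal), description 42 (bad_certificate). Since Dovecot is the accepting side, that alert was sent by Thunderbird after Dovecot had written its full TLS 1.3 flight (certificate, certificate verify, finished): the client received the certificate and rejected it. The decoder below is an added example for this thread, not Dovecot's or OpenSSL's own code; the flag values are OpenSSL's documented constants, the alert names come from the TLS alert registry (RFC 5246 section 7.2, RFC 8446 section 6), the sample log is the thread's own excerpt with the poster's redactions kept, and the verdict wording is this example's own, not a Dovecot message.

```python
"""Decode Dovecot imap-login SSL debug lines (OpenSSL info-callback output).

Added example for this thread, not Dovecot's or OpenSSL's own code.
"""
import re

# OpenSSL info-callback "where" flags (from OpenSSL's ssl.h); Dovecot logs
# the raw value, so decoding it tells us the direction of an alert.
SSL_CB_LOOP, SSL_CB_EXIT, SSL_CB_READ, SSL_CB_WRITE = 0x01, 0x02, 0x04, 0x08
SSL_CB_HANDSHAKE_START, SSL_CB_HANDSHAKE_DONE = 0x10, 0x20
SSL_ST_CONNECT, SSL_ST_ACCEPT, SSL_CB_ALERT = 0x1000, 0x2000, 0x4000

# TLS alert descriptions, RFC 5246 s7.2 / RFC 8446 s6 (subset).
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    109: "missing_extension", 110: "unsupported_extension",
    112: "unrecognized_name", 116: "certificate_required",
    120: "no_application_protocol",
}
# Alerts a peer sends when it rejects the certificate it was shown.
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

EVENT_RE = re.compile(
    r"imap-login: Debug: SSL(?: alert)?: where=(0x[0-9a-f]+), ret=(-?\d+): (.*)$",
    re.IGNORECASE)
ERROR_RE = re.compile(r"SSL alert number (\d+)")


def decode_where(where):
    """Name the OpenSSL callback event encoded in the `where` bitmask."""
    if where & SSL_CB_ALERT:
        return "alert read" if where & SSL_CB_READ else "alert write"
    if where == SSL_CB_HANDSHAKE_START:
        return "handshake start"
    if where == SSL_CB_HANDSHAKE_DONE:
        return "handshake done"
    role = "accept" if where & SSL_ST_ACCEPT else "connect" if where & SSL_ST_CONNECT else "?"
    phase = "loop" if where & SSL_CB_LOOP else "exit" if where & SSL_CB_EXIT else "?"
    return f"{role} {phase}"


def decode_alert(ret):
    """For SSL_CB_ALERT events `ret` is (level << 8) | description."""
    level, desc = ret >> 8, ret & 0xFF
    return {"level": {1: "warning", 2: "fatal"}.get(level, str(level)),
            "code": desc, "name": ALERT_NAMES.get(desc, f"alert_{desc}")}


def alert_number_from_error(line):
    """Fallback for non-debug 'SSL error: ... SSL alert number N' lines."""
    m = ERROR_RE.search(line)
    return int(m.group(1)) if m else None


def parse_event(line):
    m = EVENT_RE.search(line)
    if not m:
        return None
    where, ret, msg = int(m.group(1), 16), int(m.group(2)), m.group(3)
    event = {"event": decode_where(where), "msg": msg}
    if where & SSL_CB_ALERT:
        # Dovecot accepts connections, so a *read* alert came from the client.
        event["sent_by"] = "peer" if where & SSL_CB_READ else "us"
        event.update(decode_alert(ret))
    return event


def analyze(lines):
    """Report the first TLS alert in a Dovecot debug log, who sent it, and
    the last handshake message Dovecot had read or written before it."""
    last_flight, alert = None, None
    for event in filter(None, map(parse_event, lines)):
        if "code" in event:
            alert = event
            break
        if " write " in event["msg"] or " read " in event["msg"]:
            last_flight = event["msg"]
    if alert is None:
        return {"alert": None, "last_flight": last_flight, "verdict": "no TLS alert seen"}
    if alert["sent_by"] == "peer" and alert["code"] in CERT_ALERTS:
        verdict = (f"client rejected the server certificate ({alert['name']}) after "
                   f"'{last_flight}': check the certificate itself, the chain in "
                   "ssl_cert (leaf first, then intermediates towards the root) and "
                   "the client's trust store")
    elif alert["sent_by"] == "peer":
        verdict = f"client aborted the handshake with {alert['name']}"
    else:
        verdict = f"server sent {alert['name']}: the client's hello or certificate was rejected"
    return {"alert": alert, "last_flight": last_flight, "verdict": verdict}


# Sample input: the thread's own log excerpt (poster's redactions kept).
SAMPLE_LOG = """\
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines())["verdict"])
```

Run it against the excerpt and it reports a fatal bad_certificate alert sent by the peer after "SSLv3/TLS write finished". Two practical consequences for this thread: a self-signed certificate has no intermediates to append, so the chain Dovecot sends is already complete, and the alert is the client refusing a certificate it did see, which is why the fix in the thread is on the Thunderbird side (importing the certificate as a trusted CA) rather than in ssl_cert. The fallback parser covers production logs where only the "SSL alert number 42" error line is present; the alert number is the same TLS description code, just without the direction bit.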