https://stackoverflow.com/questions/61077885/add-thunderbird-security-exception-for-self-signed-ssl-certificate
Perhaps this will help you? Aki > On 04/05/2020 19:03 hanas...@gmail.com <hanas...@gmail.com> wrote: > > > == resend to list = requested by list owner > On 4/30/20 2:47 PM, hanas...@gmail.com wrote: > > > I would expect the public cert to be imported as a "server" not an "auth" > > The attached image shows that TBird wants an httpS url for a webserver, for > > the source. > > Ages ago, I think it prompted for "do you want to trust this new cert" and > > YES added it (assuming that is the public key) to the server list. A bit > > confused by this. > > > > <see attached thunderbird image> > > > > On 4/30/20 2:41 PM, Aki Tuomi wrote: > > > > > I see. You need to import the cert into thundebird's trusted ca certs. > > > > > > > > > Aki > > > > On 30/04/2020 21:36 hanas...@gmail.com <hanas...@gmail.com> wrote: > > > > > > > > > > > > > > > > > > > > Hello, > > > > > > > > > > > > This is a selfsigned cert. Both of the below methods were used. > > > > > > > > > > > > May I ask for 1. pointer to info setting up "intermediate certs" and > > > > where the certfile goes? > > > > > > > > > > > > The objective is to generate a self-signed cert and use it for just > > > > internal use with IMAPS dovecot. > > > > > > > > > > > > Separately, what are your thoughts as to why evolution works and > > > > thunderbird does not? > > > > > > > > > > > > Thank you, > > > > > > > > > > > > ==1 > > > > > > > > > > > > openssl genrsa -out key.pem 2048 > > > > > > > > > > > > openssl req -new -sha512 -key key.pem -out csr.csr > > > > > > > > > > > > openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out > > > > certificate.pem > > > > openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo > > > > > > > > > > > > ==2 > > > > openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout > > > > mykey.key -out mycert.pem > > > > > > > > > > > > > > > > > > > > On 4/30/20 8:11 AM, Aki Tuomi wrote: > > > > > > On 30/04/2020 14:49 hanas...@gmail.com <mailto:hanas...@gmail.com> > > > > > > <hanas...@gmail.com <mailto:hanas...@gmail.com>> wrote: > > > > >> > > > > >> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however > > > > >> Evolution, on the exact same system, is working fine with the same > > > > >> accounts. Tried recreating the Dovecot cert and also the thunderbird > > > > >> accounts from scratch. The OpenSSL raw client works fine as well. > > > > >> > > > > >> Would someone also confirm the openssl commands to create a > > > > >> selfsigned > > > > >> cert for dovecot imaps. They cert created does work with evolution; > > > > >> just not thunderbird. > > > > >> > > > > >> Thoughts? > > > > >> > > > > >> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() > > > > >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad > > > > >> certificate: SSL alert number 42 > > > > >> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth > > > > >> attempts in > > > > >> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() > > > > >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad > > > > >> certificate: SSL alert number 42, session=<--> > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: > > > > >> before SSL initialization > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> before SSL initialization > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> before SSL initialization > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> before SSL initialization > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> SSLv3/TLS read client hello > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> SSLv3/TLS write server hello > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> SSLv3/TLS write change cipher spec > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> TLSv1.3 write encrypted extensions > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> SSLv3/TLS write certificate > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> TLSv1.3 write server certificate verify > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> SSLv3/TLS write finished > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, > > > > >> ret=1: > > > > >> TLSv1.3 early data > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> TLSv1.3 early data > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> TLSv1.3 early data > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> TLSv1.3 early data > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> TLSv1.3 early data > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: > > > > >> where=0x4004, > > > > >> ret=554: fatal bad certificate > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, > > > > >> ret=-1: > > > > >> error > > > > >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() > > > > >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad > > > > >> certificate: SSL alert number 42 > > > > >> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth > > > > >> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: > > > > >> SSL_accept() failed: error:14094412:SSL > > > > >> routines:ssl3_read_bytes:sslv3 > > > > >> alert bad certificate: SSL alert number 42, session=<---> > > > > >> > > > > >> reference > > > > >> http://forums.debian.net/viewtopic.php?f=5&t=145849 > > > > >> <http://forums.debian.net/viewtopic.php?f=5&t=145849> > > > > > You are missing intermediate certs from your certfile. Put them after > > > > > cert in order towards root. > > > > > > > > > > > > > > > --- > > > > > Aki Tuomi > > > > > > > > > --- > > > Aki Tuomi > > >