Re: SSL errors after certificate renewal
On 2021-09-07, Amol Kulkarni wrote: > After I replaced my certificate with a new one yesterday, I'm seeing some > ssl related errors. There are successful pop/imap logins using SSL also. So > I think the certificate in itself is fine. No user has complained as yet, > so I don't know for sure. However the count of errors has surely increased > after installing the new certificate. > There are 2 errors seen : > dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=, lip >=, TLS handshaking: SSL_accept() failed: error:14094416:SSL > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number > 46, session=<9m0AnVnL > 2pHf4hso> > > > dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, > rip=, lip >=, TLS: SSL_read() failed: error:14094412:SSL > routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, > session= > > Kindly help with some pointers. If you mention the hostname we can check the actual problem, otherwise we have to guess. Certificates are usually issued from an intermediate, not directly from a CA. Servers need to be configured to send that intermediate. Some (mostly GUI) clients will fetch a missing intermediate automatically but most mail clients won't. The most common problem associated with changing cert is to forget to include the intermediate in the server config. Check with this: openssl s_client -starttls imap -servername $hostname -connect $hostname:143 The chain should normally look something like this for a letsencrypt cert; other CAs will usually also have 3 entries but the names will differ --- Certificate chain 0 s:/CN=$hostname i:/C=US/O=Let's Encrypt/CN=R3 1 s:/C=US/O=Let's Encrypt/CN=R3 i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- The final "i" line needs to be in the root CA store on the client machine. The file used for "ssl_cert" in Dovecot (and same for most other services) needs to contain both the server certificate and the intermediate. Commercial CAs usually provide this in a zip or similar file with the cert. ACME clients for letsencrypt etc will usually download it automatically or can be configured to do so (certbot writes both to a "fullchain.pem" file which can be used directly). If that doesn't help, post the hostname for a proper analysis.
Re: SSL errors after certificate renewal
> On 07/09/2021 20:25 Amol Kulkarni wrote: > > > Hello, > > > After I replaced my certificate with a new one yesterday, I'm seeing some ssl > related errors. There are successful pop/imap logins using SSL also. So I > think the certificate in itself is fine. No user has complained as yet, so I > don't know for sure. However the count of errors has surely increased after > installing the new certificate. > There are 2 errors seen : > dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, > rip=, lip > =, TLS handshaking: SSL_accept() failed: error:14094416:SSL > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number > 46, session=<9m0AnVnL > 2pHf4hso> > > > dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, > rip=, lip > =, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 > alert bad certificate: SSL alert number 42, session= > > Kindly help with some pointers. > > Thanks and Regards, > Amol This is caused by not including intermediate certificates with ssl_cert. If you are using LE or similar service, make sure you use the *fullchain* certificate for ssl_cert. Aki
Re: SSL errors after certificate renewal
On 2021-09-07, N wrote: > Separate subject, but couldn't help but notice, SSL3 is being used? > Wasn't SSL3 retired because of POODLE exploits? Can someone more > knowledgeable confirm? "sslv3 alert certificate unknown" does not mean that SSLv3 is used.
Re: SSL errors after certificate renewal
On 07.09.21 19:25, Amol Kulkarni wrote: > After I replaced my certificate with a new one yesterday, I'm seeing some > ssl related errors. [...] > dovecot: imap-login: Disconnected (no auth attempts in 1 secs): [...] > dovecot: imap-login: Disconnected (no auth attempts in 0 secs): [...] These log messages indicate that it was the client who stopped doing the full login procedure. My first guess would be that a majority of those clients want their user/admin to confirm trust in the new server cert before they "leak" authentication tokens (user+auth) to it. On 07.09.21 21:16, N wrote: > Separate subject, but couldn't help but notice, SSL3 is being used? SSLv3 and at least the earlier versions of TLS share a lot of underlying cryptalgorithms, so the log messages (from double-used code) still *say* "SSL3". (If you want to be *sure*, run a scanner like sslyze against the server.) Regards, -- Jochen Bern Systemingenieur Binect GmbH smime.p7s Description: S/MIME Cryptographic Signature
Re: SSL errors after certificate renewal
You'd need to include alot more information if you're looking for resolution. 1. How are you renewing your certs. Are you re-keying when you renew? 2. What is your ssl_cert? Is it a single cert or a chain? I'd set ssl_min_protocol = TLSv1.1 at the very least, probably TLSv1.2 if your users clients can handle it If you're looking for pointers, I'd try googling the errors. https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s/806175 https://community.letsencrypt.org/t/mobile-clients-ssl-alert-number-46/124608/4 On 9/7/21 2:24 PM, Marc wrote: nothing comenting about more knowledgable, but ssl3 nobody uses. it is even adviced not to use tls 1.1 and below Separate subject, but couldn't help but notice, SSL3 is being used? Wasn't SSL3 retired because of POODLE exploits? Can someone more knowledgeable confirm? On 9/7/21 11:05, Steve Dondley wrote: On 2021-09-07 01:25 PM, Amol Kulkarni wrote: Hello, After I replaced my certificate with a new one yesterday, I'm seeing some ssl related errors. There are successful pop/imap logins using SSL also. So I think the certificate in itself is fine. No user has complained as yet, so I don't know for sure. However the count of errors has surely increased after installing the new certificate. There are 2 errors seen : dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=, lip =, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<9m0AnVnL 2pHf4hso> dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip =, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session= Kindly help with some pointers. Thanks and Regards, Amol I assume you tried restarting dovecot, but just in case... -- Ben Burk BURK.TECH System Administrator
RE: SSL errors after certificate renewal
nothing comenting about more knowledgable, but ssl3 nobody uses. it is even adviced not to use tls 1.1 and below > Separate subject, but couldn't help but notice, SSL3 is being used? > Wasn't SSL3 retired because of POODLE exploits? Can someone more > knowledgeable confirm? > > > On 9/7/21 11:05, Steve Dondley wrote: > > > On 2021-09-07 01:25 PM, Amol Kulkarni wrote: > > Hello, > > > After I replaced my certificate with a new one yesterday, I'm > seeing some ssl related errors. There are successful pop/imap logins > using SSL also. So I think the certificate in itself is fine. No user > has complained as yet, so I don't know for sure. However the count of > errors has surely increased after installing the new certificate. > There are 2 errors seen : > dovecot: imap-login: Disconnected (no auth attempts in 1 > secs): user=<>, rip=, lip > =, TLS handshaking: SSL_accept() failed: error:14094416:SSL > routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert > number 46, session=<9m0AnVnL > 2pHf4hso> > > > dovecot: imap-login: Disconnected (no auth attempts in 0 > secs): user=<>, rip=, lip > =, TLS: SSL_read() failed: error:14094412:SSL > routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number > 42, session= > > Kindly help with some pointers. > > Thanks and Regards, > Amol > > I assume you tried restarting dovecot, but just in case...
Re: SSL errors after certificate renewal
Separate subject, but couldn't help but notice, SSL3 is being used? Wasn't SSL3 retired because of POODLE exploits? Can someone more knowledgeable confirm? On 9/7/21 11:05, Steve Dondley wrote: On 2021-09-07 01:25 PM, Amol Kulkarni wrote: Hello, After I replaced my certificate with a new one yesterday, I'm seeing some ssl related errors. There are successful pop/imap logins using SSL also. So I think the certificate in itself is fine. No user has complained as yet, so I don't know for sure. However the count of errors has surely increased after installing the new certificate. There are 2 errors seen : dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=, lip =, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<9m0AnVnL 2pHf4hso> dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip =, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session= Kindly help with some pointers. Thanks and Regards, Amol I assume you tried restarting dovecot, but just in case...
Re: SSL errors after certificate renewal
On 2021-09-07 01:25 PM, Amol Kulkarni wrote: Hello, After I replaced my certificate with a new one yesterday, I'm seeing some ssl related errors. There are successful pop/imap logins using SSL also. So I think the certificate in itself is fine. No user has complained as yet, so I don't know for sure. However the count of errors has surely increased after installing the new certificate. There are 2 errors seen : dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=, lip =, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<9m0AnVnL 2pHf4hso> dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip =, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session= Kindly help with some pointers. Thanks and Regards, Amol I assume you tried restarting dovecot, but just in case...