[Dovecot] TLS handshaking error: unknown ca

[Ben Jordan]

I'm running Ubuntu 10.04, recently upgraded. My dovecot version is 
1.2.9. My SSL/TLS authentication with dovecot from non-local IP's has 
stopped working, and I can no longer access my mail securely.  I have 
changed all entries to refer to my server as "host".  I am the only 
user, and am OK with the a self-signed cert.  When I try to connect 
using Thunderbird, the certificate window says "unable to obtain 
identification status for the given site".  This action generates the 
entry in /var/log/mail.log:

TLS handshaking: SSL_accept() failed: error:14094418:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

I am using self-signed certificates, generated using:

openssl genrsa -out server.key 1024
openssl req -new -x509 -key server.key -out server.pem -days 1826

If I use openssl s_client -connect host:993 to connect, I get the 
following output:

CONNECTED(00000003)
depth=0 
/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 
/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
verify return:1
---
Certificate chain
  0 
s:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
    
i:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAt6gAwIBAgIJAIMqhTeSqt7PMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNhbWJyaWRnZTEQMA4GA1UE
ChMHSGFydmFyZDEMMAoGA1UECxMDT0VCMQ8wDQYDVQQDEwZNQ1IyRDIxIzAhBgkq
hkiG9w0BCQEWFGJqb3JkYW41NTVAZ21haWwuY29tMB4XDTEwMDcxMDE0MjYyMFoX
DTE1MDcxMDE0MjYyMFowgYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJNQTESMBAG
A1UEBxMJQ2FtYnJpZGdlMRAwDgYDVQQKEwdIYXJ2YXJkMQwwCgYDVQQLEwNPRUIx
DzANBgNVBAMTBk1DUjJEMjEjMCEGCSqGSIb3DQEJARYUYmpvcmRhbjU1NUBnbWFp
bC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ8m09I2TR9J93lRzYvi
mvo7WoZsjEI9kJbJwrJo3xc662w5yLGiolkxvuul8TN0PaDcJsjTAKPuiU2hmYku
9OmCtGlWtkVGmUPCyUok97rC7N81vBdIwUPoMRI4AA1s/Ubu22QIRnnmB8H+BNfs
BqTA6E9q4cHUEhVlt3CMTk9tAgMBAAGjgewwgekwHQYDVR0OBBYEFFh0Xj1WtJmZ
ZUKijH/JqVgsF4KCMIG5BgNVHSMEgbEwga6AFFh0Xj1WtJmZZUKijH/JqVgsF4KC
oYGKpIGHMIGEMQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUExEjAQBgNVBAcTCUNh
bWJyaWRnZTEQMA4GA1UEChMHSGFydmFyZDEMMAoGA1UECxMDT0VCMQ8wDQYDVQQD
EwZNQ1IyRDIxIzAhBgkqhkiG9w0BCQEWFGJqb3JkYW41NTVAZ21haWwuY29tggkA
gyqFN5Kq3s8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQArUj++GxWm
b7hPaB9cBC6DP4uj6D1/xWRovcnaMhniR47Hrm1qVc6Rt6Lvn82KAsmBcmgc58W4
aV5h4tqqSeHh/TqBg3361qLp3DiOk08M66MbSDl1bHWG5te/JaxeiJLbfpuCg1xX
j8dK4ilp5neshaKozl/X+1Et71KESGuT0w==
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
issuer=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 1453 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
CABB8909A462A3B6FB65AB556D5ABF6A632691BB81F8F994ED0C8098448FD3DE
     Session-ID-ctx:
     Master-Key: 
BF53FCA25DEA893EFF8C152A99A62A304229C8FA811ACE757233326826543340EF1FC1F433F95B9505E823D5CF289793
     Key-Arg   : None
     Start Time: 1278774437
     Timeout   : 300 (sec)
     Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE 
AUTH=PLAIN] Dovecot ready.

The output of dovecot -n is:

# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-23-generic x86_64 Ubuntu 10.04 LTS
ssl_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mbox_write_locks: fcntl dotlock
auth default:
   passdb:
     driver: pam
   userdb:
     driver: passwd