[Dovecot] TLS handshaking error: unknown ca
Ben Jordan
bjordan555 at gmail.com
Sat Jul 10 18:16:52 EEST 2010
I'm running Ubuntu 10.04, recently upgraded. My dovecot version is
1.2.9. My SSL/TLS authentication with dovecot from non-local IPs has
stopped working, and I can no longer access my mail securely. I have
changed all entries to refer to my server as "host". I am the only
user, and am OK with a self-signed cert. When I try to connect
using Thunderbird, the certificate window says "unable to obtain
identification status for the given site". This action generates the
entry in /var/log/mail.log:
TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
I am using self-signed certificates, generated using:
openssl genrsa -out server.key 1024
openssl req -new -x509 -key server.key -out server.pem -days 1826
If I use openssl s_client -connect host:993 to connect, I get the
following output:
CONNECTED(00000003)
depth=0 /C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
   i:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
issuer=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host/emailAddress=bjordan555 at gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 1453 bytes and written 316 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
CABB8909A462A3B6FB65AB556D5ABF6A632691BB81F8F994ED0C8098448FD3DE
Session-ID-ctx:
Master-Key:
BF53FCA25DEA893EFF8C152A99A62A304229C8FA811ACE757233326826543340EF1FC1F433F95B9505E823D5CF289793
Key-Arg : None
Start Time: 1278774437
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE AUTH=PLAIN] Dovecot ready.
The output of dovecot -n is:
# 1.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-23-generic x86_64 Ubuntu 10.04 LTS
ssl_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mbox_write_locks: fcntl dotlock
auth default:
passdb:
driver: pam
userdb:
driver: passwd
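Added example, not from the post above and not Dovecot's own code. A "tlsv1 alert unknown ca" in the server log is the client's verdict: the client (here Thunderbird) could not build a trust chain for the certificate it was handed and closed the handshake with an unknown_ca alert. Two things a practitioner checks from the material the post already contains are (a) what verify code `openssl s_client` reports and whether subject and issuer are identical, i.e. whether the served certificate is self-signed, and (b) whether the certificate the server actually serves is byte-for-byte the one named by `ssl_cert_file` in `dovecot -n`, which is done by comparing fingerprints. The script below performs both checks on `s_client` output. The sample output and both "certificates" are constructed placeholders (the PEM bodies are arbitrary bytes, not real X.509; the fingerprint arithmetic is the same for a real one), so everything runs offline.

```python
import base64
import hashlib
import re
import ssl

# Matches one PEM certificate block inside arbitrary s_client output.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def make_pem(der: bytes) -> str:
    """Wrap bytes as a PEM block. Only used to build the constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for two different certificate files.
CONFIGURED_PEM = make_pem(b"placeholder-der-for-server.pem-" * 4)
SNAKEOIL_PEM = make_pem(b"placeholder-der-for-ssl-cert-snakeoil.pem-" * 4)

# Constructed s_client transcript shaped like the one in the post; the server
# here hands out SNAKEOIL_PEM, not CONFIGURED_PEM.
SAMPLE_SCLIENT = f"""CONNECTED(00000003)
depth=0 /C=US/ST=MA/L=city/O=org/OU=unit/CN=host
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host
   i:/C=US/ST=MA/L=city/O=org/OU=unit/CN=host
---
Server certificate
{SNAKEOIL_PEM}subject=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host
issuer=/C=US/ST=MA/L=city/O=org/OU=unit/CN=host
---
Verify return code: 18 (self signed certificate)
---
"""


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated digest of the DER encoding, same layout as
    `openssl x509 -noout -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # stdlib: header check + base64 decode
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_sclient(output: str) -> dict:
    """Pull subject, issuer, verify code/message and the served PEM out of s_client output."""
    def first(pattern):
        m = re.search(pattern, output, re.M)
        return m.group(1).strip() if m else None

    code_match = re.search(r"^Verify return code: (\d+) \((.*)\)$", output, re.M)
    pem_match = PEM_RE.search(output)
    return {
        "subject": first(r"^subject=(.*)$"),
        "issuer": first(r"^issuer=(.*)$"),
        "verify_code": int(code_match.group(1)) if code_match else None,
        "verify_msg": code_match.group(2) if code_match else None,
        "served_pem": pem_match.group(0) if pem_match else None,
    }


def diagnose(output: str, configured_pem: str) -> dict:
    """Answer the two questions: is the served cert self-signed, and is it the
    cert the server is configured with (ssl_cert_file in dovecot -n)?"""
    info = parse_sclient(output)
    served_fp = fingerprint(info["served_pem"]) if info["served_pem"] else None
    configured_fp = fingerprint(configured_pem)
    # OpenSSL verify code 18 = "self signed certificate" at depth 0.
    self_signed = info["verify_code"] == 18 or (
        info["subject"] is not None and info["subject"] == info["issuer"]
    )
    return {
        "self_signed": self_signed,
        "verify_code": info["verify_code"],
        "verify_msg": info["verify_msg"],
        "served_fingerprint": served_fp,
        "configured_fingerprint": configured_fp,
        "served_matches_configured": served_fp == configured_fp,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SCLIENT, CONFIGURED_PEM).items():
        print(f"{key}: {value}")
```

With real data, capture `openssl s_client -connect host:993 </dev/null > sclient.txt`, then call `diagnose(open("sclient.txt").read(), open("/path/from/ssl_cert_file").read())`; `served_matches_configured` being False means the daemon is serving a different certificate than the one you expect, and a True `self_signed` with verify code 18 means any client that has not been told to trust that exact certificate will answer with the unknown_ca alert seen in mail.log.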