[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Charles Marcus CMarcus at Media-Brokers.com
Fri Apr 18 19:57:13 UTC 2014


Thanks Markus and Oscar...

On 4/18/2014 3:29 PM, Markus Schönhaber <dovecot at list-post.mks-mail.de> 
wrote:
> Aside from the missing indirection (use ... = </etc/... as you did 
> before) the documentation indicates that ssl_ca is only used for 
> client certificate verification and has nothing to do with the 
> certificate chain of your server certificate.

Yeah, the < was in the config, dunno how it got stripped from my post - 
or maybe I manually typed those - yeah, I think I did...

> Instead, cat your new server certificate together with the CA 
> certificates into one file and point ssl_cert to this file (see 
> "Chained SSL certificates" in 
> http://wiki2.dovecot.org/SSL/DovecotConfiguration ). 

Ok, did that and made the config change and restarted dovecot.

Everything seems to be working, BUT... I'm now seeing some of these 
errors, that were not showing up in the logs before:

2014-04-18T15:42:24-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=24.126.163.180, lport=143
2014-04-18T15:42:34-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() 
failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad 
certificate: SSL alert number 42, rip=98.66.176.115, lport=143

12 total in the last 25 minutes since flipping the switch.

and there have been two of these:

2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login: 
Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: 
SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143

Not a huge number, but enough to be concerning...

Could this just be from cached junk from some clients, and they will 
resolve themselves over time?

-- 

Best regards,

Charles Marcus
I.T. Director
Media Brokers International, Inc.
678.514.6224 | 678.514.6299 fax
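
Added example, not part of the original message and not Dovecot's own code: a small Python parser for login-process log lines of the shape quoted above. It groups certificate-related TLS alerts by remote IP with first and last timestamps, so it is easy to see whether the same clients keep rejecting the new certificate or whether the errors taper off. An OpenSSL error raised in SSL3_READ_BYTES for an alert means the alert was read from the peer, so these are the clients' rejections. The hostname, addresses and log lines in SAMPLE_LOG are constructed; the alert names come from RFC 5246.

```python
import re
from collections import defaultdict

# Certificate-related TLS alert numbers and names (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# Matches Dovecot login-process lines that report a failed OpenSSL call and an alert number.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: (?P<svc>[\w-]+): .*?"
    r"(?P<call>SSL_\w+)\(\) failed: .*?SSL alert number (?P<alert>\d+)"
    r".*?rip=(?P<rip>[0-9A-Fa-f.:]+), lport=(?P<lport>\d+)")

# Constructed sample input (documentation IP ranges), one log record per line.
SAMPLE_LOG = """\
2014-04-18T15:42:24-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143
2014-04-18T15:42:34-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=198.51.100.7, lport=143
2014-04-18T15:50:02-04:00 mailhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, mpid=1234, TLS
2014-04-18T15:54:07-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, rip=192.0.2.10, lport=143
2014-04-18T16:10:11-04:00 mailhost dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, rip=203.0.113.5, lport=143
"""

def summarize(log_text):
    """Group certificate-related TLS alerts in the log by remote IP (rip)."""
    clients = defaultdict(lambda: {"count": 0, "alerts": set(), "calls": set(),
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["alert"]) not in CERT_ALERTS:
            continue  # not a TLS failure line, or not a certificate alert
        c = clients[m["rip"]]
        c["count"] += 1
        c["alerts"].add(CERT_ALERTS[int(m["alert"])])
        c["calls"].add(m["call"])          # SSL_accept = during handshake, SSL_read = after
        c["first"] = c["first"] or m["ts"]  # log is chronological, so first match wins
        c["last"] = m["ts"]
    return dict(clients)

if __name__ == "__main__":
    for rip, c in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(rip, c["count"], sorted(c["alerts"]), sorted(c["calls"]),
              c["first"], "->", c["last"])
```

Run against the real log after joining any wrapped records into single lines; a client whose "last" timestamp keeps advancing has not accepted the new chain.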


