[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Joseph Tam jtam.home at gmail.com
Sat Apr 19 01:29:38 UTC 2014


Charles Marcus <CMarcus at Media-Brokers.com> wrote:

> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>
> Not a huge number, but enough to be concerning...
>
> Could this just be from cached junk from some clients, and they will
> resolve themselves over time?

Short answer: maybe.  I got these errors when I switched from a self-signed
to CA signed cert, and the client had an open mail session:

 	Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0
 	secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS: SSL_read() failed:
 	error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
 	ca: SSL alert number 48, session=<w4Lm8vvypgCJUgmg>

Not quite the same as yours, but if you call the client up and ask them
to restart their mail client, I'm fairly confident these will go away,
as for my user.

You might get some weirdness if for some reason the client does not have
the intermediate CAs cached.  I ran into this problem with our certs --
some RH distributions did have the intermediate CA certs in their store.

Joseph Tam <jtam.home at gmail.com>
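
An added example, not part of the original post: one way to check whether the certificate alerts discussed above fade out or persist after a cert change is to group them by client IP and keep only those seen after a grace period. The sample lines, the `mailhost` name, the change time and the one-day grace period are constructed assumptions; lines without an ISO 8601 timestamp in the first field are skipped.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Certificate-related TLS alert numbers (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
ALERT_RE = re.compile(r"SSL alert number (\d+)")
RIP_RE = re.compile(r"\brip=([^,\s]+)")

def parse_line(line):
    """Return (timestamp, rip, alert_name) for a certificate alert, else None."""
    alert, rip = ALERT_RE.search(line), RIP_RE.search(line)
    if not alert or not rip or int(alert.group(1)) not in CERT_ALERTS:
        return None
    try:
        # Assumption: ISO 8601 timestamp is the first field of the line.
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
    except ValueError:
        return None
    return ts, rip.group(1), CERT_ALERTS[int(alert.group(1))]

def clients_still_failing(lines, cert_changed_at, grace=timedelta(days=1)):
    """Map rip -> {alert_name: count} for alerts seen after the grace period."""
    cutoff = cert_changed_at + grace
    hits = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event and event[0] > cutoff:
            hits[event[1]][event[2]] += 1
    return {rip: dict(counts) for rip, counts in hits.items()}

# Constructed sample lines (documentation IP ranges), shaped like the quoted log.
PREFIX = ("mailhost dovecot: imap-login: Disconnected (no auth attempts in "
          "0 secs): user=<>, TLS handshaking: SSL_accept() failed: ")
SAMPLE_LOG = [
    "2014-04-18T15:54:07-04:00 " + PREFIX + "sslv3 alert bad certificate: "
    "SSL alert number 42, rip=192.0.2.10, lport=143",
    "2014-04-18T16:02:11-04:00 " + PREFIX + "tlsv1 alert unknown ca: "
    "SSL alert number 48, rip=192.0.2.10, lport=143",
    "2014-04-21T09:30:00-04:00 " + PREFIX + "tlsv1 alert unknown ca: "
    "SSL alert number 48, rip=198.51.100.7, lport=143",
    "2014-04-22T09:31:00-04:00 " + PREFIX + "tlsv1 alert unknown ca: "
    "SSL alert number 48, rip=198.51.100.7, lport=143",
    "2014-04-22T10:00:00-04:00 mailhost dovecot: imap-login: Login: "
    "user=<alice>, rip=192.0.2.10, lport=143",
]
CERT_CHANGED_AT = datetime.fromisoformat("2014-04-18T12:00:00-04:00")

if __name__ == "__main__":
    print(clients_still_failing(SAMPLE_LOG, CERT_CHANGED_AT))
```

Clients that only appear inside the grace period are the ones a mail client restart tends to clear; an address that keeps producing `unknown_ca` days later is worth a look at the chain it is being served.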

