Problem with Let's Encrypt Certificate

Bastian Sebode b.sebode at linet-services.de
Fri Feb 17 16:58:08 UTC 2017 

Hello Folks,

my StartCom SSL-Certificate expires soon and so I wanted to switch to
Let's Encrypt Certificates instead. Unfortunatelly Thunderbird seems not
to like it, although all -tested- other Clients work without any problems.

When I connect with Thunderbird it sends an "Encrypted Alert" directly
after the TLS handshake although Dovecot wants to continue the session.

In the Dovecot Log it says:
Feb 17 17:27:17 imap-login: Debug: SSL: where=0x20, ret=1: SSL
negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Debug: SSL: where=0x2002, ret=1: SSL
negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Warning: SSL alert: where=0x4004, ret=554:
fatal bad certificate [82.100.242.26]

But the certificate is okay, cause it works with other Mailclients and
openssl also says so. What certificate is Thunderbird complaining about?

Thunderbird says something like "There's no supported authentication
method". I don't use any Certificates for Client Authentication, neither
in Dovecot nor in Thunderbird. When I do, it fails the same way.

Weirdly my friend uses the same Dovecot Version with Let's Encrypt on
his Server and it works with Thunderbird without any flaws. Mine fails
the same way in his Thunderbird and also in a fresh installation.

After two weeks of investigating I still have no clue why it behaves
like this.

I uploaded two Wireshark tracefiles, further logs and dovecot -n, may be
someone sees any possible reasons for this weird behavior or has any
further tips on solving this issue.
https://sebode-online.de/dovecot-letsencrypt/

Every hint is highly appreciated!

Best Regards
Bastian

-- 
Bastian Sebode
Fachinformatiker Systemintegration

LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig
Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de

LINET in den sozialen Netzwerken:
www.twitter.com/linetservices | www.facebook.com/linetservices
Wissenswertes aus der IT-Welt: www.linet-services.de/blog/

Geschäftsführung: Timo Springmann, Mirko Savic und Moritz Bunkus
HR B 9170 Amtsgericht Braunschweig

USt-IdNr. DE 259 526 516

More information about the dovecot mailing list