Problem with Let's Encrypt Certificate

chaouche yacine yacinechaouche at yahoo.com
Fri Feb 17 21:38:29 UTC 2017


Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ?

Bastian, are you using an old version of thunderbird ? googling for "SSL alert number 42" gave me two results indicating a bug in thunderbird versions 31,32 and 33. You can check these links if you wish : 


* http://www.dovecot.org/list/dovecot/2014-July/097133.html
* http://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-to-dovecot-and-postfix


-- Yassine




On Friday, February 17, 2017 7:29 PM, Robert L Mathews <lists at tigertech.com> wrote:



On 2/17/17 8:58 AM, Bastian Sebode wrote:


> I uploaded two Wireshark tracefiles, further logs and dovecot -n

Looking at your dovecot -n, you're using two different files here:

ssl_cert = </etc/ssl/sebode-online.de/chain.pem
ssl_key = </etc/ssl/sebode-online.de/key.pem

Are you sure these two files match, and contain the right things in the
right order?

We use a single PEM file as input for both of these parameters, and that
PEM file contains, in this order:

-----BEGIN RSA PRIVATE KEY-----
...
-----BEGIN CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----

... where the first BEGIN CERTIFICATE is the specific hostname one, and
the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate
certificate that ends with "DNFu0Qg==".

You're also manually specifying these non-default parameters:

ssl_cipher_list = ...
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3

For testing, I would simplify. Does it work without any of those three
things set?

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/


More information about the dovecot mailing list