Problem with Let's Encrypt Certificate

Bastian Sebode b.sebode at linet-services.de
Fri Feb 17 21:57:27 UTC 2017


Hey.

Thanks again for your help. I took the "dovecot -n" while the StartSSL
Certificate was active, so the chain.pem was correct.

Finally I found the issue! :-) But I still have no idea why the problem
happens with Thunderbird.

I used dehydrated to fetch the certificates from Let's Encrypt and, as I
said, it works for most clients pretty well. (Tried: Mulberry, Claws
Mail, Outlook 2010, Android (HTC), iPhone, ...) It also works perfectly
with all my HTTPS services.

Whatever, Thunderbird didn't like that cert saying "bad certificate"
(SSL Alert 42).

Now I fetched the cert with Certbot and it works. Really strange though!

I checked for any obvious differences between the certificates and
private keys, but couldn't find any.

So my solution will be to use certbot instead of dehydrated... :-/

Worst thing is that a Microsoft blog article
(https://blogs.msdn.microsoft.com/kaushal/2012/10/05/ssltls-alert-protocol-the-alert-codes/)
led me in the right direction.... ;-)
--
42	bad_certificate	"There is a problem with the certificate, for
example, a certificate is corrupt, or a certificate contains signatures
that cannot be verified."
--

Peace
Bastian

On 17.02.2017 at 21:58, Aki Tuomi wrote:
> Usually with LE, the filename is fullchain.pem, not chain.pem.
> 
> Can you please double-check this?
> 
> Also, try
> 
> openssl s_client -connect hostname:143 -starttls imap
> 
> Aki
> 
>> On February 17, 2017 at 10:31 PM Bastian Sebode <b.sebode at linet-services.de> wrote:
>>
>>
>> Hey Robert,
>>
>> thanks for your reply.
>>
>> On 17.02.2017 at 19:28, Robert L Mathews wrote:
>>> Looking at your dovecot -n, you're using two different files here:
>>>
>>> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
>>> ssl_key = </etc/ssl/sebode-online.de/key.pem
>>>
>>> Are you sure these two files match, and contain the right things in the
>>> right order?
>>>
>> Yes, unfortunately I'm sure that everything has the right order. As you
>> can see in the trace, both certificates (mine and the intermediate) get
>> transferred to the client on connection.
>>
>>> We use a single PEM file as input for both of these parameters, and that
>>> PEM file contains, in this order:
>>>
>>> -----BEGIN RSA PRIVATE KEY-----
>>> ...
>>> -----BEGIN CERTIFICATE-----
>>> ...
>>> -----BEGIN CERTIFICATE-----
>>>
>>> ... where the first BEGIN CERTIFICATE is the specific hostname one, and
>>> the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate
>>> certificate that ends with "DNFu0Qg==".
>>>
>> Tried that, but without success. But your usage doesn't seem right to
>> me. The parameters are not called ssl_cert and ssl_key for nothing. ;-)
>> Normally you don't want your private key to have any other permissions
>> than 600.
>>
>>> You're also manually specifying these non-default parameters:
>>>
>>> ssl_cipher_list = ...
>>> ssl_prefer_server_ciphers = yes
>>> ssl_protocols = !SSLv2 !SSLv3
>>>
>>> For testing, I would simplify. Does it work without any of those three
>>> things set?
>>>
>> Tried this before. I set all SSL-specific settings exactly like my
>> friend, for whom it works without a problem. But it doesn't work for me.
>>
>> Thanks anyway for your effort!
>> Bastian
>> -- 
>> Bastian Sebode
>> IT Specialist, System Integration
>>
>> LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig
>> Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de
>>
>> LINET on social networks:
>> www.twitter.com/linetservices | www.facebook.com/linetservices
>> Worth knowing from the IT world: www.linet-services.de/blog/
>>
>> Managing directors: Timo Springmann, Mirko Savic and Moritz Bunkus
>> Commercial register HR B 9170, Amtsgericht Braunschweig
>>
>> VAT ID DE 259 526 516

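The "bad certificate (SSL Alert 42)" that Thunderbird reports is a plaintext TLS alert record sent by the client during the handshake. As an added example (not code from this thread or from Dovecot), the stdlib-only decoder below parses such a record from a captured trace and names the alert, which tells you whether the client rejected the certificate itself (42, bad_certificate) or merely could not build a trust path to it (48, unknown_ca, typically a missing intermediate). The sample record bytes are constructed.

```python
import struct

# Alert descriptions from RFC 5246 section 7.2 (standard values; subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT_TYPE_ALERT = 21
# Alerts that mean the peer rejected the certificate (chain) it was sent.
CERTIFICATE_ALERTS = {42, 43, 44, 45, 46, 48}


def parse_tls_alert(record: bytes):
    """Decode one plaintext TLS alert record. Returns None for non-alert records."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        return None
    if length != 2 or len(record) < 7:
        # Alerts sent after key exchange are encrypted and longer; not decodable here.
        raise ValueError("not a 2-byte plaintext alert body")
    level, description = record[5], record[6]
    return {
        "version": TLS_VERSIONS.get(version, hex(version)),
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "code": description,
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
        # True when the sender is objecting to the certificate chain it received.
        "certificate_related": description in CERTIFICATE_ALERTS,
    }


if __name__ == "__main__":
    # Constructed sample: a fatal bad_certificate alert as a client would send it.
    sample = bytes.fromhex("1503030002022a")
    print(parse_tls_alert(sample))
```

A `certificate_related` alert from the client means the server did send a chain; the next check is that `ssl_cert` and `ssl_key` belong together and that the leaf precedes the intermediate in the PEM file.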
