error 42 ssl certificate expired

Aki Tuomi aki.tuomi at open-xchange.com
Mon Apr 12 17:59:28 EEST 2021


> On 12/04/2021 17:13 Christopher Wensink <cwensink at five-star-plastics.com> wrote:
>
> Dovecot Team,
> 
> I need a little help.  I came in this morning and it seems like the SSL 
> Certificates expired for dovecot (on an internal mail server) and nobody 
> can move email into  their folders on this server.  In Thunderbird they 
> just see in the status bar:  HISTORY: checking mail server capabilities...
> 
> In /var/log/maillog:
> --------
> Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS: 
> SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 
> alert bad certificate: SSL alert number 42, session=<H5iu9sa/Me0KBQFV>
> 
> I have tried:
> 
> -Restarting Dovecot
> -Restarting the whole mail server
> -Re-creating the .pem files, first moving the old files in 
> /etc/pki/dovecot/certs and /etc/pki/dovecot/private from dovecot.pem to 
> dovecot-old.pem,
>    - Re-creating a new dovecot.pem using the mkcert.sh script in the doc 
> folder in /usr/share/doc/dovecot-2.2.36/,
>    - restarting dovecot
>    - changing the cert values in dovecot-openssl.cnf
> 
> I also tried creating new .crt and key files using this tutorial: 
> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/ 
> 
> 
> I need some assistance, thank you for your help.
> 
> Chris

Please use real certs if possible. Otherwise you need to install the used CA certificate, or the self-signed certificate, to all the clients. Or reset the exception there, and then tell all your users to redo the exception. Using real certs is easier.

Aki

