error 42 ssl certificate expired

Christopher Wensink cwensink at five-star-plastics.com
Mon Apr 12 22:28:32 EEST 2021


I confirm that the solution in Thunderbird was that they had to click on the 
account's inbox, then click get messages, then click the confirm 
security exception button on the server identity pop-up, and that fixes 
the issue.  I could see under Tools > Options > Certificates that the 
server section had a self-signed certificate which is active for 1 
year, so once the new cert is generated then everyone just has to 
confirm the exception of the new self-signed certificate.  It's an easy 
fix once you know the solution.

Thanks for your help Aki.

In our case this is an internally used Dovecot Mail server that's used 
for mail storage only, not for sending out new email and it's not the 
default email account to receive new messages.  The server never touches 
the public internet, only inside the LAN traffic.  In this situation are 
CA authority certificates worth the expense? Just curious on what 
everyone's opinion is of Digital Certs signed by certificate authorities 
that are only used inside the LAN. Thoughts?

On 4/12/2021 9:59 AM, Aki Tuomi wrote:
>> On 12/04/2021 17:13 Christopher Wensink <cwensink at five-star-plastics.com> wrote:
>>
>>   
>> Dovecot Team,
>>
>> I need a little help.  I came in this morning and it seems like the SSL
>> Certificates expired for dovecot (on an internal mail server) and nobody
>> can move email into  their folders on this server.  In Thunderbird they
>> just see in the status bar:  HISTORY: checking mail server capabilities...
>>
>> In /var/log/maillog:
>> --------
>> Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS:
>> SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>> alert bad certificate: SSL alert number 42, session=<H5iu9sa/Me0KBQFV>
>>
>> I have tried:
>>
>> -Restarting Dovecot
>> -Restarting the whole mail server
>> -Re-creating the .pem files, first moving the old files in
>> /etc/pki/dovecot/certs and /etc/pki/dovecot/private from dovecot.pem to
>> dovecot-old.pem,
>>     - Re-creating a new dovecot.pem using the mkcert.sh script in the doc
>> folder in /usr/share/doc/dovecot-2.2.36/,
>>     - restarting dovecot
>>     - changing the cert values in dovecot-openssl.cnf
>>
>> I also tried creating new .crt and key files using this tutorial:
>> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
>>
>>
>> I need some assistance, thank you for your help.
>>
>> Chris
> Please use real certs if possible. Otherwise you need to install the used CA certificate, or the self-signed certificate, to all the clients. Or reset the exception there, and then tell all your users to redo the exception. Using real certs is easier.
>
> Aki
>

-- 
Christopher Wensink
IS Administrator
Five Star Plastics, Inc
1339 Continental Drive
Eau Claire, WI 54701
Office:  715-831-1682
Mobile:  715-563-3112
Fax:  715-831-6075
cwensink at five-star-plastics.com
www.five-star-plastics.com


