You'd need to include alot more information if you're looking for resolution.
- How are you renewing your certs. Are you re-keying when you renew?
- What is your ssl_cert? Is it a single cert or a chain?
I'd set ssl_min_protocol = TLSv1.1 at the very least, probably TLSv1.2 if your users clients can handle it
If you're looking for pointers, I'd try googling the errors.
https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-a... https://community.letsencrypt.org/t/mobile-clients-ssl-alert-number-46/12460...
On 9/7/21 2:24 PM, Marc wrote:
nothing comenting about more knowledgable, but ssl3 nobody uses. it is even adviced not to use tls 1.1 and below
Separate subject, but couldn't help but notice, SSL3 is being used? Wasn't SSL3 retired because of POODLE exploits? Can someone more knowledgeable confirm?
On 9/7/21 11:05, Steve Dondley wrote:
On 2021-09-07 01:25 PM, Amol Kulkarni wrote:
Hello, After I replaced my certificate with a new one yesterday, I'm
seeing some ssl related errors. There are successful pop/imap logins using SSL also. So I think the certificate in itself is fine. No user has complained as yet, so I don't know for sure. However the count of errors has surely increased after installing the new certificate. There are 2 errors seen : dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=, lip =, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<9m0AnVnL 2pHf4hso>
dovecot: imap-login: Disconnected (no auth attempts in 0
secs): user=<>, rip=, lip =, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<ww/b6VfLmeR7yTog>
Kindly help with some pointers. Thanks and Regards, Amol
I assume you tried restarting dovecot, but just in case...
-- Ben Burk BURK.TECH System Administrator