You'd need to include a lot more information if you're looking for resolution.


  1. How are you renewing your certs? Are you re-keying when you renew?
  2. What is your ssl_cert? Is it a single cert or a chain?

I'd set ssl_min_protocol = TLSv1.1 at the very least, probably TLSv1.2 if your users' clients can handle it.


If you're looking for pointers, I'd try googling the errors.

https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s/806175
https://community.letsencrypt.org/t/mobile-clients-ssl-alert-number-46/124608/4


On 9/7/21 2:24 PM, Marc wrote:

Nothing commenting about more knowledgeable, but ssl3 nobody uses. It is even advised not to use TLS 1.1 and below.


Separate subject, but couldn't help but notice, SSL3 is being used?
Wasn't SSL3 retired because of POODLE exploits? Can someone more
knowledgeable confirm?


On 9/7/21 11:05, Steve Dondley wrote:


	On 2021-09-07 01:25 PM, Amol Kulkarni wrote:

		Hello,


		After I replaced my certificate with a new one yesterday, I'm seeing some ssl related errors. There are successful pop/imap logins using SSL also. So I think the certificate in itself is fine. No user has complained as yet, so I don't know for sure. However the count of errors has surely increased after installing the new certificate.
		There are 2 errors seen:
		dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, rip=, lip=, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46, session=<9m0AnVnL2pHf4hso>


		dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42, session=<ww/b6VfLmeR7yTog>

		Kindly help with some pointers.

		Thanks and Regards,
		Amol

	I assume you tried restarting dovecot, but just in case...

    
-- 
Ben Burk
BURK.TECH System Administrator
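
An added example, not part of the original thread: a small Python tally of the two dovecot errors quoted above, grouped by client address and TLS alert, to show whether the failures come from a few clients or from many. The sample log lines are constructed, and the error-code check assumes the pre-3.0 OpenSSL error layout that these codes use.

```python
import re
from collections import Counter

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"(?P<svc>[\w-]+-login): .*?rip=(?P<rip>[^,]*),.*?"
    r"(?P<call>SSL_\w+)\(\) failed: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"SSL routines:\w+:[^:]+: SSL alert number (?P<alert>\d+)")

# Constructed sample lines modelled on the two errors in the thread;
# addresses are documentation-range placeholders, session ids are made up.
_HEAD = "dovecot: imap-login: Disconnected (no auth attempts in 1 secs): user=<>, "
E46 = (_HEAD + "rip=203.0.113.7, lip=192.0.2.10, TLS handshaking: SSL_accept() "
       "failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert "
       "certificate unknown: SSL alert number 46, session=<AAAAAAAAAAAAAAAA>")
E42 = (_HEAD + "rip=203.0.113.9, lip=192.0.2.10, TLS: SSL_read() failed: "
       "error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad "
       "certificate: SSL alert number 42, session=<BBBBBBBBBBBBBBBB>")
LOGIN = ("dovecot: imap-login: Login: user=<alice>, method=PLAIN, "
         "rip=203.0.113.20, lip=192.0.2.10, TLS, session=<CCCCCCCCCCCCCCCC>")
SAMPLE = [E46, E46, E42, LOGIN]

def parse(line):
    """Return the TLS alert details from one login log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code, alert = int(m["code"], 16), int(m["alert"])
    return {"service": m["svc"], "rip": m["rip"], "call": m["call"],
            "alert": alert, "name": CERT_ALERTS.get(alert, "other"),
            # OpenSSL 1.x keeps the reason in the low 12 bits of the code;
            # a reason of 1000 + N means alert N was received from the peer.
            "from_peer": (code & 0xFFF) == 1000 + alert}

def summarize(lines):
    """Count alert events per (client address, alert name, failing call)."""
    events = [e for e in map(parse, lines) if e]
    return Counter((e["rip"], e["name"], e["call"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```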