Re: How to make IMAPS SSL Cert for Dovecot that works with Thunderbird

Inline below

On 5/25/20 11:55 AM, Aki Tuomi wrote:

Sorry...

openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem subject=CN = fullHostnameWith.com on the end MUST-STAPLE <= not present nor 1.3.6....

and

openssl s_client -connect host:993 SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 ...

• OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready. ...

subject=CN = fullHostnameWith.com on the end MUST-STAPLE <= not present nor 1.3.6....

Aki

...

On 25/05/2020 18:52 hanasaki@gmail.com hanasaki@gmail.com wrote:

s_client: Option unknown option -trace

---

x509: Unknown parameter text

On 5/25/20 11:49 AM, Aki Tuomi wrote:

...

Hi!

Can you do

openssl x509 text -noout

and check these things:

your server hostname isn included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24

Also, can you provide output of

openssl s_client -connect host:993 -trace

Aki

...

On 25/05/2020 18:46 hanasaki@gmail.com hanasaki@gmail.com wrote:

Hello Aki and all,

The below lines are in the dovecot config file. This seems to be the same as Aki's suggestion. correct? I have also double checked file perms, tried with several new key gens, several versions of thunderbird and created completely new thunderbird profiles.

Thank you,

ssl_cert =

On 5/25/20 11:11 AM, Aki Tuomi wrote:

...

The real reason is that you have misconfigured your cert. Alert 42 means that the *client* consider *server* client untrusted.

If you are using LE cert you should configure

ssl_cert=

Aki

...

On 25/05/2020 18:01 Hanasaki Jiji hanasaki@gmail.com wrote:

From the config : auth_ssl_require_client_cert = no GMail empty vcard ... I have no ideas . so sorry.

Coding snippets. What can I provide for you that will help? NOTE: it is pretty much the default config from Debian.

Thank you,

On Sun, May 24, 2020 at 9:29 PM Benny Pedersen me@junc.eu wrote: > > On 2020-05-25 02:54, hanasaki@gmail.com wrote: >> Config has >> ssl_verify_client_cert = no >> What options might have the client auth turned on? > > why does gmail attacht empty vcard info ? > > without any config snippes its hard to say what config error is local > > https://wiki.dovecot.org/SSL/DovecotConfiguration > > is it auth_ssl_require_client_cert = yes > > i dont use this auth features to make thunderbird work