I see. You need to import the cert into thundebird's trusted ca certs.
Hello,
This is a selfsigned cert. Both of the below methods were used.
May I ask for 1. pointer to info setting up "intermediate certs" and
where the certfile goes?
The objective is to generate a self-signed cert and use it for just
internal use with IMAPS dovecot.
Separately, what are your thoughts as to why evolution works and
thunderbird does not?
Thank you,
==1
openssl genrsa -out key.pem 2048
openssl req -new -sha512 -key key.pem -out csr.csr
openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out
certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout
mykey.key -out mycert.pem
On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>
>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
>> Evolution, on the exact same system, is working fine with the same
>> accounts. Tried recreating the Dovecot cert and also the thunderbird
>> accounts from scratch. The OpenSSL raw client works fine as well.
>>
>> Would someone also confirm the openssl commands to create a selfsigned
>> cert for dovecot imaps. They cert created does work with evolution;
>> just not thunderbird.
>>
>> Thoughts?
>>
>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in
>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42, session=<-->
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS read client hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write server hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write change cipher spec
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write encrypted extensions
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write server certificate verify
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write finished
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
>> ret=554: fatal bad certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
>> error
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>> alert bad certificate: SSL alert number 42, session=<--->
>>
>> reference
You are missing intermediate certs from your certfile. Put them after
cert in order towards root.
---
Aki Tuomi