On 19/12/2024 13:17, Marc via dovecot wrote:
What is the best way to get rid of this message? I think clients start generating after ssl crt update.
This usually means you forgot to use fullchain cert. This is coming from clients telling you they don't like your certificate.
openssl s_client -connect xxxxxxxxx:143 -starttls imap
this returns Verify return code: 0 (ok)
Should I test this differently?
Even if I check on the host directly [@ certs]# openssl verify xxxxx.crt /xxxx.crt: OK
Well, can't really say much since you're not really providing any details.
I don't seem to get any more details with verbose_ssl=yes. How can I see what cert/ssl-config this could be? I have still some old configs, maybe some clients use that.
Why not just look at your ssl_cert parameter in 10-ssl.conf and then inspect the file it points to. Does it have a single certificate or more than one?
Are you expecting to need a chain/intermediate certificate?