Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
Evolution, on the exact same system, is working fine with the same
accounts. Tried recreating the Dovecot cert and also the thunderbird
accounts from scratch. The OpenSSL raw client works fine as well.
Would someone also confirm the openssl commands to create a selfsigned
cert for dovecot imaps. They cert created does work with evolution;
just not thunderbird.
Thoughts?
Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate: SSL alert number 42
Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in
0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate: SSL alert number 42, session=<-->
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
before SSL initialization
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3/TLS read client hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3/TLS write server hello
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3/TLS write change cipher spec
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
TLSv1.3 write encrypted extensions
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3/TLS write certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
TLSv1.3 write server certificate verify
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
SSLv3/TLS write finished
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
TLSv1.3 early data
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
ret=554: fatal bad certificate
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:
error
Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
certificate: SSL alert number 42
Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:
SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
alert bad certificate: SSL alert number 42, session=<--->
reference
You are missing intermediate certs from your certfile. Put them after cert in order towards root.