Building a new certificate as described in a previous email worked.
*Darryl Baker*
On Sun, Sep 25, 2016 at 5:19 AM, chaouche yacine <yacinechaouche@yahoo.com> wrote:
*From:* Darryl Baker <darryl.p.baker@gmail.com>
*To:* dovecot@dovecot.org
*Sent:* Friday, September 23, 2016 6:07 PM
*Subject:* Self-Signed Certificate issue
I keep getting what I am interpreting as a missing CA cert. The message is:
dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
That's because your client doesn't know about the certificate *issuer* so it doesn't trust it (the certificate), it's not an *authority* (the A in CA). What you need to do is include the *issuer's* certificate in your server's. But even then, the issuer was yourself, and you are not trusted either on the client's side. So what you need to do is install the root certificate in the client's machine so that certificates signed with it are trusted. When the root cert is trusted on the client side, it will trust the intermediate (issuer) certificate because it was signed by it, and trust the server's certificate because it was signed by the intermediate (this is why it's called a certificate *chain* which often has only one intermediate CA although many intermediates are possible).
So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
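The chain described in the reply above, as an added example that is not part of the original thread: it builds a throwaway root, intermediate and server certificate with `openssl`, then checks the server certificate the way a client would in three trust situations. All subject names, the `imap.example.test` host name and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example; every certificate and name below is constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT EXTFILE SERIAL [ISSUER]   (no ISSUER = self-signed root)
make_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null || return 1
    if [ -n "$5" ]; then
        openssl x509 -req -in "$WORK/$1.csr" -days 30 -set_serial "$4" -extfile "$3" \
            -CA "$WORK/$5.crt" -CAkey "$WORK/$5.key" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -days 30 -set_serial "$4" -extfile "$3" \
            -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# ROOT >>signs>> INTERMEDIATE >>signs>> SERVER, plus an unrelated root for contrast
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/srv.ext"
    make_cert root  "/CN=Example Root CA"         "$WORK/ca.ext"  1 &&
    make_cert inter "/CN=Example Intermediate CA" "$WORK/ca.ext"  2 root &&
    make_cert srv   "/CN=imap.example.test"       "$WORK/srv.ext" 3 inter &&
    make_cert other "/CN=Unrelated Root CA"       "$WORK/ca.ext"  4
}

# client_accepts TRUSTED_ROOT [INTERMEDIATE_SENT_BY_SERVER]
# Succeeds only if the server certificate chains up to the root the client trusts.
client_accepts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" "$WORK/srv.crt" 2>&1
    else
        openssl verify -CAfile "$WORK/$1.crt" "$WORK/srv.crt" 2>&1
    fi | grep -q ': OK$'
}

build_chain || { echo "openssl failed to build the test chain" >&2; exit 1; }

# 1) root not installed on the client: the state behind the "unknown ca" alert
# 2) root installed, but the server sends no intermediate
# 3) root installed and the server sends the intermediate
for case in "other inter" "root" "root inter"; do
    if client_accepts $case; then echo "client trust/chain = [$case] -> accepted"
    else echo "client trust/chain = [$case] -> rejected"; fi
done
```

Only the third case is accepted: the client needs the root in its trust store and the server has to supply the intermediate that links its certificate to that root.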