Hello Basti. Maybe you tried LE too early when it was not universally accepted as a trusted CA?
On Monday, February 20, 2017 2:22 PM, basti <basti@unix-solution.de> wrote:
Hello, I had the same problem. LE is not in the CA list.
Best Regards,
On 17.02.2017 17:58, Bastian Sebode wrote:
Hello Folks,
my StartCom SSL-Certificate expires soon and so I wanted to switch to Let's Encrypt Certificates instead. Unfortunately Thunderbird seems not to like it, although all -tested- other Clients work without any problems.
When I connect with Thunderbird it sends an "Encrypted Alert" directly after the TLS handshake although Dovecot wants to continue the session.
In the Dovecot Log it says:

Feb 17 17:27:17 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [82.100.242.26]

But the certificate is okay, because it works with other mail clients and openssl also says so. What certificate is Thunderbird complaining about?
Thunderbird says something like "There's no supported authentication method". I don't use any Certificates for Client Authentication, neither in Dovecot nor in Thunderbird. When I do, it fails the same way.
Weirdly my friend uses the same Dovecot Version with Let's Encrypt on his Server and it works with Thunderbird without any flaws. Mine fails the same way in his Thunderbird and also in a fresh installation.
After two weeks of investigating I still have no clue why it behaves like this.
I uploaded two Wireshark tracefiles, further logs and dovecot -n. Maybe someone sees any possible reasons for this weird behavior or has any further tips on solving this issue.
https://sebode-online.de/dovecot-letsencrypt/
Every hint is highly appreciated!
Best Regards,
Bastian
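
Added example, not part of the original thread: the `where=` and `ret=` values in the log lines quoted above follow the OpenSSL info-callback encoding, so they can be decoded to see which side sent the alert and what it was. The function names are hypothetical, and the sketch assumes Dovecot logs the raw callback values as shown in the post.

```python
import re

# "where" bits passed to the OpenSSL info callback (openssl/ssl.h).
WHERE_BITS = {0x01: "LOOP", 0x02: "EXIT", 0x04: "READ", 0x08: "WRITE",
              0x10: "HANDSHAKE_START", 0x20: "HANDSHAKE_DONE",
              0x1000: "ST_CONNECT", 0x2000: "ST_ACCEPT", 0x4000: "ALERT"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS alert descriptions from RFC 5246, section 7.2.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 43: "unsupported_certificate",
                      44: "certificate_revoked", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}
LINE_RE = re.compile(
    r"SSL(?: alert)?: where=0x([0-9a-fA-F]+), ret=(-?\d+): .*? \[([^\]]+)\]")

# The three log lines quoted in the post.
LOG = [
    "Feb 17 17:27:17 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [82.100.242.26]",
    "Feb 17 17:27:17 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [82.100.242.26]",
    "Feb 17 17:27:17 imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [82.100.242.26]",
]

def decode(line):
    """Decode one log line (hypothetical helper); None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    where, ret = int(m.group(1), 16), int(m.group(2))
    event = {"client": m.group(3), "alert": None,
             "flags": [name for bit, name in WHERE_BITS.items() if where & bit]}
    if where & 0x4000:
        # For alerts, ret is (level << 8) | description. READ means the
        # local side (Dovecot) received the alert, so the peer sent it.
        event["alert"] = {
            "sent_by": "peer" if where & 0x04 else "local",
            "level": ALERT_LEVELS.get(ret >> 8, "unknown"),
            "description": ALERT_DESCRIPTIONS.get(ret & 0xFF, str(ret & 0xFF))}
    return event

def rejected_after_handshake(lines):
    """Map client IP to the fatal alert its peer sent after a finished handshake."""
    done, rejected = set(), {}
    for event in filter(None, map(decode, lines)):
        if "HANDSHAKE_DONE" in event["flags"]:
            done.add(event["client"])
        alert = event["alert"]
        if (alert and alert["sent_by"] == "peer" and alert["level"] == "fatal"
                and event["client"] in done):
            rejected[event["client"]] = alert["description"]
    return rejected
```

For the third line, 0x4004 is the ALERT and READ bits and 554 is (2 << 8) | 42, a fatal bad_certificate alert that Dovecot received from the client after the handshake had completed.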