Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it ?
Bastian, are you using an old version of thunderbird ? googling for "SSL alert number 42" gave me two results indicating a bug in thunderbird versions 31,32 and 33. You can check these links if you wish :
- http://www.dovecot.org/list/dovecot/2014-July/097133.html
- http://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-...
-- Yassine
On Friday, February 17, 2017 7:29 PM, Robert L Mathews <lists@tigertech.com> wrote:
On 2/17/17 8:58 AM, Bastian Sebode wrote:
I uploaded two Wireshark tracefiles, further logs and dovecot -n
Looking at your dovecot -n, you're using two different files here:
ssl_cert = </etc/ssl/sebode-online.de/chain.pem ssl_key = </etc/ssl/sebode-online.de/key.pem
Are you sure these two files match, and contain the right things in the right order?
We use a single PEM file as input for both of these parameters, and that PEM file contains, in this order:
-----BEGIN RSA PRIVATE KEY----- ... -----BEGIN CERTIFICATE----- ... -----BEGIN CERTIFICATE-----
... where the first BEGIN CERTIFICATE is the specific hostname one, and the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate certificate that ends with "DNFu0Qg==".
You're also manually specifying these non-default parameters:
ssl_cipher_list = ... ssl_prefer_server_ciphers = yes ssl_protocols = !SSLv2 !SSLv3
For testing, I would simplify. Does it work without any of those three things set?
-- Robert L Mathews, Tiger Technologies, http://www.tigertech.net/