Self-Signed Certificate issue
My apologies if this is a repeat but my search of the archive did not turn it up in the recent past. If this has been covered just point me at the previous thread, please.
I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:
dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
The certificate was created by:
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem
The Dovecot version is 2.2.22 (fe789d2) The Ubuntu version is 16.04 LTS current patches.
*Darryl Baker*
From: Darryl Baker <darryl.p.baker@gmail.com>
To: dovecot@dovecot.org Sent: Friday, September 23, 2016 6:07 PM Subject: Self-Signed Certificate issue
I keep getting what I am interpreting as a missing CA cert. The message is:
dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
That's because your client doesn't know about the certificate *issuer* so it doesn't trust it (the certificate), it's not an *authority* (the A in CA). What you need to do is include the *issuer's* certificate in your server's. But even then, the issuer was yourself, and your are not trusted either on the client's side. So what you need to do is install the root certificate in the client's machine so that certificates signed with it are trusted. When root cert is trusted on the client side, it will trust the intermediate (issuer) certificate because it was signed by it, and trust the server's certificate because it was signed by the intermediate (this is why it's called a certificate *chain* which often has only one intermediate CA although many intermediates are possible). So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
Building a new certificate as described in a previous email worked.
*Darryl Baker*
On Sun, Sep 25, 2016 at 5:19 AM, chaouche yacine <yacinechaouche@yahoo.com> wrote:
*From:* Darryl Baker <darryl.p.baker@gmail.com>
*To:* dovecot@dovecot.org *Sent:* Friday, September 23, 2016 6:07 PM *Subject:* Self-Signed Certificate issue
I keep getting what I am interpreting as a missing CA cert. The message is:
dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
That's because your client doesn't know about the certificate *issuer* so it doesn't trust it (the certificate), it's not an *authority* (the A in CA). What you need to do is include the *issuer's* certificate in your server's. But even then, the issuer was yourself, and your are not trusted either on the client's side. So what you need to do is install the root certificate in the client's machine so that certificates signed with it are trusted. When root cert is trusted on the client side, it will trust the intermediate (issuer) certificate because it was signed by it, and trust the server's certificate because it was signed by the intermediate (this is why it's called a certificate *chain* which often has only one intermediate CA although many intermediates are possible).
So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
On 24/09/16 03:07, Darryl Baker wrote:
I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:
Why? You can get a "proper" certificate with Letsencrypt and never have to worry about all the issues with self-signed certificates ever again!
Kind Regards AndrewM
participants (3)
-
Andrew McGlashan
-
chaouche yacine
-
Darryl Baker