failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=
What is the best way to get rid of this message? I think clients started generating it after the ssl crt update.
On 19/12/2024 13:59 EET Marc via dovecot <dovecot@dovecot.org> wrote:
> What is the best way to get rid of this message? I think clients started generating it after the ssl crt update.

This usually means you forgot to use the fullchain cert. This is coming from clients telling you they don't like your certificate.

Aki
> This usually means you forgot to use the fullchain cert. This is coming from clients telling you they don't like your certificate.

openssl s_client -connect xxxxxxxxx:143 -starttls imap

This returns "Verify return code: 0 (ok)". Should I test this differently?
Even if I check on the host directly:

[@ certs]# openssl verify xxxxx.crt
/xxxx.crt: OK
On 19/12/2024 14:25 EET Marc via dovecot <dovecot@dovecot.org> wrote:
Well, can't really say much since you're not really providing any details.
Aki
I don't seem to get any more details with verbose_ssl=yes. How can I see what cert/ssl-config this could be? I still have some old configs; maybe some clients use those.
On 19/12/2024 13:17, Marc via dovecot wrote:
Why not just look at your ssl_cert parameter in 10-ssl.conf and then inspect the file it points to? Does it have a single certificate or more than one?

Are you expecting to need a chain/intermediate certificate?
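An added example, not from anyone in this thread: a small Python checker for the output of the `openssl s_client -connect host:143 -starttls imap` run mentioned above. It reads the `Certificate chain` block (the certificates the server actually sent, which is all a remote client has to work with) instead of relying on the local `Verify return code`, which can be 0 on the host simply because the intermediate is already in its own trust store. The sample outputs and host name are constructed.

```python
import re

# Constructed sample outputs of `openssl s_client -connect host:143 -starttls imap`,
# cut down to the lines this checker reads; mail.example.test is not a real host.
FULL_CHAIN = """\
Certificate chain
 0 s:CN = mail.example.test
   i:C = US, O = Let's Encrypt, CN = R11
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
"""
LEAF_ONLY = """\
Certificate chain
 0 s:CN = mail.example.test
   i:C = US, O = Let's Encrypt, CN = R11
---
Verify return code: 21 (unable to verify the first certificate)
"""

CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)
VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)

def parse_chain(text):
    """(subject, issuer) of each certificate the server sent, leaf first."""
    return [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(text)]

def verify_code(text):
    """Local verify result; it depends on the local trust store, so 0 here
    does not prove that remote clients will accept the certificate."""
    m = VERIFY_RE.search(text)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify line")

def diagnose(text):
    """Problems visible in the chain the server actually presented."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain found in output"]
    findings = []
    for n in range(len(chain) - 1):  # each issuer must be the next cert's subject
        if chain[n][1] != chain[n + 1][0]:
            findings.append(f"cert {n} issuer {chain[n][1]!r} is not cert {n + 1} subject")
    subj, issuer = chain[0]
    if len(chain) == 1 and subj != issuer:
        findings.append(f"only the leaf was sent; clients must already have {issuer!r} (missing fullchain?)")
    code, reason = verify_code(text)
    if code != 0:
        findings.append(f"local verify failed: {code} ({reason})")
    return findings
```

Feed it the captured output of the s_client run from a machine other than the server itself; an empty findings list means the server sent a linked chain and the local verification passed.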
> Why not just look at your ssl_cert parameter in 10-ssl.conf and then inspect the file it points to? Does it have a single certificate or more than one?

I already did. Always annoying having everything in one file, and checking what you need to change. Better is to have the chain separate so you only have to update the crt file. Like eg in apache httpd.

> Are you expecting to need a chain/intermediate certificate?

I am expecting nothing :) I am just removing config issues that produce error logs. Last few years clients are more picky about correct chains. As long as letsencrypt is doing most encryption, what is the point of doing encryption at all?
On 19/12/2024 14:46, Marc via dovecot wrote:
>> Why not just look at your ssl_cert parameter in 10-ssl.conf and then inspect the file it points to? Does it have a single certificate or more than one?
> I already did. Always annoying having everything in one file, and checking what you need to change. Better is to have the chain separate so you only have to update the crt file. Like eg in apache httpd.

This behaviour is deprecated in apache.

What do you have? More than one certificate? It is safe to post the certificate file, just not the key.

>> Are you expecting to need a chain/intermediate certificate?
> I am expecting nothing :) I am just removing config issues that produce error logs. Last few years clients are more picky about correct chains. As long as letsencrypt is doing most encryption, what is the point of doing encryption at all?

Let's Encrypt does not do encryption. It does SSL certificates. Other apps such as OpenSSL then use the LE certificate for encryption.

If you are using LE certs, have you checked file and folder permissions, especially of the keys? Do you get any error or warning when you start dovecot?

It is a bit difficult as you are not really answering any questions with useful information.
participants (3)
- Aki Tuomi
- Marc
- Nick Howitt