How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Hello all,
What are the instructions for making an SSL cert for Dovecot IMAPS?
Two methods have been tried, and both work with Evolution; however, they generate the following error when Thunderbird tries to connect.
Thank you,
method 1: self-signed: openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
method 2: Let's Encrypt (LE) CA, created with Certbot
ERROR TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<+oooooo>
From what I can tell, “SSL alert number 42” means that you’ve configured Dovecot to require client authentication.
Otherwise, your Let’s Encrypt certificate (with its authority chain) should suffice.
-FG
On May 24, 2020, at 5:45 PM, hanasaki@gmail.com wrote:
Config has ssl_verify_client_cert = no. What options might have the client auth turned on?
TYIA
On 5/24/20 6:40 PM, Felipe Gasper wrote:
On 2020-05-25 02:54, hanasaki@gmail.com wrote:
why does gmail attach empty vcard info?
without any config snippets it's hard to say what config error is local
https://wiki.dovecot.org/SSL/DovecotConfiguration
is it auth_ssl_require_client_cert = yes
i don't use this auth feature to make thunderbird work
From the config: auth_ssl_require_client_cert = no. GMail empty vcard... I have no ideas. So sorry.
Coding snippets. What can I provide for you that will help? NOTE: it is pretty much the default config from Debian.
Thank you,
On Sun, May 24, 2020 at 9:29 PM Benny Pedersen me@junc.eu wrote:
The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers the *server* cert untrusted.
If you are using LE cert you should configure
ssl_cert=
Aki
On 25/05/2020 18:01 Hanasaki Jiji hanasaki@gmail.com wrote:
Hello Aki and all,
The below lines are in the dovecot config file. This seems to be the same as Aki's suggestion, correct? I have also double-checked file perms, tried several new key generations and several versions of Thunderbird, and created completely new Thunderbird profiles.
Thank you,
ssl_cert =
On 5/25/20 11:11 AM, Aki Tuomi wrote:
Hi!
Can you do
openssl x509 text -noout
and check these things:
your server hostname is included in SubjectAlternativeNames, and that the cert hasn't got a MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
Also, can you provide output of
openssl s_client -connect host:993 -trace
Aki
On 25/05/2020 18:46 hanasaki@gmail.com hanasaki@gmail.com wrote:
s_client: Option unknown option -trace
x509: Unknown parameter text
On 5/25/20 11:49 AM, Aki Tuomi wrote:
Sorry...
openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem
and
openssl s_client -connect host:993
Aki
On 25/05/2020 18:52 hanasaki@gmail.com hanasaki@gmail.com wrote:
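As an added example, not code from the thread: a POSIX shell script that runs Aki's checks (hostname present in the SAN, no must-staple / 1.3.6.1.5.5.7.1.24 extension, and whether the file is a full chain or only a leaf) against a constructed self-signed certificate. The hostname imap.example.test and an openssl CLI of 1.1.1 or newer (for -addext) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI (1.1.1+).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="imap.example.test"   # hypothetical server hostname

# Constructed test material: a self-signed leaf cert with the hostname in
# the SAN, standing in for /etc/letsencrypt/live/<host>/fullchain.pem.
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
  -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# san_has_host FILE HOST -> 0 when HOST is listed as a DNS SAN entry.
# Clients match the SAN, not the CN, so a CN-only cert is not enough.
san_has_host() {
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# has_must_staple FILE -> 0 when the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24) is present. A client that honours it rejects
# the cert unless the server staples an OCSP response.
has_must_staple() {
  openssl x509 -in "$1" -noout -text \
    | grep -Eq '1\.3\.6\.1\.5\.5\.7\.1\.24|TLS Feature'
}

# cert_count FILE -> number of PEM certificates in the file. A Let's
# Encrypt fullchain.pem holds the leaf plus intermediate(s); cert.pem holds
# only the leaf, which leaves the client unable to build a trusted chain.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Report for the constructed cert: SAN ok, no must-staple, 1 cert (leaf only).
san_has_host "$WORK/cert.pem" "$HOST" && echo "SAN contains $HOST"
has_must_staple "$WORK/cert.pem" || echo "no must-staple extension"
echo "certificates in file: $(cert_count "$WORK/cert.pem")"
```

Against the live server, the same three functions can be run on the certificates that openssl s_client -connect host:993 -showcerts prints, which also shows whether the intermediate is actually being served.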
Inline below
On 5/25/20 11:55 AM, Aki Tuomi wrote:
Sorry...
openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem
subject=CN = fullHostnameWith.com on the end
MUST-STAPLE <= not present, nor 1.3.6....
and
openssl s_client -connect host:993
SSL-Session: Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384 ...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready. ...