This is a followup to my thread "Recommended Protocols?".
The error message is as follows: dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
I have selected both SSL/TLS and STARTTLS on the Thunderbird side, with identical results.
The first question that I have is this. Is there any way to know whether that error message comes from an attempt to read:
(a) The server SSL certificate? (b) The client SSL certificate?
Please find attached 2 log files. I am essentially using the distribution files as they come from the box.
TIA
On 10/11/2020 19:17 Raymond Herrera raymond@forcewise.com wrote:
This is a followup to my thread "Recommended Protocols?". The error message is as follows: dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
I have selected both SSL/TLS and STARTTLS on the Thunderbird side, with identical results.
The first question that I have is this. Is there any way to know whether that error message comes from an attempt to read:
(a) The server SSL certificate? (b) The client SSL certificate? Please find attached 2 log files. I am essentially using the distribution files as they come from the box.
TIA
While a bit confusing, this actually means the client did not trust the server certificate. Usually because you forgot the chain certs in the cert file.
Aki
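Aki's reading of the log line, turned into a small log checker as an added example (this is not code from the thread or from Dovecot). It answers the (a)/(b) question mechanically: OpenSSL reports "SSL_read() failed: ... alert ..." on the side that received the alert, so an alert in Dovecot's log was sent by the client and is the client's verdict on the server certificate. The alert names and meanings come from the TLS alert registry (RFC 5246); the operator hints are my suggestions, and the two sample lines are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# TLS alert descriptions (RFC 5246 section 7.2.2), certificate-related subset.
ALERTS = {
    40: ("handshake_failure", "no acceptable set of security parameters"),
    42: ("bad_certificate", "certificate corrupt, or its signature chain did not verify"),
    43: ("unsupported_certificate", "certificate type not supported"),
    44: ("certificate_revoked", "certificate revoked by its issuer"),
    45: ("certificate_expired", "certificate expired or not yet valid"),
    46: ("certificate_unknown", "certificate rejected for an unspecified reason"),
    48: ("unknown_ca", "chain received, but no path to a root the verifier trusts"),
}

# Operator hints (my own wording) for the alerts seen in this thread, plus expiry.
HINTS = {
    42: "Client rejected the server certificate; the usual cause is an ssl_cert "
        "file holding only the leaf, so put the intermediate CA certificate(s) "
        "after it in the same file.",
    48: "Client built the chain but the root is not in its trust store "
        "(self-signed or private CA); use a publicly trusted CA or install "
        "the CA certificate on every client.",
    45: "Check the certificate dates, and that renewal plus a service reload "
        "actually happened.",
}

# Matches the two forms quoted in the thread; SSL_accept() is the other
# OpenSSL call Dovecot reports handshake alerts through.
ALERT_RE = re.compile(
    r"(?P<service>[\w-]+-login): .*?TLS: SSL_(?:read|accept)\(\) failed: "
    r".*?alert (?P<text>[a-z ]+): SSL alert number (?P<num>\d+)"
)


@dataclass
class AlertDiagnosis:
    service: str
    number: int
    name: str
    meaning: str
    sent_by: str   # who sent the alert
    judged: str    # which certificate the sender was evaluating
    hint: str


def diagnose(line: str) -> Optional[AlertDiagnosis]:
    """Parse one Dovecot log line; None if it is not a TLS alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    name, meaning = ALERTS.get(
        num, (m.group("text").replace(" ", "_"), "see the TLS alert registry"))
    # OpenSSL reports "SSL_read() failed: ... alert ..." on the side that
    # RECEIVED the alert. Dovecot is the server, so the client sent it, and a
    # certificate alert from the client is its verdict on the certificate the
    # server presented. Dovecot only asks for a client certificate when
    # ssl_verify_client_cert = yes, and a bad one is rejected locally by the
    # server rather than showing up as a received alert.
    return AlertDiagnosis(
        service=m.group("service"), number=num, name=name, meaning=meaning,
        sent_by="client",
        judged="server certificate (the file named by ssl_cert)",
        hint=HINTS.get(num, "see alert meaning"),
    )


# The two log lines quoted in the thread.
SAMPLE_LINES = [
    "dovecot: imap-login: Disconnected: TLS: SSL_read() failed: SSL routines:"
    "ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42",
    "dovecot: imap-login: TLS: SSL_read() failed: error:SSL routines:"
    "ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = diagnose(line)
        print(f"{d.service}: alert {d.number} ({d.name}) sent by the {d.sent_by}, "
              f"about the {d.judged}\n  -> {d.hint}")
```

Run it over a whole log with `grep 'SSL alert number' /var/log/mail.log | python3 -c ...` style piping, or import `diagnose` and feed it lines; everything it reports comes from the alert number, so it is only as precise as the client's alert choice.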
That is good to know. I was working on the wrong assumption, attempting to create a client certificate on the Windows/Thunderbird side.
I am using the SSL Certificate that comes with the distribution, so the conclusion is Thunderbird does not trust it.
I have this in my notes from ages ago, for generating my own self-signed certificate:
% openssl req -x509 -newkey rsa:4096 -sha256 -keyout openssl.key -out openssl.crt -days 600 -config san.cnf
See attached the 2 errors that I am getting, one is from the distribution cert.
Can a kind soul tell me the current way to do this in Linux?
Perhaps I should use a free service? Which?
TIA
Raymond
LetsEncrypt is not the worst.
Quoting Raymond Herrera raymond@forcewise.com:
That is good to know. I was working on the wrong assumption, attempting to create a client certificate on the Windows/Thunderbird side. I am using the SSL Certificate that comes with the distribution, so the conclusion is Thunderbird does not trust it. I have this in my notes from ages ago, for generating my own self-signed certificate:
% openssl req -x509 -newkey rsa:4096 -sha256 -keyout openssl.key -out openssl.crt -days 600 -config san.cnf
See attached the 2 errors that I am getting, one is from the distribution cert.
I recommend you stay clear of self-signed certificates if the number
of users is greater than one, unless there is a very specific need to
use them. Setting up multiple systems to trust your self-signed
certificate is no fun when you need to aid people in setting up their
systems to trust it.
Can a kind soul tell me the current way to do this in Linux?
Perhaps I should use a free service? Which?
In most cases, Letsencrypt will work just fine. Do remember to set up auto renewal for your certificate(s) and make sure you trigger your systems to reload them upon renewal. You wouldn't be the first to forget about the latter.
This is what I did. I obtained a certificate from this site:
They provided 3 files: certificate.crt, private.key, ca_bundle.crt
which make perfect sense as replacement for the 2 files provided by the distribution. I am guessing that I need somehow to append the 3rd file (ca_bundle.crt) to the first one? In order to raise its credibility?
TIA
I found out that the concatenation is simply text based here:
And am making progress. This is the latest error message:
"dovecot: imap-login: TLS: SSL_read() failed: error:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48"
It seems that I need a cert with a better reputation?
I should follow Arjen's advice:
In most cases, Letsencrypt will work just fine.
Either that, or fork a few bucks for a commercial SSL Certificate.
Raymond
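The ordering question from the last two messages (does ca_bundle.crt get appended to certificate.crt, and in which order) worked through as an added example; this is not code from the thread or from Dovecot. Dovecot's `ssl_cert` file is read the way a TLS client walks a chain: the server (leaf) certificate first, then each intermediate, each one issued by the one that follows. The checker below parses just enough DER to pull the issuer and subject out of every certificate in a concatenated PEM file and reports where that order breaks. The test certificates are constructed stubs (unsigned, with made-up names mail.example.com, Example Intermediate CA and Example Root CA) that carry only the fields the checker reads; they are not real certificates and would not load in TLS.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_ders(bundle: str) -> list[bytes]:
    """Split a concatenated PEM file into DER certificates, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle)]


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def subject_issuer(der: bytes) -> tuple[bytes, bytes]:
    """Return (subject, issuer) as raw DER Name bytes (RFC 5280 section 4.1)."""
    _, cert, _ = _tlv(der, 0)           # Certificate
    _, tbs, _ = _tlv(cert, 0)           # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)          # version [0] EXPLICIT (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)      # version was present, so skip serialNumber too
    _, _, pos = _tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)     # issuer Name
    _, _, pos = _tlv(tbs, pos)          # validity
    _, subject, _ = _tlv(tbs, pos)      # subject Name
    return subject, issuer


def check_chain(bundle: str) -> list[str]:
    """Problems with the order of a chain file; an empty list means it is fine."""
    certs = [subject_issuer(d) for d in pem_to_ders(bundle)]
    if not certs:
        return ["no PEM certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:   # issuer of i must be subject of i+1
            problems.append(f"certificate {i} was not issued by certificate {i + 1}; "
                            "the server certificate must come first, then each "
                            "intermediate in signing order")
    return problems


def build_fullchain(certificate_pem: str, ca_bundle_pem: str) -> str:
    """Leaf first, then the CA bundle: the order Dovecot's ssl_cert expects."""
    return certificate_pem.strip() + "\n" + ca_bundle_pem.strip() + "\n"


# --- Constructed test data: unsigned stub certificates with only the fields
# --- the checker reads. Not real certificates; they will not load in TLS.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn: str) -> bytes:   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))  # commonName
    return _der(0x30, _der(0x31, atv))


def _stub_cert(subject_cn: str, issuer_cn: str) -> str:
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
           + _name(subject_cn))
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CERTIFICATE_CRT = _stub_cert("mail.example.com", "Example Intermediate CA")
CA_BUNDLE_CRT = _stub_cert("Example Intermediate CA", "Example Root CA")
GOOD_BUNDLE = build_fullchain(CERTIFICATE_CRT, CA_BUNDLE_CRT)
BAD_BUNDLE = build_fullchain(CA_BUNDLE_CRT, CERTIFICATE_CRT)   # bundle pasted above the leaf

if __name__ == "__main__":
    print("leaf then bundle:", check_chain(GOOD_BUNDLE) or "chain order OK")
    print("bundle then leaf:", check_chain(BAD_BUNDLE))
```

Two caveats worth keeping in mind. A correctly ordered chain only fixes alert 42; if the client still answers with alert 48 (unknown ca), the root that the chain ends at is simply not in the client's trust store, and no amount of concatenation changes that, which is why the thread moves on to a publicly trusted CA. And Dovecot reads the files named by `ssl_cert` and `ssl_key` at start-up and on reload (`doveadm reload`), so a renewed certificate that has landed on disk is not served until that reload happens.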
participants (3)
- Aki Tuomi
- Arjen de Korte
- Raymond Herrera