Reindl Harald h.reindl at thelounge.net
Thu Jul 11 22:23:27 EEST 2013

On 11.07.2013 20:47, Peter von Nostrand wrote:
> I'm running a new dovecot 2.0.9 under CentOS 6.4. I'm having an issue with
> SSL certificate not being accepted by the email client.
> I have my own CA and I have generated certificates for web usage without a
> problem.
> For imaps and pop3s what I did was generate a certificate for the hostname
> of my dovecot server and then cat that cert with the intermediate and root
> CA certificates. No matter what, Thunderbird still complains with Unknown
> identity.

because Thunderbird does not trust your own CA by default
without importing it there by hand - you can not expect to
cat your CA to the cert for the server and that is enough
to get trusted by the client - if so everybody would do
this to make his DNS forgery successful

please do not post debug logs anywhere without being requested

> This is the log:
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x10, ret=1:
> before/accept initialization []
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2001, ret=1:
> before/accept initialization []
> Jul 11 15:38:45 imap-login: Warning: SSL: where=0x2002, ret=-1: SSLv2/v3
> read client hello A []

the below is clear because the client does not finish the TLS handshake

> Jul 11 15:38:45 imap-login: Info: Disconnected (no auth attempts):
> rip=, lip=, TLS: SSL_read() failed:
> error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown: SSL alert number 46
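
The trust decision discussed in this message can be reproduced offline with `openssl verify`. The script below is an added example, not part of the original post. It builds a throwaway root, intermediate and server certificate, concatenates them as the poster did, and checks the result with and without the root as the client's trust anchor. All names (`Demo Root CA`, `mail.example.test`) and file names are constructed, and it assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Constructed lab: every name here (Demo Root CA, mail.example.test) is made up.
set -eu

new_key_and_csr() {  # $1 = file prefix, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_key_and_csr "$d/root" "Demo Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  new_key_and_csr "$d/int" "Demo Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  new_key_and_csr "$d/srv" "mail.example.test"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null
  # What the server hands out: leaf + intermediate + root, concatenated.
  cat "$d/srv.pem" "$d/int.pem" "$d/root.pem" > "$d/served.pem"
}

# Succeeds only if a client accepts the served chain.
# $1 = working directory, $2 = root the client has imported (optional).
# Certificates sent by the server are passed as -untrusted: they help build
# the path but are never trust anchors, so a bundled root changes nothing.
client_accepts() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/served.pem" "$1/srv.pem"
  else
    openssl verify -untrusted "$1/served.pem" "$1/srv.pem"
  fi >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_chain "$demo_dir"
if client_accepts "$demo_dir"; then echo "root not imported: accepted"
else echo "root not imported: rejected"; fi
if client_accepts "$demo_dir" "$demo_dir/root.pem"; then echo "root imported: accepted"
else echo "root imported: rejected"; fi
```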

