[Dovecot] Changing SSL certificates - switching from self-signed to RapidSSL

Reindl Harald h.reindl at thelounge.net
Sat Apr 19 07:02:37 UTC 2014


On 19.04.2014 03:29, Joseph Tam wrote:
> Charles Marcus <CMarcus at Media-Brokers.com> wrote:
> 
>> 2014-04-18T15:54:07-04:00 dinkumthinkum dovecot: imap-login:
>> Disconnected (no auth attempts in 0 secs): user=<>, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate: SSL alert number 42, rip=99.14.24.224, lport=143
>>
>> Not a huge number, but enough to be concerning...
>>
>> Could this just be from cached junk from some clients, and they will
>> resolve themselves over time?
> 
> Short answer: maybe.  I got these errors when I switched from a self-signed
> to CA signed cert, and the client had an open mail session:
> 
>     Feb 22 02:10:32 imap-login: Disconnected (no auth attempts in 0
>     secs): user=<>, rip=x.x.x.x, lip=y.y.y.y, TLS: SSL_read() failed:
>     error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
>     ca: SSL alert number 48, session=<w4Lm8vvypgCJUgmg>
> 
> Not quite the same as yours, but if you call the client up and ask them
> to restart their mail client, I'm fairly confident these will go away,
> as for my user.
> 
> You might get some weirdness if for some reason the client does not have
> the intermediate CAs cached.  I ran into this problem with our certs --
> some RH distributions did have the intermediate CA certs in their store.

you only need to read the documentation, any CA these days
has intermediate certs (Thawte, GoDaddy....) and for any
service (dovecot, postfix, httpd...) you have to use the
config parameter *OR* "cat your.crt chain.crt > new.crt"

http://wiki2.dovecot.org/SSL/DovecotConfiguration

Chained SSL certificates

Put all the certificates in the ssl_cert file. For example when
using a certificate signed by TDC the correct order is:

    Dovecot's public certificate
    TDC SSL Server CA
    TDC Internet Root CA
    Globalsign Partners CA

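As an added example (not part of this thread or of Dovecot itself), a small standard-library Python checker for the chain order the wiki describes: it reads a PEM bundle such as the one "cat your.crt chain.crt > new.crt" produces and confirms that each certificate is issued by the one that follows it, which is the ordering the wiki lists. The bundle is constructed: a leaf named mail.example.test and the TDC chain names from the wiki are assumed, and the fake_cert_pem stand-ins carry only the issuer and subject fields, they are not real signed certificates.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return the raw DER Name encodings (issuer, subject) of one certificate."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]          # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] version
    pos = _tlv(tbs, _tlv(tbs, pos)[2])[2]      # skip serialNumber and signature alg
    _, issuer, pos = _tlv(tbs, pos)
    pos = _tlv(tbs, pos)[2]                    # skip validity
    return issuer, _tlv(tbs, pos)[1]

def chain_order_errors(pem_bundle):
    """Byte-compare issuer(i) with subject(i+1); [] means leaf->CA order is right. Order only, no signature check."""
    ders = [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bundle)]
    if not ders:
        return ["no certificates found"]
    names = [issuer_and_subject(d) for d in ders]
    return [f"certificate {i} is not issued by certificate {i + 1}"
            for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

def _der(tag, payload):                       # encode one DER TLV (payloads here stay < 256 bytes)
    n = len(payload)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + payload

def fake_cert_pem(subject, issuer):
    """CONSTRUCTED unsigned stand-in with only the fields the checker reads; not a real X.509 cert."""
    name = lambda s: _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, tbs))
            + b"-----END CERTIFICATE-----\n")

# Constructed ssl_cert bundle in the order the Dovecot wiki gives for a TDC-signed cert.
GOOD_BUNDLE = b"".join(fake_cert_pem(s, i) for s, i in [
    ("mail.example.test", "TDC SSL Server CA"), ("TDC SSL Server CA", "TDC Internet Root CA"),
    ("TDC Internet Root CA", "Globalsign Partners CA"), ("Globalsign Partners CA", "Globalsign Partners CA")])
```

Running chain_order_errors over the real ssl_cert file before restarting Dovecot catches a missing or misplaced intermediate, which is what produces the "unknown ca" alert quoted above.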

