tlsv1 alert unknown ca: SSL alert number 48

Tobias lists.zxinn at otaking.se
Sat Jun 18 06:36:43 UTC 2016


What does openssl say when you connect to your dovecot server?

openssl s_client -starttls imap -connect <ip>:143

With my previous setup (Roundcube 1.1.3; PHP 5.6) I was successfully 
using only "verify_peer" and "verify_peer_name", both set to false, when 
connecting to a very old Courier-IMAP server using a self-signed 
certificate.

E.g.

$config['default_host'] = array(
   'tls://<ip>:143' => 'implicit STARTTLS',
   'ssl://<ip>:993' => 'explicit SSL',
);
$config['imap_conn_options'] = array(
   'ssl' => array(
     'verify_peer'      => false,
     'verify_peer_name' => false,
   ),
);


/Tobias

On 2016-06-18 13:34, Gedalya wrote:
> What version of Roundcube are you using?
> 
> On 06/17/2016 04:14 PM, Maurizio Dall'Acqua wrote:
>> I have tried all the suggestions up till now but the error message is
>> still there.
>> 
>> I have tried this configuration for Roundcube:
>> 
>>  $config['imap_conn_options'] = array(
>>    'ssl' => array(
>>      'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>      'verify_peer' => true,
>>      'verify_depth' => 3,
>> //   'cafile' => '/dont/need/to/set/this/option',
>>    ),
>>  );
>> 
>> and this one:
>> 
>>  $config['imap_conn_options'] = array(
>>    'ssl' => array(
>>      'verify_peer' => false,
>>      'verify_peer_name' => false,
>>    ),
>>  );
>> 
>> and this one too:
>> 
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'verify_peer'  => true,
>>     'verify_depth' => 3,
>>     'cafile'       => '/path/to/my/self/signed/certificate.pem',
>>   ),
>> );
>> 
>> I'm at a loss :-(
>> 
>> 
>> 
>> 
>> 
>> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>>> server certificate(s):
>>> 
>>> // IMAP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['imap_conn_options'] = array(
>>>   'ssl' => array(
>>>     'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>>     'verify_peer' => true,
>>>     'verify_depth' => 3,
>>>     #'cafile' => '/dont/need/to/set/this/option',
>>>   ),
>>> );
>>> 
>>> // SMTP socket context options
>>> // See http://php.net/manual/en/context.ssl.php
>>> $config['smtp_conn_options'] = array(
>>>   'ssl' => array(
>>>     'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>>>     'verify_peer' => true,
>>>     'verify_depth' => 3,
>>>     #'cafile' => '/dont/need/to/set/this/option',
>>>   ),
>>> );
>>> 
>>> Works for me.
>>> 
>>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>>>> I think that you are right when you say that the problem may be the
>>>> certificate recognition.
>>>> 
>>>> As for Roundcube, I've inserted the uncommented PHP code that you
>>>> provided in /usr/share/roundcube/main.inc.php.dist, which is the
>>>> Raspbian file for /config/defaults.inc.php. Unfortunately Roundcube
>>>> doesn't log in and replies with the message "connection to storage
>>>> server failed". And the log file of dovecot gives the reason: unknown
>>>> certificate.
>>>> 
>>>> In order to solve this problem do you think that I should look into
>>>> the configuration file of Squirrelmail/Roundcube or in the config file
>>>> of Dovecot?
>>>> 
>>>> 
>>>> On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>>>>> On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I have set up a mail server with postfix+dovecot 2.2.13 on my
>>>>>> Raspberry Pi running Raspbian Jessie OS.
>>>>>> 
>>>>>> Now I would like to add an on-line e-mail client like Squirrelmail
>>>>>> or Roundcube. I was able to start up these two clients but when I
>>>>>> try to log in I get this error message in the dovecot log:
>>>>>> 
>>>>>> tlsv1 alert unknown ca: SSL alert number 48
>>>>>> 
>>>>>> But I have inserted the self-signed certificate and key in
>>>>>> /etc/dovecot/conf.d/10-master.conf
>>>>>> 
>>>>>> Moreover, I can send and receive e-mails from/to my server, and I
>>>>>> can log in successfully to dovecot IMAP with Thunderbird.
>>>>>> 
>>>>>> Can somebody give me a clue on how to solve this problem? Any help
>>>>>> would be much appreciated.
>>>>>> 
>>>>>> Regards,
>>>>>> Maurizio
>>>>> This could mean that the client has indicated it was unable to
>>>>> verify the server's certificate.
>>>>> 
>>>>> With regards to Roundcube, see this in config/defaults.inc.php:
>>>>> 
>>>>> //$config['imap_conn_options'] = array(
>>>>> //  'ssl'         => array(
>>>>> //     'verify_peer'  => true,
>>>>> //     'verify_depth' => 3,
>>>>> //     'cafile'       => '/etc/openssl/certs/ca.crt',
>>>>> //   ),
>>>>> // );
>>>>> 
>>>>> 
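
An offline check of the trust settings tried in this thread, as an added example that is not part of the original messages: it verifies a self-signed certificate with no trust anchor, with the certificate itself as the CA file (the role of 'cafile'), and against a non-matching name (the role of 'peer_name'). The host names, file names and the helper names make_selfsigned and check_trust are assumptions made for the example; it needs the openssl CLI, version 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread. mail.example.test, imap.example.test
# and the file names are constructed values.

# make_selfsigned NAME DIR: throwaway self-signed cert and key for NAME in DIR.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# check_trust CERT NAME [CAFILE]
# Verifies CERT the way a client with 'verify_peer' => true would:
#   CAFILE stands in for 'cafile' (omitted: system trust store only),
#   NAME   stands in for 'peer_name'.
# Prints one verdict: ok | unknown-ca | name-mismatch | other
check_trust() {
    ct_cert=$1 ct_name=$2 ct_ca=${3:-}
    if ct_out=$(openssl verify ${ct_ca:+-CAfile "$ct_ca"} \
                    -verify_hostname "$ct_name" "$ct_cert" 2>&1); then
        echo ok
        return 0
    fi
    case $ct_out in
        # 18/19: self-signed cert not trusted; 20/21: issuer not found locally
        *"error 18 "*|*"error 19 "*|*"error 20 "*|*"error 21 "*)
            echo unknown-ca ;;
        # 62: certificate does not cover the expected host name
        *"error 62 "*)
            echo name-mismatch ;;
        *)
            echo other ;;
    esac
    return 1
}

# Demonstration on a constructed certificate.
tmp=$(mktemp -d)
make_selfsigned mail.example.test "$tmp"
printf 'no cafile:          %s\n' \
    "$(check_trust "$tmp/cert.pem" mail.example.test)"
printf 'cafile = the cert:  %s\n' \
    "$(check_trust "$tmp/cert.pem" mail.example.test "$tmp/cert.pem")"
printf 'cafile, wrong name: %s\n' \
    "$(check_trust "$tmp/cert.pem" imap.example.test "$tmp/cert.pem")"
rm -rf "$tmp"
```

To check a real server certificate, call check_trust with the certificate file, the name the client connects with, and the file intended for 'cafile'.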

