tlsv1 alert unknown ca: SSL alert number 48

Dr. Matthias Sitte matthias at familie-sitte.org
Sat Jun 18 08:45:39 UTC 2016


OK, what if you try to set 'peer_name' to the FQDN in the self-signed 
cert AND 'cafile' to your CA file?

What exactly do the debug logs for Roundcube, Dovecot say?

openssl connect output would be helpful, too, as others pointed out as 
well.

On 2016-06-17 22:14, Maurizio Dall'Acqua wrote:
> I have tried all the suggestions up till now but the error message is still
> there.
> 
> I have tried this configuration for Roundcube:
> 
>  $config['imap_conn_options'] = array(
>    'ssl' => array(
>      'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>      'verify_peer' => true,
>      'verify_depth' => 3,
> //   'cafile' => '/dont/need/to/set/this/option',
>    ),
>  );
> 
> and this one:
> 
>  $config['imap_conn_options'] = array(
>    'ssl' => array(
>      'verify_peer' => false,
>      'verify_peer_name' => false,
>    ),
>  );
> 
> and this one too:
> 
>  $config['imap_conn_options'] = array(
>    'ssl' => array(
>      'verify_peer'  => true,
>      'verify_depth' => 3,
>      'cafile'       => '/path/to/my/self/signed/certificate.pem',
>    ),
>  );
> 
> I'm at a loss :-(
> 
> On Fri, Jun 17, 2016 at 08:43:11AM +0200, Dr. Matthias Sitte wrote:
>> Solution: Set 'peer_name' in the SSL stream context to the FQDN of the
>> server certificate(s):
>> 
>> // IMAP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['imap_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>> 
>> // SMTP socket context options
>> // See http://php.net/manual/en/context.ssl.php
>> $config['smtp_conn_options'] = array(
>>   'ssl' => array(
>>     'peer_name' => '<FQDN_OF_POSTFIX_CERTIFICATE>',
>>     'verify_peer' => true,
>>     'verify_depth' => 3,
>>     #'cafile' => '/dont/need/to/set/this/option',
>>   ),
>> );
>> 
>> Works for me.
>> 
>> On 2016-06-16 20:43, Maurizio Dall'Acqua wrote:
>> >I think that you are right when you say that the problem may be the
>> >certificate recognition.
>> >
>> >As for Roundcube, I've inserted the uncommented PHP code that you provided
>> >in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
>> >/config/defaults.inc.php. Unfortunately Roundcube doesn't log in and replies
>> >with the message "connection to storage server failed". And the log file
>> >of dovecot gives the reason: unknown certificate.
>> >
>> >In order to solve this problem do you think that I should look into the
>> >configuration file of Squirrelmail/Roundcube or in the config file of
>> >Dovecot?
>> >
>> >
>> >On Wed, Jun 15, 2016 at 05:48:32PM -0400, Gedalya wrote:
>> >>On 06/15/2016 04:26 PM, Maurizio Dall'Acqua wrote:
>> >>> Hi,
>> >>>
>> >>> I have set up a mail server with postfix+dovecot 2.2.13 on my Raspberry Pi
>> >>> running Raspbian Jessie OS.
>> >>>
>> >>> Now I would like to add an on-line e-mail client like Squirrelmail or
>> >>> Roundcube. I was able to start up these two clients but when I try to login
>> >>> I get this error message in the dovecot log:
>> >>>
>> >>> tlsv1 alert unknown ca: SSL alert number 48
>> >>>
>> >>> But I have inserted the self-signed certificate and key in
>> >>> /etc/dovecot/conf.d/10-master.conf
>> >>>
>> >>> Moreover, I can send and receive e-mails from/to my server, and I can login
>> >>> successfully to dovecot IMAP with Thunderbird.
>> >>>
>> >>> Can somebody give me a clue on how to solve this problem? Any help would be much
>> >>> appreciated.
>> >>>
>> >>> Regards,
>> >>> Maurizio
>> >>
>> >>This could mean that the client has indicated it was unable to verify
>> >>the server's certificate.
>> >>
>> >>With regards to Roundcube, see this in config/defaults.inc.php:
>> >>
>> >>//$config['imap_conn_options'] = array(
>> >>//  'ssl'         => array(
>> >>//     'verify_peer'  => true,
>> >>//     'verify_depth' => 3,
>> >>//     'cafile'       => '/etc/openssl/certs/ca.crt',
>> >>//   ),
>> >>// );
>> >>
>> >>
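
Added example, not part of the original thread: the two checks that 'cafile' and 'peer_name' control in PHP's SSL context, reproduced offline with the openssl CLI on a throwaway self-signed certificate. The name mail.example.test, the connect name localhost and the helper functions are assumptions made for the demo; when 'peer_name' is unset, PHP checks the certificate against the host name used to open the connection.

```shell
#!/bin/sh
# Added demo, not from the thread. Everything below is constructed:
# a one-day self-signed certificate for the made-up name mail.example.test.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"
trap 'rm -rf "$WORK"' EXIT

make_cert() {
  # Own minimal config so the result does not depend on the system openssl.cnf.
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = mail.example.test
[ext]
subjectAltName = DNS:mail.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null
}

# check NAME [CAFILE] prints "ok" or "fail".
# NAME plays the role of 'peer_name', CAFILE the role of 'cafile'.
check() {
  if [ -n "$2" ]; then
    openssl verify -verify_hostname "$1" -CAfile "$2" "$CERT" >/dev/null 2>&1
  else
    # No CA file given: only the system trust store is consulted.
    openssl verify -verify_hostname "$1" "$CERT" >/dev/null 2>&1
  fi && echo ok || echo fail
}

make_cert
echo "peer_name set, no cafile:          $(check mail.example.test)"
echo "cafile set, name is 'localhost':   $(check localhost "$CERT")"
echo "peer_name and cafile both set:     $(check mail.example.test "$CERT")"
```

Only the last combination verifies: a self-signed certificate is in no system trust store, and it carries a single name that the client must ask for.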

