Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK

Reio Remma reio at mrstuudio.ee
Thu Apr 30 21:44:04 EEST 2020


For internal use I've installed the private CA cert on whatever clients 
I'm using (Thunderbird, browsers). That way you don't need to make 
exceptions every time a certificate changes.

Good luck,
Reio

On 30.04.2020 21:36, hanasaki at gmail.com wrote:
> Hello,
>
> This is a self-signed cert.  Both of the below methods were used.
>
> May I ask for 1. pointer to info setting up "intermediate certs" and 
> where the certfile goes?
>
> The objective is to generate a self-signed cert and use it for just 
> internal use with IMAPS dovecot.
>
> Separately, what are your thoughts as to why evolution works and 
> thunderbird does not?
>
> Thank you,
>
> ==1
> openssl genrsa -out key.pem 2048
> openssl req -new -sha512 -key key.pem -out csr.csr
> openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
> openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
>
> ==2
> openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
>
>
> On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>
>>> On 30/04/2020 14:49 hanasaki at gmail.com wrote:
>>>
>>>
>>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
>>> Evolution, on the exact same system, is working fine with the same
>>> accounts. Tried recreating the Dovecot cert and also the thunderbird
>>> accounts from scratch. The OpenSSL raw client works fine as well.
>>>
>>> Would someone also confirm the openssl commands to create a self-signed
>>> cert for dovecot imaps? The cert created does work with evolution;
>>> just not thunderbird.
>>>
>>> Thoughts?
>>>
>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42
>>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth 
>>> attempts in
>>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42, session=<-->
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> SSLv3/TLS read client hello
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> SSLv3/TLS write server hello
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> SSLv3/TLS write change cipher spec
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> TLSv1.3 write encrypted extensions
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> SSLv3/TLS write certificate
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> TLSv1.3 write server certificate verify
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> SSLv3/TLS write finished
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
>>> ret=554: fatal bad certificate
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> error
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42
>>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
>>> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:
>>> SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>>> alert bad certificate: SSL alert number 42, session=<--->
>>>
>>> reference
>>> http://forums.debian.net/viewtopic.php?f=5&t=145849
>>
>> You are missing intermediate certs from your certfile. Put them after 
>> cert in order towards root.
>>
>> ---
>> Aki Tuomi
>>
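
Added example, not part of the original thread or of Dovecot's documentation: one way to build the private CA described in the reply at the top, with a server certificate signed by it instead of a bare self-signed one. The host name, CA name, file names and the helper functions `make_pki` and `verify_chain` are assumptions for illustration.

```shell
#!/bin/sh
# Added example: private CA plus a server certificate for an internal IMAPS host.
# Host name, CA name and file names are assumptions, not values from the thread.

make_pki() (   # $1 = empty work dir, $2 = host name the mail clients connect to
    umask 077                      # private keys readable by the owner only
    cd "$1" || exit 1
    cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    # 1. CA certificate: ca.pem (never ca.key) is what gets imported on clients.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=Example Internal Mail CA" \
        -keyout ca.key -out ca.pem 2>/dev/null &&
    # 2. Server key and certificate signing request.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout server.key -out server.csr 2>/dev/null &&
    # 3. The CA signs the CSR; extensions come from [v3_server], not the CSR.
    openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -extfile pki.cnf -extensions v3_server \
        -sha256 -days 365 -out server.pem 2>/dev/null
    # server.pem is the server's certfile. If an intermediate CA is used,
    # append its certificate after server.pem, in order towards the root.
)

verify_chain() {   # $1 = work dir, $2 = host name the client expects
    # Succeeds only if a client trusting just ca.pem would accept server.pem.
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && make_pki "$work" mail.example.internal &&
    verify_chain "$work" mail.example.internal && echo "chain verifies"
rm -rf "$work"
```

When the server certificate is renewed under the same CA, clients that already trust `ca.pem` need no new exception.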


