Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK

hanasaki at gmail.com hanasaki at gmail.com
Thu Apr 30 21:47:23 EEST 2020


I would expect the public cert to be imported as a "server" cert, not an "auth" cert.

The attached image shows that TBird wants an HTTPS URL for a web server as 
the source.

Ages ago, I think it prompted for "do you want to trust this new cert" 
and YES added it (assuming that is the public key) to the server list.  
A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:
> I see. You need to import the cert into thunderbird's trusted ca certs.
>
> Aki
>> On 30/04/2020 21:36 hanasaki at gmail.com wrote:
>>
>>
>> Hello,
>>
>> This is a self-signed cert. Both of the below methods were used.
>>
>> May I ask for 1. pointer to info setting up "intermediate certs" and
>> where the certfile goes?
>>
>> The objective is to generate a self-signed cert and use it for just
>> internal use with IMAPS dovecot.
>>
>> Separately, what are your thoughts as to why evolution works and
>> thunderbird does not?
>>
>> Thank you,
>>
>> ==1
>>
>> openssl genrsa -out key.pem 2048
>>
>> openssl req -new -sha512 -key key.pem -out csr.csr
>>
>> openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem
>> openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo
>>
>> ==2
>> openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem
>>
>>
>> On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>>> On 30/04/2020 14:49 hanasaki at gmail.com wrote:
>> >>
>> >> Recently thunderbird and Dovecot IMAPS cannot agree on SSL; however,
>> >> Evolution, on the exact same system, is working fine with the same
>> >> accounts. Tried recreating the Dovecot cert and also the thunderbird
>> >> accounts from scratch. The OpenSSL raw client works fine as well.
>> >>
>> >> Would someone also confirm the openssl commands to create a self-signed
>> >> cert for dovecot imaps. The cert created does work with evolution;
>> >> just not thunderbird.
>> >>
>> >> Thoughts?
>> >>
>> >> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>> >> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<-->
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42
>> >> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--->
>> >>
>> >> reference
>> >> http://forums.debian.net/viewtopic.php?f=5&t=145849
>>> You are missing intermediate certs from your certfile. Put them after
>>> cert in order towards root.
>>>
>>> ---
>>> Aki Tuomi
>
> ---
> Aki Tuomi