<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I would expect the public cert to be imported as a "server" not
an "auth"</p>
<p>The attached image shows that TBird wants an httpS url for a
webserver, for the source.</p>
<p>Ages ago, I think it prompted for "do you want to trust this new
cert" and YES added it (assuming that is the public key) to the
server list. A bit confused by this.<br>
</p>
<p><see attached thunderbird image><br>
</p>
<p><img src="cid:part1.FBC7C8DC.5E9EBC61@gmail.com" alt=""></p>
<div class="moz-cite-prefix">On 4/30/20 2:41 PM, Aki Tuomi wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2106456658.645.1588272062809@appsuite-dev-gw2.open-xchange.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<div>I see. You need to import the cert into thundebird's trusted
ca certs.</div>
<div><br>
</div>
<div>Aki</div>
<blockquote type="cite">
<div>On 30/04/2020 21:36 <a href="mailto:hanasaki@gmail.com"
moz-do-not-send="true">hanasaki@gmail.com</a> <<a
href="mailto:hanasaki@gmail.com" moz-do-not-send="true">hanasaki@gmail.com</a>>
wrote:</div>
<div><br>
</div>
<div><br>
</div>
<div>Hello,</div>
<div><br>
</div>
<div>This is a selfsigned cert. Both of the below methods were
used.</div>
<div><br>
</div>
<div>May I ask for 1. pointer to info setting up "intermediate
certs" and</div>
<div>where the certfile goes?</div>
<div><br>
</div>
<div>The objective is to generate a self-signed cert and use it
for just</div>
<div>internal use with IMAPS dovecot.</div>
<div><br>
</div>
<div>Separately, what are your thoughts as to why evolution
works and</div>
<div>thunderbird does not?</div>
<div><br>
</div>
<div>Thank you,</div>
<div><br>
</div>
<div>==1</div>
<div><br>
</div>
<div>openssl genrsa -out key.pem 2048</div>
<div><br>
</div>
<div>openssl req -new -sha512 -key key.pem -out csr.csr</div>
<div><br>
</div>
<div>openssl req -x509 -sha512 -days 365 -key key.pem -in
csr.csr -out</div>
<div>certificate.pem</div>
<div>openssl req -in csr.csr -text -noout | grep -i
"Signature.*SHA" && echo</div>
<div><br>
</div>
<div>==2</div>
<div>openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes
-keyout</div>
<div>mykey.key -out mycert.pem</div>
<div><br>
</div>
<div><br>
</div>
<div>On 4/30/20 8:11 AM, Aki Tuomi wrote:</div>
<blockquote type="cite">
<blockquote type="cite">
<div>On 30/04/2020 14:49 <a
href="mailto:hanasaki@gmail.com" moz-do-not-send="true">hanasaki@gmail.com</a>
<mailto:<a href="mailto:hanasaki@gmail.com"
moz-do-not-send="true">hanasaki@gmail.com</a>></div>
<div><<a href="mailto:hanasaki@gmail.com"
moz-do-not-send="true">hanasaki@gmail.com</a>
<mailto:<a href="mailto:hanasaki@gmail.com"
moz-do-not-send="true">hanasaki@gmail.com</a>>>
wrote:</div>
</blockquote>
</blockquote>
<div>>></div>
<div>>> Recently thunderbird and Dovecot IMAPS cannot
agree on SSL however</div>
<div>>> Evolution, on the exact same system, is working
fine with the same</div>
<div>>> accounts. Tried recreating the Dovecot cert and
also the thunderbird</div>
<div>>> accounts from scratch. The OpenSSL raw client
works fine as well.</div>
<div>>></div>
<div>>> Would someone also confirm the openssl commands to
create a selfsigned</div>
<div>>> cert for dovecot imaps. They cert created does
work with evolution;</div>
<div>>> just not thunderbird.</div>
<div>>></div>
<div>>> Thoughts?</div>
<div>>></div>
<div>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL
error: SSL_accept()</div>
<div>>> failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad</div>
<div>>> certificate: SSL alert number 42</div>
<div>>> Apr 8 18:10:18 hh dovecot: imap-login:
Disconnected (no auth attempts in</div>
<div>>> 0 secs): user=<>, rip=000, lip=0000 TLS
handshaking: SSL_accept()</div>
<div>>> failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad</div>
<div>>> certificate: SSL alert number 42,
session=<--></div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x10, ret=1:</div>
<div>>> before SSL initialization</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> before SSL initialization</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> before SSL initialization</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> before SSL initialization</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> SSLv3/TLS read client hello</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> SSLv3/TLS write server hello</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> SSLv3/TLS write change cipher spec</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> TLSv1.3 write encrypted extensions</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> SSLv3/TLS write certificate</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> TLSv1.3 write server certificate verify</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> SSLv3/TLS write finished</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1:</div>
<div>>> TLSv1.3 early data</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> TLSv1.3 early data</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> TLSv1.3 early data</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> TLSv1.3 early data</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> TLSv1.3 early data</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL
alert: where=0x4004,</div>
<div>>> ret=554: fatal bad certificate</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1:</div>
<div>>> error</div>
<div>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL
error: SSL_accept()</div>
<div>>> failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad</div>
<div>>> certificate: SSL alert number 42</div>
<div>>> Apr 8 18:10:19 firewall dovecot: imap-login:
Disconnected (no auth</div>
<div>>> attempts in 0 secs): user=<>, rip=000,
lip=00, TLS handshaking:</div>
<div>>> SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3</div>
<div>>> alert bad certificate: SSL alert number 42,
session=<---></div>
<div>>></div>
<div>>> reference</div>
<div>>> <a
href="http://forums.debian.net/viewtopic.php?f=5&t=145849"
rel="noopener" target="_blank" moz-do-not-send="true">http://forums.debian.net/viewtopic.php?f=5&t=145849</a></div>
<div>>> <<a
href="http://forums.debian.net/viewtopic.php?f=5&t=145849"
rel="noopener" target="_blank" moz-do-not-send="true">http://forums.debian.net/viewtopic.php?f=5&t=145849</a>></div>
<blockquote type="cite">
<div>You are missing intermediate certs from your certfile.
Put them after</div>
<div>cert in order towards root.</div>
<div><br>
</div>
<div>---</div>
<div>Aki Tuomi</div>
</blockquote>
</blockquote>
<div><br>
</div>
<div class="io-ox-signature">
<pre>---
Aki Tuomi</pre>
</div>
</blockquote>
</body>
</html>