Hello Folks,

my StartCom SSL certificate expires soon and so I wanted to switch to Let's Encrypt certificates instead. Unfortunately Thunderbird seems not to like it, although all (tested) other clients work without any problems.

When I connect with Thunderbird it sends an "Encrypted Alert" directly after the TLS handshake although Dovecot wants to continue the session.

In the Dovecot log it says:

Feb 17 17:27:17 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [82.100.242.26]
Feb 17 17:27:17 imap-login: Warning: SSL alert: where=0x4004, ret=554: fatal bad certificate [82.100.242.26]

But the certificate is okay, because it works with other mail clients and openssl also says so. What certificate is Thunderbird complaining about?

Thunderbird says something like "There's no supported authentication method". I don't use any certificates for client authentication, neither in Dovecot nor in Thunderbird. When I do, it fails the same way.

Weirdly my friend uses the same Dovecot version with Let's Encrypt on his server and it works with Thunderbird without any flaws. Mine fails the same way in his Thunderbird and also in a fresh installation.

After two weeks of investigating I still have no clue why it behaves like this.

I uploaded two Wireshark trace files, further logs and dovecot -n; maybe someone sees any possible reasons for this weird behavior or has any further tips on solving this issue.
https://sebode-online.de/dovecot-letsencrypt/

Every hint is highly appreciated!

Best Regards
Bastian

-- 
Bastian Sebode
Fachinformatiker Systemintegration

LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig
Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de

LINET on social networks: www.twitter.com/linetservices | www.facebook.com/linetservices
Worth knowing from the IT world: www.linet-services.de/blog/

Management: Timo Springmann, Mirko Savic and Moritz Bunkus
Commercial register HR B 9170, Amtsgericht Braunschweig
VAT ID DE 259 526 516
Hello,

I had the same problem. LE is not in the CA list.

Best Regards,

On 17.02.2017 17:58, Bastian Sebode wrote:
> [...]
On 2/17/17 8:58 AM, Bastian Sebode wrote:
> I uploaded two Wireshark trace files, further logs and dovecot -n

Looking at your dovecot -n, you're using two different files here:

ssl_cert = </etc/ssl/sebode-online.de/chain.pem
ssl_key = </etc/ssl/sebode-online.de/key.pem

Are you sure these two files match, and contain the right things in the right order?

We use a single PEM file as input for both of these parameters, and that PEM file contains, in this order:

-----BEGIN RSA PRIVATE KEY-----
...
-----BEGIN CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----
...

where the first BEGIN CERTIFICATE is the specific hostname one, and the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate certificate that ends with "DNFu0Qg==".

You're also manually specifying these non-default parameters:

ssl_cipher_list = ...
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3

For testing, I would simplify. Does it work without any of those three things set?

-- 
Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
Hey Robert,

thanks for your reply.

On 17.02.2017 at 19:28, Robert L Mathews wrote:
> Looking at your dovecot -n, you're using two different files here:
>
> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
> ssl_key = </etc/ssl/sebode-online.de/key.pem
>
> Are you sure these two files match, and contain the right things in the
> right order?

Yes, unfortunately I'm sure that everything has the right order. As you can see in the trace, both certificates (mine and the intermediate) get transferred to the client on connection.

> We use a single PEM file as input for both of these parameters, and that
> PEM file contains, in this order:
>
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----BEGIN CERTIFICATE-----
> ...
> -----BEGIN CERTIFICATE-----
>
> ... where the first BEGIN CERTIFICATE is the specific hostname one, and
> the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate
> certificate that ends with "DNFu0Qg==".

Tried that, but without success. But your usage doesn't seem right to me. The parameters are not called ssl_cert and ssl_key for nothing. ;-) Normally you don't want your private key to have any other permissions than 600.

> You're also manually specifying these non-default parameters:
>
> ssl_cipher_list = ...
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3
>
> For testing, I would simplify. Does it work without any of those three
> things set?

Tried this before. I set all SSL specific settings exactly like my friend where it works without a problem. But it doesn't work for me.

Thanks anyway for your effort!
Bastian
Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it?

Bastian, are you using an old version of Thunderbird? Googling for "SSL alert number 42" gave me two results indicating a bug in Thunderbird versions 31, 32 and 33. You can check these links if you wish:

* http://www.dovecot.org/list/dovecot/2014-July/097133.html
* http://unix.stackexchange.com/questions/123367/thunderbird-fails-to-connect-to-dovecot-and-postfix

-- 
Yassine

On Friday, February 17, 2017 7:29 PM, Robert L Mathews <lists at tigertech.com> wrote:
> [...]
On 2017-02-17 (09:58 MST), Bastian Sebode <b.sebode at linet-services.de> wrote:
>
> Weirdly my friend uses the same Dovecot Version with Let's Encrypt on
> his Server and it works with Thunderbird without any flaws. Mine fails
> the same way in his Thunderbird and also in a fresh installation.

Well, at least you've narrowed the fault down to Thunderbird. Are you using TB through a proxy? Do you have a corporate LAN or an anti-virus that is behaving as a man-in-the-middle (anything that claims to protect your web browsing)? Have you tried from a different connection? Maybe on a different machine with "identical" settings?

Usually errors like these indicate you are not getting the secured connection you think you are.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
On 2017-02-17 (11:28 MST), Robert L Mathews <lists at tigertech.com> wrote:
>
> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
> ssl_key = </etc/ssl/sebode-online.de/key.pem

ssl_cert = </usr/local/etc/dehydrated/certs/[domain]/fullchain.pem
ssl_key = </usr/local/etc/dehydrated/certs/[domain]/privkey.pem

Seems to work just fine for me.

> You're also manually specifying these non-default parameters:
>
> ssl_cipher_list = ...
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3
>
> For testing, I would simplify. Does it work without any of those three
> things set?

ssl_protocols = !SSLv2 !SSLv3 is a sensible setting (and should be the default), as no one should still be supporting SSLv2 or SSLv3. I do not have the other settings.

-- 
Apple broke AppleScripting signatures in Mail.app, so no random signatures.
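A small check script for the questions raised above: whether the file behind ssl_key really belongs to the leaf certificate in the ssl_cert file, whether that file is ordered leaf first with each certificate issued by the next one, and whether a private key block ended up in the certificate file at all. This is an added example, not code from the thread or from Dovecot; it assumes only that openssl(1) is installed, and the file paths in the usage line are placeholders.

```shell
#!/bin/sh
# Sanity checks for the two files Dovecot reads via ssl_cert and ssl_key.
# Constructed example, not code from the thread or from Dovecot; needs only openssl(1).
# Every function exits 0 when the check passes and 1 when it fails.

# Does the private key belong to the first (leaf) certificate in the chain file?
# Both sides are rendered as PEM SubjectPublicKeyInfo, so RSA and EC keys both work.
key_matches_leaf() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Is the chain in the order the server must send it: leaf first, then the
# intermediate(s), each certificate's issuer being the subject of the next one?
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
      | openssl pkcs7 -print_certs -noout 2>/dev/null \
      | awk 'BEGIN { n = 0 }
             /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
             /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
             END {
                 if (n == 0) exit 1                 # no certificate parsed at all
                 for (i = 0; i + 1 < n; i++)
                     if (iss[i] != subj[i + 1]) exit 1
                 exit 0
             }'
}

# The certificate file should hold certificates only; the key belongs in the
# (mode 0600) file given to ssl_key.
no_key_in_cert_file() {
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# Usage: sh check_dovecot_tls.sh /path/to/chain.pem /path/to/key.pem  (placeholder paths)
if [ $# -eq 2 ]; then
    no_key_in_cert_file "$1" && echo "ok: no private key block in $1" \
                              || echo "WARN: private key block found in $1"
    key_matches_leaf "$1" "$2" && echo "ok: ssl_key matches the leaf certificate" \
                               || echo "FAIL: ssl_key does not match the leaf certificate"
    chain_in_order "$1" && echo "ok: chain is leaf first, each issued by the next" \
                        || echo "FAIL: chain out of order or unreadable"
fi
```

Run it against the same two paths that appear in dovecot -n; a FAIL from the second or third check is exactly the kind of mismatch a client reports back as a fatal "bad certificate" alert.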
Hello Basti.

Maybe you tried LE too early when it was not universally accepted as a trusted CA?

On Monday, February 20, 2017 2:22 PM, basti <basti at unix-solution.de> wrote:

> Hello,
>
> I had the same problem. LE is not in the CA list.
>
> Best Regards,
>
> On 17.02.2017 17:58, Bastian Sebode wrote:
>> [...]