My apologies if this is a repeat but my search of the archive did not turn it up in the recent past. If this has been covered just point me at the previous thread, please.

I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:

dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

The certificate was created by:

openssl req -new -x509 -days 365 -nodes -out /etc/ssl/certs/dovecot.pem -keyout /etc/ssl/private/dovecot.pem

The Dovecot version is 2.2.22 (fe789d2). The Ubuntu version is 16.04 LTS, current patches.

*Darryl Baker*
From: Darryl Baker <darryl.p.baker at gmail.com>
To: dovecot at dovecot.org
Sent: Friday, September 23, 2016 6:07 PM
Subject: Self-Signed Certificate issue

> I keep getting what I am interpreting as a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

That's because your client doesn't know about the certificate *issuer*, so it doesn't trust it (the certificate); it's not an *authority* (the A in CA). What you need to do is include the *issuer's* certificate in your server's. But even then, the issuer was yourself, and you are not trusted either on the client's side. So what you need to do is install the root certificate on the client's machine so that certificates signed with it are trusted. When the root cert is trusted on the client side, it will trust the intermediate (issuer) certificate because it was signed by it, and trust the server's certificate because it was signed by the intermediate (this is why it's called a certificate *chain*, which often has only one intermediate CA although many intermediates are possible).

So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
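The chain described in this reply, as an added example that is not code from the thread or from the Dovecot project: a POSIX shell script that builds a root CA, an intermediate CA and a server certificate with openssl, assembles the file Dovecot's ssl_cert should serve (leaf first, then the intermediate), and uses openssl verify to show that the server certificate validates only when the root is a trust anchor, which is exactly what the client lacks when it sends the "unknown ca" alert. The CA names and the host mail.example.test are placeholders.

```shell
#!/bin/sh
# Added example: ROOT CA -> INTERMEDIATE CA -> SERVER built with openssl, then
# verified with and without the root as trust anchor (the missing-root case is the
# client-side condition behind "tlsv1 alert unknown ca", alert 48).
# "Example Root CA", "Example Intermediate CA" and mail.example.test are placeholders.
set -eu
HOST=${HOST:-mail.example.test}
# build_chain DIR: writes root.pem, inter.pem, server.pem, server.key and chain.pem
# (leaf followed by intermediate, the file Dovecot's ssl_cert = <... should point to).
build_chain() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$HOST" >"$dir/server.ext"
  # Root CA: a CSR signed with its own key (self-signed), marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  # Server certificate: signed by the intermediate, SAN = the IMAP/POP3 hostname.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
  cat "$dir/server.pem" "$dir/inter.pem" >"$dir/chain.pem"
}
# verify_with_root DIR: succeeds when root.pem is the trust anchor, i.e. what a
# client that has the root installed does with the served chain.
verify_with_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null 2>&1
}
# verify_without_root DIR: succeeds when verification FAILS with an empty trust
# store; the intermediate alone cannot make the server certificate trusted.
verify_without_root() {
  ! openssl verify -no-CAfile -no-CApath -untrusted "$1/inter.pem" "$1/server.pem" >/dev/null 2>&1
}
main() {
  dir=$(mktemp -d)
  build_chain "$dir"
  verify_with_root "$dir" && echo "root trusted: server.pem OK"
  verify_without_root "$dir" && echo "root not trusted: verification fails (client would send alert 48)"
  echo "serve: $dir/chain.pem + $dir/server.key; install on clients: $dir/root.pem"
}
main
```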
Building a new certificate as described in a previous email worked.

*Darryl Baker*

On Sun, Sep 25, 2016 at 5:19 AM, chaouche yacine <yacinechaouche at yahoo.com> wrote:
> *From:* Darryl Baker <darryl.p.baker at gmail.com>
> *To:* dovecot at dovecot.org
> *Sent:* Friday, September 23, 2016 6:07 PM
> *Subject:* Self-Signed Certificate issue
>
> I keep getting what I am interpreting as a missing CA cert. The message is:
>
> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
> That's because your client doesn't know about the certificate *issuer*, so it doesn't trust it (the certificate); it's not an *authority* (the A in CA). What you need to do is include the *issuer's* certificate in your server's. But even then, the issuer was yourself, and you are not trusted either on the client's side. So what you need to do is install the root certificate on the client's machine so that certificates signed with it are trusted. When the root cert is trusted on the client side, it will trust the intermediate (issuer) certificate because it was signed by it, and trust the server's certificate because it was signed by the intermediate (this is why it's called a certificate *chain*, which often has only one intermediate CA although many intermediates are possible).
>
> So it's ROOT CA CERT >>signs>> INTERMEDIATE CA CERT >>signs>> SERVER CERT
On 24/09/16 03:07, Darryl Baker wrote:
> I am running a small email site which I am moving from uw-imapd and Solaris to Ubuntu and Dovecot imaps and pop3s. I am trying to use a self-signed certificate for this site. I am using Thunderbird as the test client. I've tried both the pre-built snakeoil certificate and building a special one for dovecot. In /var/log/mail.err I keep getting what I am interpreting as a missing CA cert. The message is:

Why? You can get a "proper" certificate with Letsencrypt and never have to worry about all the issues with self-signed certificates ever again!

Kind Regards
AndrewM