Hey Robert,

thanks for your reply.

On 17.02.2017 at 19:28, Robert L Mathews wrote:
> Looking at your dovecot -n, you're using two different files here:
>
> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
> ssl_key = </etc/ssl/sebode-online.de/key.pem
>
> Are you sure these two files match, and contain the right things in the
> right order?
>
Yes, unfortunately I'm sure that everything has the right order. As you
can see in the trace, both certificates (mine and the intermediate) get
transferred to the client on connection.

> We use a single PEM file as input for both of these parameters, and that
> PEM file contains, in this order:
>
> -----BEGIN RSA PRIVATE KEY-----
> ...
> -----BEGIN CERTIFICATE-----
> ...
> -----BEGIN CERTIFICATE-----
>
> ... where the first BEGIN CERTIFICATE is the specific hostname one, and
> the second BEGIN CERTIFICATE is the Let's Encrypt X3 intermediate
> certificate that ends with "DNFu0Qg==".
>
Tried that, but without success. But your usage doesn't seem right to
me. The parameters are not called ssl_cert and ssl_key for nothing. ;-)
Normally you don't want your private key to have any other permissions
than 600.

> You're also manually specifying these non-default parameters:
>
> ssl_cipher_list = ...
> ssl_prefer_server_ciphers = yes
> ssl_protocols = !SSLv2 !SSLv3
>
> For testing, I would simplify. Does it work without any of those three
> things set?
>
Tried this before. I set all SSL-specific settings exactly like my
friend, where it works without a problem. But it doesn't work for me.

Thanks anyway for your effort!
Bastian
--
Bastian Sebode
IT specialist, systems integration

LINET Services GmbH | Cyriaksring 10a | 38118 Braunschweig
Tel. 0531-180508-0 | Fax 0531-180508-29 | http://www.linet-services.de

LINET on social networks:
www.twitter.com/linetservices | www.facebook.com/linetservices
Worth knowing from the IT world: www.linet-services.de/blog/

Managing directors: Timo Springmann, Mirko Savic and Moritz Bunkus
Commercial register HR B 9170, Amtsgericht Braunschweig

VAT ID: DE 259 526 516
On 2017.02.17. 22:31, Bastian Sebode wrote:
> Hey Robert,
>
> thanks for your reply.
>
> On 17.02.2017 at 19:28, Robert L Mathews wrote:
>> Looking at your dovecot -n, you're using two different files here:
>>
>> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
>> ssl_key = </etc/ssl/sebode-online.de/key.pem
>>
Are you sure chain.pem contains your cert + intermediate? By default,
certbot's chain.pem includes only the intermediate certs, and if you
want everything, it's included in fullchain.

--
KSB
Usually with LE, the filename is fullchain.pem, not chain.pem.

Can you please double-check this?

Also, try

openssl s_client -connect hostname:143 -starttls imap

Aki

> On February 17, 2017 at 10:31 PM Bastian Sebode <b.sebode at linet-services.de> wrote:
>
> On 17.02.2017 at 19:28, Robert L Mathews wrote:
> > Looking at your dovecot -n, you're using two different files here:
> >
> > ssl_cert = </etc/ssl/sebode-online.de/chain.pem
> > ssl_key = </etc/ssl/sebode-online.de/key.pem
> >
> > Are you sure these two files match, and contain the right things in the
> > right order?
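One way to run the checks suggested above (Robert's "do the key and certificate match, and is the bundle in the right order", and Aki's s_client look at what the server actually sends), as an added example that is not code from this thread or from Dovecot. It assumes the openssl CLI is installed; the Dovecot file paths are placeholders, and the key/certificate pair it generates for the demo is constructed throwaway material.

```shell
#!/bin/sh
# Added example (not from the thread); needs the openssl CLI. Paths are placeholders.
set -eu
# Does the private key belong to the first certificate in the bundle? OpenSSL does
# the same public-key comparison when Dovecot loads ssl_key next to ssl_cert.
key_matches_cert() {  # $1 = key file, $2 = cert or bundle (leaf first)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Is the bundle leaf first, each certificate followed by its issuer (the layout of a
# fullchain.pem)? Fails when any issuer differs from the next certificate's subject.
chain_order_ok() {  # $1 = bundle; blocks before the first certificate (a key) are skipped
    tmp=$(mktemp -d); ok=0; i=1
    awk -v t="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (t "/" n ".pem")}' "$1"
    [ -f "$tmp/1.pem" ] || ok=1
    while [ -f "$tmp/$((i+1)).pem" ]; do
        iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$tmp/$i.pem" | sed 's/^[^=]*=//')
        sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$((i+1)).pem" | sed 's/^[^=]*=//')
        [ "$iss" = "$sub" ] || ok=1
        i=$((i+1))
    done
    rm -rf "$tmp"; return $ok
}

# What an IMAP client is actually sent on port 143 (Aki's s_client check; needs network).
show_served_chain() {  # $1 = host
    openssl s_client -connect "$1:143" -starttls imap -showcerts </dev/null 2>/dev/null |
        grep -E '^ *[0-9]+ s:|^ *i:|Verify return code'
}

# Constructed test material (a throwaway CA signing one leaf), not real certificates.
make_demo_pki() {  # $1 = output dir
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=Demo-CA -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=imap.example.invalid \
        -keyout "$1/key.pem" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/ca.pem" > "$1/fullchain.pem"  # correct: leaf, then issuer
    cat "$1/ca.pem" "$1/leaf.pem" > "$1/reversed.pem"   # wrong: issuer before leaf
}
if [ "${1-}" = demo ]; then  # sh check.sh demo
    demo=$(mktemp -d); make_demo_pki "$demo"
    key_matches_cert "$demo/key.pem" "$demo/fullchain.pem" && echo "key matches leaf"
    chain_order_ok "$demo/fullchain.pem" && echo "fullchain.pem: order ok"
    chain_order_ok "$demo/reversed.pem" || echo "reversed.pem: issuer before leaf"
    rm -rf "$demo"
fi
```

Both checks also accept Robert's single combined file, because `openssl x509` and the awk split skip the leading private-key block; a bundle whose first certificate is the intermediate fails `key_matches_cert` exactly the way Dovecot would at startup.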
Hey.

Thanks again for your help. I took the "dovecot -n" while the StartSSL
certificate was active, so the chain.pem was correct.

Finally I found the issue! :-) But I still have no idea why the problem
happens with Thunderbird.

I used dehydrated to fetch the certificates from Let's Encrypt and, as I
said, it works for most clients pretty well. (Tried: Mulberry, Claws
Mail, Outlook 2010, Android (HTC), iPhone, ...) Also, it works perfectly
with all my HTTPS services.

Whatever, Thunderbird didn't like that cert, saying "bad certificate"
(SSL alert 42). Now I fetched the cert with Certbot and it works. Really
strange though! I checked for any obvious differences between the
certificates and private keys, but couldn't find any. So my solution
will be to use certbot instead of dehydrated... :-/

Worst thing is that a Microsoft blog article
(https://blogs.msdn.microsoft.com/kaushal/2012/10/05/ssltls-alert-protocol-the-alert-codes/)
led me in the right direction.... ;-)

--
42 bad_certificate "There is a problem with the certificate, for
example, a certificate is corrupt, or a certificate contains signatures
that cannot be verified."
--

Peace
Bastian

On 17.02.2017 at 21:58, Aki Tuomi wrote:
> Usually with LE, the filename is fullchain.pem, not chain.pem.
>
> Can you please double-check this?
>
> Also, try
>
> openssl s_client -connect hostname:143 -starttls imap
>
> Aki
>
>> On February 17, 2017 at 10:31 PM Bastian Sebode <b.sebode at linet-services.de> wrote:
>>
>> Hey Robert,
>>
>> thanks for your reply.
>>
>> On 17.02.2017 at 19:28, Robert L Mathews wrote:
>>> Looking at your dovecot -n, you're using two different files here:
>>>
>>> ssl_cert = </etc/ssl/sebode-online.de/chain.pem
>>> ssl_key = </etc/ssl/sebode-online.de/key.pem
>>>
>>> Are you sure these two files match, and contain the right things in the
>>> right order?
>>>
>> Yes, unfortunately I'm sure that everything has the right order.