hanasaki at gmail.com
2020-Apr-30 11:49 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
Recently thunderbird and Dovecot IMAPS cannot agree on SSL however Evolution, on the exact same system, is working fine with the same accounts. Tried recreating the Dovecot cert and also the thunderbird accounts from scratch. The OpenSSL raw client works fine as well. Would someone also confirm the openssl commands to create a selfsigned cert for dovecot imaps. They cert created does work with evolution; just not thunderbird. Thoughts? Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<--> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write encrypted extensions Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 write server certificate verify Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: TLSv1.3 early data Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, ret=554: fatal bad certificate Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42 Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<---> reference http://forums.debian.net/viewtopic.php?f=5&t=145849
<!doctype html> <html><head> <meta charset="UTF-8"> </head><body><div><br></div><blockquote type="cite"><div>On 30/04/2020 14:49 <a href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a> <<a href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>> wrote:</div><div><br></div><div><br></div><div>Recently thunderbird and Dovecot IMAPS cannot agree on SSL however</div><div>Evolution, on the exact same system, is working fine with the same</div><div>accounts. Tried recreating the Dovecot cert and also the thunderbird</div><div>accounts from scratch. The OpenSSL raw client works fine as well.</div><div><br></div><div>Would someone also confirm the openssl commands to create a selfsigned</div><div>cert for dovecot imaps. They cert created does work with evolution;</div><div>just not thunderbird.</div><div><br></div><div>Thoughts?</div><div><br></div><div>Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()</div><div>failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad</div><div>certificate: SSL alert number 42</div><div>Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in</div><div>0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()</div><div>failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad</div><div>certificate: SSL alert number 42, session=<--></div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:</div><div>before SSL initialization</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>before SSL initialization</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>before SSL initialization</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>before SSL initialization</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>SSLv3/TLS read client hello</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>SSLv3/TLS write server hello</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>SSLv3/TLS write change cipher spec</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>TLSv1.3 write encrypted extensions</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>SSLv3/TLS write certificate</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>TLSv1.3 write server certificate verify</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>SSLv3/TLS write finished</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>TLSv1.3 early data</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>TLSv1.3 early data</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>TLSv1.3 early data</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>TLSv1.3 early data</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>TLSv1.3 early data</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,</div><div>ret=554: fatal bad certificate</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>error</div><div>Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()</div><div>failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad</div><div>certificate: SSL alert number 42</div><div>Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth</div><div>attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:</div><div>SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3</div><div>alert bad certificate: SSL alert number 42, session=<---></div><div><br></div><div>reference</div><div><a href="http://forums.debian.net/viewtopic.php?f=5&t=145849" rel="noopener" target="_blank">http://forums.debian.net/viewtopic.php?f=5&t=145849</a></div></blockquote><div><br></div><div>You are missing intermediate certs from your certfile. Put them after cert in order towards root.</div><div class="io-ox-signature"><pre>--- Aki Tuomi</pre></div></body></html>
hanasaki at gmail.com
2020-Apr-30 18:36 UTC
Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
Hello, This is a selfsigned cert. Both of the below methods were used. May I ask for 1. pointer to info setting up "intermediate certs" and where the certfile goes? The objective is to generate a self-signed cert and use it for just internal use with IMAPS dovecot. Separately, what are your thoughts as to why evolution works and thunderbird does not? Thank you, ==1 openssl genrsa -out key.pem 2048 openssl req -new -sha512 -key key.pem -out csr.csr openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out certificate.pem openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA" && echo ==2 openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout mykey.key -out mycert.pem On 4/30/20 8:11 AM, Aki Tuomi wrote:> >> On 30/04/2020 14:49 hanasaki at gmail.com <mailto:hanasaki at gmail.com> >> <hanasaki at gmail.com <mailto:hanasaki at gmail.com>> wrote: >> >> >> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however >> Evolution, on the exact same system, is working fine with the same >> accounts. Tried recreating the Dovecot cert and also the thunderbird >> accounts from scratch. The OpenSSL raw client works fine as well. >> >> Would someone also confirm the openssl commands to create a selfsigned >> cert for dovecot imaps. They cert created does work with evolution; >> just not thunderbird. >> >> Thoughts? >> >> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept() >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad >> certificate: SSL alert number 42 >> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts in >> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept() >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad >> certificate: SSL alert number 42, session=<--> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1: >> before SSL initialization >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> before SSL initialization >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> before SSL initialization >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> before SSL initialization >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> SSLv3/TLS read client hello >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> SSLv3/TLS write server hello >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> SSLv3/TLS write change cipher spec >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> TLSv1.3 write encrypted extensions >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> SSLv3/TLS write certificate >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> TLSv1.3 write server certificate verify >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> SSLv3/TLS write finished >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: >> TLSv1.3 early data >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> TLSv1.3 early data >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> TLSv1.3 early data >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> TLSv1.3 early data >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> TLSv1.3 early data >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004, >> ret=554: fatal bad certificate >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: >> error >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept() >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad >> certificate: SSL alert number 42 >> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth >> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking: >> SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 >> alert bad certificate: SSL alert number 42, session=<---> >> >> reference >> http://forums.debian.net/viewtopic.php?f=5&t=145849 >> <http://forums.debian.net/viewtopic.php?f=5&t=145849> > > You are missing intermediate certs from your certfile. Put them after > cert in order towards root. > > --- > Aki Tuomi >-------------- next part -------------- A non-text attachment was scrubbed... Name: hanasaki.vcf Type: text/x-vcard Size: 4 bytes Desc: not available URL: <https://dovecot.org/pipermail/dovecot/attachments/20200430/067816da/attachment-0001.vcf>
Reasonably Related Threads
- Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
- Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
- Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
- Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK
- How to make IMAPS SSL Cert for Dovecot that works with Thunderbird