dovecot - May 2020 - Dovecot IMAPS : Thunderbird SSL cert issue / Evolution OK

Hello,

This is a selfsigned cert.  Both of the below methods were used.

May I ask for 1. pointer to info setting up "intermediate certs" and 
where the certfile goes?

The objective is to generate a self-signed cert and use it for just 
internal use with IMAPS dovecot.

Separately, what are your thoughts as to why evolution works and 
thunderbird does not?

Thank you,

==1 

openssl genrsa -out key.pem 2048 

openssl req -new -sha512 -key key.pem -out csr.csr 

openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out 
certificate.pem
openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA"
&& echo

==2
openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout 
mykey.key -out mycert.pem


On 4/30/20 8:11 AM, Aki Tuomi wrote:
> 
>> On 30/04/2020 14:49 hanasaki at gmail.com <mailto:hanasaki at
gmail.com>
>> <hanasaki at gmail.com <mailto:hanasaki at gmail.com>>
wrote:
>>
>>
>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
>> Evolution, on the exact same system, is working fine with the same
>> accounts. Tried recreating the Dovecot cert and also the thunderbird
>> accounts from scratch. The OpenSSL raw client works fine as well.
>>
>> Would someone also confirm the openssl commands to create a selfsigned
>> cert for dovecot imaps. They cert created does work with evolution;
>> just not thunderbird.
>>
>> Thoughts?
>>
>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth attempts
in
>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42, session=<-->
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> before SSL initialization
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS read client hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write server hello
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write change cipher spec
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write encrypted extensions
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 write server certificate verify
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> SSLv3/TLS write finished
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001, ret=1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> TLSv1.3 early data
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert: where=0x4004,
>> ret=554: fatal bad certificate
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:
>> error
>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error: SSL_accept()
>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>> certificate: SSL alert number 42
>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
>> attempts in 0 secs): user=<>, rip=000, lip=00, TLS handshaking:
>> SSL_accept() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
>> alert bad certificate: SSL alert number 42, session=<--->
>>
>> reference
>> http://forums.debian.net/viewtopic.php?f=5&t=145849 
>> <http://forums.debian.net/viewtopic.php?f=5&t=145849>
> 
> You are missing intermediate certs from your certfile. Put them after 
> cert in order towards root.
> 
> ---
> Aki Tuomi
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hanasaki.vcf
Type: text/x-vcard
Size: 4 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200430/067816da/attachment-0001.vcf>

<!doctype html>
<html><head>
    <meta charset="UTF-8">
</head><body><div>I see. You need to import the cert into
thundebird's trusted ca
certs.</div><div><br></div><div>Aki</div><blockquote
type="cite"><div>On 30/04/2020 21:36 <a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>
<<a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>>
wrote:</div><div><br></div><div><br></div><div>Hello,</div><div><br></div><div>This
is a selfsigned cert. Both of the below methods were
used.</div><div><br></div><div>May I ask for 1.
pointer to info setting up "intermediate certs"
and</div><div>where the certfile
goes?</div><div><br></div><div>The objective is to
generate a self-signed cert and use it for just</div><div>internal
use with IMAPS
dovecot.</div><div><br></div><div>Separately, what
are your thoughts as to why evolution works
and</div><div>thunderbird does
not?</div><div><br></div><div>Thank
you,</div><div><br></div><div>==1</div><div><br></div><div>openssl
genrsa -out key.pem
2048</div><div><br></div><div>openssl req -new
-sha512 -key key.pem -out
csr.csr</div><div><br></div><div>openssl req -x509
-sha512 -days 365 -key key.pem -in csr.csr
-out</div><div>certificate.pem</div><div>openssl req -in
csr.csr -text -noout | grep -i "Signature.*SHA" &&
echo</div><div><br></div><div>==2</div><div>openssl
req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes
-keyout</div><div>mykey.key -out
mycert.pem</div><div><br></div><div><br></div><div>On
4/30/20 8:11 AM, Aki Tuomi wrote:</div><blockquote
type="cite"><blockquote type="cite"><div>On
30/04/2020 14:49 <a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>
<mailto:<a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>></div><div><<a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>
<mailto:<a
href="mailto:hanasaki@gmail.com">hanasaki@gmail.com</a>>>
wrote:</div></blockquote></blockquote><div>>></div><div>>>
Recently thunderbird and Dovecot IMAPS cannot agree on SSL
however</div><div>>> Evolution, on the exact same system, is
working fine with the same</div><div>>> accounts. Tried
recreating the Dovecot cert and also the
thunderbird</div><div>>> accounts from scratch. The OpenSSL
raw client works fine as
well.</div><div>>></div><div>>> Would
someone also confirm the openssl commands to create a
selfsigned</div><div>>> cert for dovecot imaps. They cert
created does work with evolution;</div><div>>> just not
thunderbird.</div><div>>></div><div>>>
Thoughts?</div><div>>></div><div>>> Apr 8
18:10:18 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()</div><div>>> failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3 alert bad</div><div>>>
certificate: SSL alert number 42</div><div>>> Apr 8 18:10:18
hh dovecot: imap-login: Disconnected (no auth attempts
in</div><div>>> 0 secs): user=<>, rip=000, lip=0000 TLS
handshaking: SSL_accept()</div><div>>> failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert
bad</div><div>>> certificate: SSL alert number 42,
session=<--></div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x10, ret=1:</div><div>>> before
SSL initialization</div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>>>
before SSL initialization</div><div>>> Apr 8 18:10:19 hh
dovecot: imap-login: Debug: SSL: where=0x2002,
ret=-1:</div><div>>> before SSL
initialization</div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>>>
before SSL initialization</div><div>>> Apr 8 18:10:19 hh
dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:</div><div>>> SSLv3/TLS read client
hello</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2001, ret=1:</div><div>>> SSLv3/TLS write
server hello</div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>>>
SSLv3/TLS write change cipher spec</div><div>>> Apr 8 18:10:19
hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:</div><div>>> TLSv1.3 write encrypted
extensions</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2001, ret=1:</div><div>>> SSLv3/TLS write
certificate</div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x2001, ret=1:</div><div>>>
TLSv1.3 write server certificate verify</div><div>>> Apr 8
18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:</div><div>>> SSLv3/TLS write
finished</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2001, ret=1:</div><div>>> TLSv1.3 early
data</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2002, ret=-1:</div><div>>> TLSv1.3 early
data</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2002, ret=-1:</div><div>>> TLSv1.3 early
data</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2002, ret=-1:</div><div>>> TLSv1.3 early
data</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL: where=0x2002, ret=-1:</div><div>>> TLSv1.3 early
data</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL alert: where=0x4004,</div><div>>> ret=554: fatal
bad certificate</div><div>>> Apr 8 18:10:19 hh dovecot:
imap-login: Debug: SSL: where=0x2002, ret=-1:</div><div>>>
error</div><div>>> Apr 8 18:10:19 hh dovecot: imap-login:
Debug: SSL error: SSL_accept()</div><div>>> failed:
error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert
bad</div><div>>> certificate: SSL alert number
42</div><div>>> Apr 8 18:10:19 firewall dovecot: imap-login:
Disconnected (no auth</div><div>>> attempts in 0 secs):
user=<>, rip=000, lip=00, TLS handshaking:</div><div>>>
SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3</div><div>>> alert bad
certificate: SSL alert number 42,
session=<---></div><div>>></div><div>>>
reference</div><div>>> <a
href="http://forums.debian.net/viewtopic.php?f=5&t=145849"
rel="noopener"
target="_blank">http://forums.debian.net/viewtopic.php?f=5&t=145849</a></div><div>>>
<<a
href="http://forums.debian.net/viewtopic.php?f=5&t=145849"
rel="noopener"
target="_blank">http://forums.debian.net/viewtopic.php?f=5&t=145849</a>></div><blockquote
type="cite"><div>You are missing intermediate certs from your
certfile. Put them after</div><div>cert in order towards
root.</div><div><br></div><div>---</div><div>Aki
Tuomi</div></blockquote></blockquote><div><br></div><div
class="io-ox-signature"><pre>---
Aki Tuomi</pre></div></body></html>
 

For internal use I've installed the private CA cert on whatever clients 
I'm using (Thunderbird, browsers). That way you don't need to make 
exceptions every time a certificate changes.

Good luck,
Reio

On 30.04.2020 21:36, hanasaki at gmail.com wrote:
> Hello,
>
> This is a selfsigned cert.? Both of the below methods were used.
>
> May I ask for 1. pointer to info setting up "intermediate certs"
and
> where the certfile goes?
>
> The objective is to generate a self-signed cert and use it for just 
> internal use with IMAPS dovecot.
>
> Separately, what are your thoughts as to why evolution works and 
> thunderbird does not?
>
> Thank you,
>
> ==1
> openssl genrsa -out key.pem 2048
> openssl req -new -sha512 -key key.pem -out csr.csr
> openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out 
> certificate.pem
> openssl req -in csr.csr -text -noout | grep -i "Signature.*SHA"
&& echo
>
> ==2
> openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout 
> mykey.key -out mycert.pem
>
>
> On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>
>>> On 30/04/2020 14:49 hanasaki at gmail.com <mailto:hanasaki at
gmail.com>
>>> <hanasaki at gmail.com <mailto:hanasaki at gmail.com>>
wrote:
>>>
>>>
>>> Recently thunderbird and Dovecot IMAPS cannot agree on SSL however
>>> Evolution, on the exact same system, is working fine with the same
>>> accounts. Tried recreating the Dovecot cert and also the
thunderbird
>>> accounts from scratch. The OpenSSL raw client works fine as well.
>>>
>>> Would someone also confirm the openssl commands to create a
selfsigned
>>> cert for dovecot imaps. They cert created does work with evolution;
>>> just not thunderbird.
>>>
>>> Thoughts?
>>>
>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42
>>> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth 
>>> attempts in
>>> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking:
SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42, session=<-->
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10,
ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> before SSL initialization
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> SSLv3/TLS read client hello
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> SSLv3/TLS write server hello
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> SSLv3/TLS write change cipher spec
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> TLSv1.3 write encrypted extensions
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> SSLv3/TLS write certificate
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> TLSv1.3 write server certificate verify
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> SSLv3/TLS write finished
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2001,
ret=1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> TLSv1.3 early data
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert:
where=0x4004,
>>> ret=554: fatal bad certificate
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x2002, 
>>> ret=-1:
>>> error
>>> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42
>>> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no auth
>>> attempts in 0 secs): user=<>, rip=000, lip=00, TLS
handshaking:
>>> SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3
>>> alert bad certificate: SSL alert number 42, session=<--->
>>>
>>> reference
>>> http://forums.debian.net/viewtopic.php?f=5&t=145849 
>>> <http://forums.debian.net/viewtopic.php?f=5&t=145849>
>>
>> You are missing intermediate certs from your certfile. Put them after 
>> cert in order towards root.
>>
>> ---
>> Aki Tuomi
>>

I would expect the public cert to be imported as a "server" not an
"auth"

The attached image shows that TBird wants an httpS url for a webserver, 
for the source.

Ages ago, I think it prompted for "do you want to trust this new cert"
and YES added it (assuming that is the public key) to the server list.? 
A bit confused by this.

<see attached thunderbird image>

On 4/30/20 2:41 PM, Aki Tuomi wrote:
> I see. You need to import the cert into thundebird's trusted ca certs.
>
> Aki
>> On 30/04/2020 21:36 hanasaki at gmail.com <mailto:hanasaki at
gmail.com>
>> <hanasaki at gmail.com <mailto:hanasaki at gmail.com>>
wrote:
>>
>>
>> Hello,
>>
>> This is a selfsigned cert. Both of the below methods were used.
>>
>> May I ask for 1. pointer to info setting up "intermediate
certs" and
>> where the certfile goes?
>>
>> The objective is to generate a self-signed cert and use it for just
>> internal use with IMAPS dovecot.
>>
>> Separately, what are your thoughts as to why evolution works and
>> thunderbird does not?
>>
>> Thank you,
>>
>> ==1
>>
>> openssl genrsa -out key.pem 2048
>>
>> openssl req -new -sha512 -key key.pem -out csr.csr
>>
>> openssl req -x509 -sha512 -days 365 -key key.pem -in csr.csr -out
>> certificate.pem
>> openssl req -in csr.csr -text -noout | grep -i
"Signature.*SHA" && echo
>>
>> ==2
>> openssl req -newkey rsa:4096 -sha512 -x509 -days 365 -nodes -keyout
>> mykey.key -out mycert.pem
>>
>>
>> On 4/30/20 8:11 AM, Aki Tuomi wrote:
>>>> On 30/04/2020 14:49 hanasaki at gmail.com <mailto:hanasaki
at gmail.com>
>>>> <mailto:hanasaki at gmail.com <mailto:hanasaki at
gmail.com>>
>>>> <hanasaki at gmail.com <mailto:hanasaki at gmail.com> 
>>>> <mailto:hanasaki at gmail.com <mailto:hanasaki at
gmail.com>>> wrote:
>> >>
>> >> Recently thunderbird and Dovecot IMAPS cannot agree on SSL
however
>> >> Evolution, on the exact same system, is working fine with the
same
>> >> accounts. Tried recreating the Dovecot cert and also the
thunderbird
>> >> accounts from scratch. The OpenSSL raw client works fine as
well.
>> >>
>> >> Would someone also confirm the openssl commands to create a
selfsigned
>> >> cert for dovecot imaps. They cert created does work with
evolution;
>> >> just not thunderbird.
>> >>
>> >> Thoughts?
>> >>
>> >> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>> >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
alert bad
>> >> certificate: SSL alert number 42
>> >> Apr 8 18:10:18 hh dovecot: imap-login: Disconnected (no auth 
>> attempts in
>> >> 0 secs): user=<>, rip=000, lip=0000 TLS handshaking:
SSL_accept()
>> >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
alert bad
>> >> certificate: SSL alert number 42, session=<-->
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL: where=0x10,
ret=1:
>> >> before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> before SSL initialization
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> SSLv3/TLS read client hello
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> SSLv3/TLS write server hello
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> SSLv3/TLS write change cipher spec
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> TLSv1.3 write encrypted extensions
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> SSLv3/TLS write certificate
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> TLSv1.3 write server certificate verify
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> SSLv3/TLS write finished
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2001,
>> ret=1:
>> >> TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> TLSv1.3 early data
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL alert:
where=0x4004,
>> >> ret=554: fatal bad certificate
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL:
where=0x2002,
>> ret=-1:
>> >> error
>> >> Apr 8 18:10:19 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>> >> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3
alert bad
>> >> certificate: SSL alert number 42
>> >> Apr 8 18:10:19 firewall dovecot: imap-login: Disconnected (no
auth
>> >> attempts in 0 secs): user=<>, rip=000, lip=00, TLS
handshaking:
>> >> SSL_accept() failed: error:14094412:SSL
routines:ssl3_read_bytes:sslv3
>> >> alert bad certificate: SSL alert number 42,
session=<--->
>> >>
>> >> reference
>> >> http://forums.debian.net/viewtopic.php?f=5&t=145849 
>> <http://forums.debian.net/viewtopic.php?f=5&t=145849>
>> >> <http://forums.debian.net/viewtopic.php?f=5&t=145849 
>> <http://forums.debian.net/viewtopic.php?f=5&t=145849>>
>>> You are missing intermediate certs from your certfile. Put them
after
>>> cert in order towards root.
>>>
>>> ---
>>> Aki Tuomi
>
> ---
> Aki Tuomi
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200430/d79c444a/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pepknmbpelacdlkn.png
Type: image/png
Size: 45253 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200430/d79c444a/attachment-0001.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hanasaki.vcf
Type: text/x-vcard
Size: 4 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200430/d79c444a/attachment-0001.vcf>

On Thu, 30 Apr 2020, hanasaki at gmail.com wrote:
>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad
>>> certificate: SSL alert number 42
According to this

 
https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s

this error comes about when you specify the client must authenticate with
their own certificate.  If your Dveocot setup is working with Evolution, have
you ported the client certificate to the Thunderbird setup?

Joseph Tam <jtam.home at gmail.com>

Evolution prompted to accept the cert; which I did.
Thunderbird used to prompt and allow acceptance; it no longer does... 
well sorta does.  See my other posting for a screenshot where it shows
"add server location https:// ...." HTTPS .  no way to add from SMTP. 
Have also tried typing smtp://host:25  and https://host:25

On 4/30/20 5:39 PM, Joseph Tam wrote:
> On Thu, 30 Apr 2020, hanasaki at gmail.com wrote:
> 
>>>> Apr 8 18:10:18 hh dovecot: imap-login: Debug: SSL error:
SSL_accept()
>>>> failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert
bad
>>>> certificate: SSL alert number 42
> 
> According to this
> 
> 
????https://serverfault.com/questions/806141/is-the-alert-ssl3-read-bytessslv3-alert-bad-certificate-indicating-that-the-s
> 
> this error comes about when you specify the client must authenticate with
> their own certificate.? If your Dveocot setup is working with Evolution, 
> have
> you ported the client certificate to the Thunderbird setup?
> 
> Joseph Tam <jtam.home at gmail.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hanasaki.vcf
Type: text/x-vcard
Size: 4 bytes
Desc: not available
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20200504/f4e5a3c9/attachment.vcf>