hanasaki at gmail.com
2020-May-25 15:52 UTC
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
s_client: Option unknown option -trace
***
x509: Unknown parameter text

On 5/25/20 11:49 AM, Aki Tuomi wrote:
> Hi!
>
> Can you do
>
> openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
>
> and check these things:
>
> your server hostname isn included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
>
> Also, can you provide output of
>
> openssl s_client -connect host:993 -trace
>
> Aki
>
>> On 25/05/2020 18:46 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>
>>
>> Hello Aki and all,
>>
>> The below lines are in the dovecot config file. This seems to be the
>> same as Aki's suggestion. correct? I have also double checked file
>> perms, tried with several new key gens, several versions of thunderbird
>> and created completely new thunderbird profiles.
>>
>> Thank you,
>>
>> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
>> ssl_key = </etc/letsencrypt/live/...../privkey.pem
>>
>>
>> On 5/25/20 11:11 AM, Aki Tuomi wrote:
>>> The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers *server* client untrusted.
>>>
>>> If you are using LE cert you should configure
>>>
>>> ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
>>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
>>>
>>> Aki
>>>
>>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>>>>
>>>>
>>>> From the config : auth_ssl_require_client_cert = no
>>>> GMail empty vcard ... I have no ideas . so sorry.
>>>>
>>>> Coding snippets. What can I provide for you that will help?
>>>> NOTE: it is pretty much the default config from Debian.
>>>>
>>>> Thank you,
>>>>
>>>> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>>>>>
>>>>> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
>>>>>> Config has
>>>>>> ssl_verify_client_cert = no
>>>>>> What options might have the client auth turned on?
>>>>>
>>>>> why does gmail attach empty vcard info ?
>>>>>
>>>>> without any config snippets it's hard to say what config error is local
>>>>>
>>>>> https://wiki.dovecot.org/SSL/DovecotConfiguration
>>>>>
>>>>> is it auth_ssl_require_client_cert = yes
>>>>>
>>>>> i don't use this auth features to make thunderbird work
Aki Tuomi
2020-May-25 15:55 UTC
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Sorry...

openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem

and

openssl s_client -connect host:993

Aki

> On 25/05/2020 18:52 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>
>
> s_client: Option unknown option -trace
> ***
> x509: Unknown parameter text
>
>
> On 5/25/20 11:49 AM, Aki Tuomi wrote:
> > Hi!
> >
> > Can you do
> >
> > openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
> >
> > and check these things:
> >
> > your server hostname isn included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
> >
> > Also, can you provide output of
> >
> > openssl s_client -connect host:993 -trace
> >
> > Aki
> >
> >> On 25/05/2020 18:46 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
> >>
> >>
> >> Hello Aki and all,
> >>
> >> The below lines are in the dovecot config file. This seems to be the
> >> same as Aki's suggestion. correct? I have also double checked file
> >> perms, tried with several new key gens, several versions of thunderbird
> >> and created completely new thunderbird profiles.
> >>
> >> Thank you,
> >>
> >> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
> >> ssl_key = </etc/letsencrypt/live/...../privkey.pem
> >>
> >>
> >> On 5/25/20 11:11 AM, Aki Tuomi wrote:
> >>> The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers *server* client untrusted.
> >>>
> >>> If you are using LE cert you should configure
> >>>
> >>> ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
> >>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
> >>>
> >>> Aki
> >>>
> >>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
> >>>>
> >>>>
> >>>> From the config : auth_ssl_require_client_cert = no
> >>>> GMail empty vcard ... I have no ideas . so sorry.
> >>>>
> >>>> Coding snippets. What can I provide for you that will help?
> >>>> NOTE: it is pretty much the default config from Debian.
> >>>>
> >>>> Thank you,
> >>>>
> >>>> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
> >>>>>
> >>>>> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
> >>>>>> Config has
> >>>>>> ssl_verify_client_cert = no
> >>>>>> What options might have the client auth turned on?
> >>>>>
> >>>>> why does gmail attach empty vcard info ?
> >>>>>
> >>>>> without any config snippets it's hard to say what config error is local
> >>>>>
> >>>>> https://wiki.dovecot.org/SSL/DovecotConfiguration
> >>>>>
> >>>>> is it auth_ssl_require_client_cert = yes
> >>>>>
> >>>>> i don't use this auth features to make thunderbird work
hanasaki at gmail.com
2020-May-27 02:22 UTC
How to make IMAPS SSL Cert for Dovecot that works with Thunderbird
Inline below

On 5/25/20 11:55 AM, Aki Tuomi wrote:
> Sorry...
>
> openssl x509 -text -noout -in /etc/letsencrypt/live/...../fullchain.pem

subject=CN = fullHostnameWith.com on the end
MUST-STAPLE <= not present nor 1.3.6....

>
> and
>
> openssl s_client -connect host:993

SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
...
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot (Debian) ready.
...
subject=CN = fullHostnameWith.com on the end
MUST-STAPLE <= not present nor 1.3.6....

>
> Aki
>
>> On 25/05/2020 18:52 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>
>>
>> s_client: Option unknown option -trace
>> ***
>> x509: Unknown parameter text
>>
>>
>> On 5/25/20 11:49 AM, Aki Tuomi wrote:
>>> Hi!
>>>
>>> Can you do
>>>
>>> openssl x509 text -noout </etc/letsencrypt/live/...../fullchain.pem
>>>
>>> and check these things:
>>>
>>> your server hostname isn included in SubjectAlternativeNames, and that the cert hasn't got MUST-STAPLE attribute? You can see this by looking for 1.3.6.1.5.5.7.1.24
>>>
>>> Also, can you provide output of
>>>
>>> openssl s_client -connect host:993 -trace
>>>
>>> Aki
>>>
>>>> On 25/05/2020 18:46 hanasaki at gmail.com <hanasaki at gmail.com> wrote:
>>>>
>>>>
>>>> Hello Aki and all,
>>>>
>>>> The below lines are in the dovecot config file. This seems to be the
>>>> same as Aki's suggestion. correct? I have also double checked file
>>>> perms, tried with several new key gens, several versions of thunderbird
>>>> and created completely new thunderbird profiles.
>>>>
>>>> Thank you,
>>>>
>>>> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
>>>> ssl_key = </etc/letsencrypt/live/...../privkey.pem
>>>>
>>>>
>>>> On 5/25/20 11:11 AM, Aki Tuomi wrote:
>>>>> The real reason is that you have misconfigured your cert. Alert 42 means that the *client* considers *server* client untrusted.
>>>>>
>>>>> If you are using LE cert you should configure
>>>>>
>>>>> ssl_cert=</etc/letsencrypt/live/domain/fullchain.pem
>>>>> ssl_key=</etc/letsencrypt/live/domain/privkey.pem
>>>>>
>>>>> Aki
>>>>>
>>>>>> On 25/05/2020 18:01 Hanasaki Jiji <hanasaki at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>> From the config : auth_ssl_require_client_cert = no
>>>>>> GMail empty vcard ... I have no ideas . so sorry.
>>>>>>
>>>>>> Coding snippets. What can I provide for you that will help?
>>>>>> NOTE: it is pretty much the default config from Debian.
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> On Sun, May 24, 2020 at 9:29 PM Benny Pedersen <me at junc.eu> wrote:
>>>>>>>
>>>>>>> On 2020-05-25 02:54, hanasaki at gmail.com wrote:
>>>>>>>> Config has
>>>>>>>> ssl_verify_client_cert = no
>>>>>>>> What options might have the client auth turned on?
>>>>>>>
>>>>>>> why does gmail attach empty vcard info ?
>>>>>>>
>>>>>>> without any config snippets it's hard to say what config error is local
>>>>>>>
>>>>>>> https://wiki.dovecot.org/SSL/DovecotConfiguration
>>>>>>>
>>>>>>> is it auth_ssl_require_client_cert = yes
>>>>>>>
>>>>>>> i don't use this auth features to make thunderbird work
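
The two certificate checks requested in this thread (server hostname present in SubjectAlternativeNames, no MUST-STAPLE / 1.3.6.1.5.5.7.1.24 extension), scripted as an added example that is not part of the original posts; it also handles wildcard SAN entries, which the thread does not discuss. The function name check_cert_text, its return codes and the example.com names are assumptions, and the sample certificate text is constructed.

```shell
#!/bin/sh
# Added example. Reads `openssl x509 -text -noout` output on stdin and checks:
#   (1) HOST is listed in Subject Alternative Name, (2) no must-staple extension.
# Returns 0 = both fine, 1 = HOST not in SAN, 2 = must-staple present.
check_cert_text() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    text=$(cat)
    # DNS entries sit on the line after the SAN header, comma-separated.
    sans=$(printf '%s\n' "$text" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr 'A-Z' 'a-z')
    match=no
    while IFS= read -r san; do
        case $san in
            "$host") match=yes ;;
            # A wildcard entry covers exactly one left-most label.
            \*.*) if [ "$host" != "${host#*.}" ] &&
                     [ "${host#*.}" = "${san#\*.}" ]; then match=yes; fi ;;
        esac
    done <<EOF
$sans
EOF
    # OpenSSL 1.1.0+ prints "TLS Feature: status_request"; older builds
    # show the raw OID 1.3.6.1.5.5.7.1.24 instead.
    if printf '%s\n' "$text" |
        grep -Eq 'status_request|1\.3\.6\.1\.5\.5\.7\.1\.24'; then
        staple=yes
    else
        staple=no
    fi
    echo "san_match=$match must_staple=$staple"
    [ "$match" = yes ] || return 1
    [ "$staple" = no ] || return 2
    return 0
}

# Constructed sample in the layout `openssl x509 -text -noout` prints.
SAMPLE_OK='        Subject: CN = mail.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:*.lists.example.com'
SAMPLE_STAPLE="$SAMPLE_OK
            TLS Feature:
                status_request"

printf '%s\n' "$SAMPLE_OK" | check_cert_text mail.example.com
# Against a real file (hostname is a placeholder):
#   openssl x509 -text -noout -in fullchain.pem | check_cert_text mail.example.com
```
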