> On 12/04/2021 17:13 Christopher Wensink <cwensink at five-star-plastics.com> wrote:
> 
>  
> Dovecot Team,
> 
> I need a little help. I came in this morning and it seems like the SSL 
> Certificates expired for dovecot (on an internal mail server) and nobody 
> can move email into their folders on this server. In Thunderbird they 
> just see in the status bar: HISTORY: checking mail server capabilities...
> 
> In /var/log/maillog:
> --------
> Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS: 
> SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 
> alert bad certificate: SSL alert number 42,
> session=<H5iu9sa/Me0KBQFV>
> 
> I have tried:
> 
> -Restarting Dovecot
> -Restarting the whole mail server
> -Re-creating the .pem files, first moving the old files in 
> /etc/pki/dovecot/certs and /etc/pki/dovecot/private from dovecot.pem to 
> dovecot-old.pem,
>    - Re-creating a new dovecot.pem using the mkcert.sh script in the doc 
> folder in /usr/share/doc/dovecot-2.2.36/,
>    - restarting dovecot
>    - changing the cert values in dovecot-openssl.cnf
> 
> I also tried creating new .crt and key files using this tutorial: 
> https://msol.io/blog/tech/create-a-self-signed-ssl-certificate-with-openssl/
> 
> 
> I need some assistance, thank you for your help.
> 
> Chris

Please use real certs if possible. Otherwise you need to install the used CA
certificate, or the self-signed certificate, to all the clients. Or reset the
exception there, and then tell all your users to redo the exception. Using real
certs is easier.

Aki
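
Added example, not part of the thread: the "SSL alert number 42" in the quoted maillog line is a TLS alert sent by the client, so the log itself shows which clients are rejecting the server certificate. The sketch below groups certificate-related alerts by client IP; the function name is hypothetical, every sample line except the first is constructed, and it assumes one log entry per line as syslog writes it.

```python
import re
from collections import defaultdict

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}

# Dovecot login-process disconnect with an OpenSSL read error carrying a peer alert.
LINE_RE = re.compile(
    r"dovecot: [\w-]+: Disconnected.*?rip=(?P<rip>[0-9a-fA-F.:]+),"
    r".*?SSL_read\(\) failed:.*?SSL alert number (?P<alert>\d+)"
)

def clients_rejecting_cert(log_text):
    """Return {client_ip: {alert_name: count}} for certificate-related alerts."""
    result = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # normal logins and unrelated lines
        alert = int(m.group("alert"))
        if alert in CERT_ALERTS:  # skip alerts unrelated to the certificate
            result[m.group("rip")][CERT_ALERTS[alert]] += 1
    return {ip: dict(counts) for ip, counts in result.items()}

# First line is the one quoted in the thread (unwrapped); the rest are constructed.
SAMPLE = """\
Apr 12 09:02:26 mario2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<H5iu9sa/Me0KBQFV>
Apr 12 09:02:41 mario2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.5.1.85, lip=10.5.1.17, TLS: SSL_read() failed: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate: SSL alert number 42, session=<CONSTRUCTED0001>
Apr 12 09:03:05 mario2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.5.1.86, lip=10.5.1.17, TLS: SSL_read() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<CONSTRUCTED0002>
Apr 12 09:03:30 mario2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.5.1.87, lip=10.5.1.17, TLS: SSL_read() failed: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version: SSL alert number 70, session=<CONSTRUCTED0003>
Apr 12 09:05:10 mario2 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.5.1.90, lip=10.5.1.17, mpid=1234, TLS, session=<CONSTRUCTED0004>
"""

if __name__ == "__main__":
    for ip, counts in sorted(clients_rejecting_cert(SAMPLE).items()):
        print(ip, counts)
```

Clients that still appear in this output after the certificate is replaced have not yet been given the new CA or self-signed certificate, or still hold the old exception.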