Mark Stevens
2022-Sep-14 12:39 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
I just ran into something similar with the latest version of TB.
I updated our SSL cert for Dovecot but TB could not access my email over port 993.
I clicked on file then get new messages for all accounts. TB popped up a warning that the cert had an invalid/incorrect hostname and if I should allow the exception. I allowed the exception which worked and TB is fine now.
I only did this because my ssl cert is a wildcard for the domain but does not explicitly list the hostname.

Mark

On 9/14/2022 8:23 AM, Meikel wrote:
> Hello.
>
> On 14.09.2022 at 13:59, Christian Mack wrote:
>> Sounds to me, as if Thunderbird does not know the CA used to (self) sign
>> that server certificate.
>
> Following the documentation at
>
> https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
>
> I configured
>
> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
> ssl_key = </etc/letsencrypt/live/...../privkey.pem
>
> to my Let's Encrypt SSL certificates and did a restart of Dovecot and
> at least for one installation of Thunderbird it seems to work again
> now. For the other installations I need to check later at home, but
> the problem seems to be resolved.
>
> Regards,
>
> Meikel
Goetz Schultz
2022-Sep-14 12:50 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
Hi,

I had the same issue on TB102. Self-signed certificates rejected despite having the CA installed correctly as authority. Turns out that TB now wants extension "Subject Alt Names". Added that and all works now. Seems another Google pressed issue being introduced (my Chromium had same issues and rejected certs before I added SAN).

Thanks and regards

Goetz R Schultz

---------------->8----------------
Quis custodiet ipsos custodes?
 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML e-mail
 / \
----------------8<----------------

On 14/09/2022 13:39, Mark Stevens wrote:
> I just ran into something similar with the latest version of TB.
> I updated our SSL cert for Dovecot but TB could not access my email over
> port 993.
> I clicked on file then get new messages for all accounts. TB popped up a
> warning that the cert had an invalid/incorrect hostname and if I should
> allow the exception. I allowed the exception which worked and TB is fine
> now.
> I only did this because my ssl cert is a wildcard for the domain but
> does not explicitly list the hostname.
>
> Mark
>
> On 9/14/2022 8:23 AM, Meikel wrote:
>> Hello.
>>
>> On 14.09.2022 at 13:59, Christian Mack wrote:
>>> Sounds to me, as if Thunderbird does not know the CA used to (self) sign
>>> that server certificate.
>>
>> Following the documentation at
>>
>> https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
>>
>> I configured
>>
>> ssl_cert = </etc/letsencrypt/live/...../fullchain.pem
>> ssl_key = </etc/letsencrypt/live/...../privkey.pem
>>
>> to my Let's Encrypt SSL certificates and did a restart of Dovecot and
>> at least for one installation of Thunderbird it seems to work again
>> now. For the other installations I need to check later at home, but
>> the problem seems to be resolved.
>>
>> Regards,
>>
>> Meikel
>

---------------------------->8------------------------------
 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML e-mail
 / \
This message is transmitted on 100% recycled electrons.
---------------------------->8------------------------------
Unsigned message - no responsibility that content is not altered
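
Added example (not written by any poster in this thread): a Python sketch of the hostname check behind the two reports above, a certificate without Subject Alt Names and a wildcard certificate that does not cover the server name. It applies RFC 6125 matching to a dict in the layout of `ssl.SSLSocket.getpeercert()`; the function names and the example.org certificates are constructed for illustration.

```python
# Added example. Function names and sample certificates are constructed.

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 match: '*' only as the whole left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # Conservative choice made here: refuse a wildcard such as '*.org'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_server_name(cert: dict, host: str) -> str:
    """Classify `cert` for `host` the way a SAN-only client would.

    Returns "ok", "cn-only" (name present only in Subject CN, so a
    SAN entry has to be added) or "mismatch".
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if any(_dns_match(s, host) for s in sans):
        return "ok"
    # RFC 6125: the CN is only a fallback when no dNSName SAN exists at all.
    if not sans and any(_dns_match(c, host) for c in cns):
        return "cn-only"
    return "mismatch"


# Constructed sample certificates in getpeercert() layout.
SELF_SIGNED_NO_SAN = {"subject": ((("commonName", "mail.example.org"),),)}
WILDCARD_ONLY = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}

if __name__ == "__main__":
    for cert, host in [
        (SELF_SIGNED_NO_SAN, "mail.example.org"),
        (WILDCARD_ONLY, "mail.example.org"),
        (WILDCARD_ONLY, "imap.mail.example.org"),
        (WILDCARD_ONLY, "example.org"),
    ]:
        print(f"{host:24} {check_server_name(cert, host)}")
```

On a live server the same dict comes from `getpeercert()` on a verified `ssl` socket connected to port 993; a "cn-only" or "mismatch" result means the certificate should be reissued with the right SAN entries rather than accepted through a client-side exception.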
PGNet Dev
2022-Sep-14 12:57 UTC
Thunderbird can't connect to Dovecot (bad certificate: SSL alert number 42)
> cert had an invalid/incorrect hostname

fyi,

https://kb.mozillazine.org/Files_and_folders_in_the_profile_-_Thunderbird

...
cert_override.txt
This is an optional file used to store a security exception. It appears to store the host name, thus preventing you from creating a security exception for a rotating SMTP server.
...

for ref, Firefox:

How to audit & reset the list of trusted servers/CAs
https://access.redhat.com/solutions/1549043