On 19/12/2024 14:46, Marc via dovecot wrote:
What is the best way to get rid of this message? I think clients start
generating after ssl crt update.

This usually means you forgot to use fullchain cert. This is coming from
clients telling you they don't like your certificate.

openssl s_client -connect xxxxxxxxx:143 -starttls imap

this returns
Verify return code: 0 (ok)

Should I test this differently?

Even if I check on the host directly
[@ certs]# openssl verify xxxxx.crt
/xxxx.crt: OK

Well, can't really say much since you're not really providing any details.

I don't seem to get any more details with verbose_ssl=yes. How can I
see what cert/ssl-config this could be? I still have some old configs,
maybe some clients use that.

Why not just look at your ssl_cert parameter in 10-ssl.conf and then
inspect the file it points to. Does it have a single certificate or more
than one?

I already did. Always annoying having everything in one file, and checking what
you need to change. Better is to have the chain separate so you only have to
update the crt file. Like e.g. in apache httpd.

This behaviour is deprecated in apache.

What do you have? More than one certificate? It is safe to post the certificate file, just not the key.

Are you expecting to need a chain/intermediate certificate?

I am expecting nothing :) I am just removing config issues that produce error
logs. Last few years clients are more picky about correct chains. As long as
letsencrypt is doing most encryption, what is the point of doing encryption at
all.

Let's Encrypt does not do encryption. It does SSL certificates. Other apps such as OpenSSL then use the LE certificate for encryption.

If you are using LE certs, have you checked file and folder permissions, especially of the keys?
Do you get any error or warning when you start dovecot?

It is a bit difficult as you are not really answering any questions with useful information.
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
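
Added example, not part of the thread and not Dovecot's own tooling: a shell check for the question asked above, whether the file that ssl_cert points to holds a single certificate or more than one, with the same count for what a server sends in its handshake. The function names, the file path and the host name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names, paths and host names are hypothetical.

# Number of PEM certificates in a file, e.g. the file ssl_cert points to.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Number of certificates a server sent, read from `openssl s_client` output
# on stdin: the "Certificate chain" section has one " N s:<subject>" line each.
count_sent_certs() {
    grep -c -E '^ *[0-9]+ s:' || true
}

# Turn a count into a verdict. One certificate means no intermediate is
# included, so clients have to find the intermediate on their own.
chain_verdict() {
    case "$1" in
        0|'') echo "no-certificate" ;;
        1)    echo "leaf-only" ;;
        *)    echo "leaf-plus-$(( $1 - 1 ))" ;;
    esac
}

# Subject and issuer of every certificate in a bundle, in file order.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage: sh chaincheck.sh /path/to/cert.pem [host [port]]
main() {
    n=$(count_pem_certs "$1")
    echo "file $1: $n certificate(s): $(chain_verdict "$n")"
    list_bundle "$1"
    if [ -n "${2:-}" ]; then
        s=$(openssl s_client -connect "$2:${3:-143}" -starttls imap \
                </dev/null 2>/dev/null | count_sent_certs)
        echo "server $2 sent $s certificate(s): $(chain_verdict "$s")"
    fi
}

[ "$#" -eq 0 ] || main "$@"
```

If several certificate files are configured, running the file check on each one shows which of them lacks the intermediate.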