Re: [openssl-users] alert number 46:
I installed letsencrypt and generated a certificate. Even with this
certificate, I got the same error.

The error went away when I changed the connection to "TLS" from "TLS
(Accept All Certificates)".

I wonder if the root problem was that the mail app on my phone won't
accept newer certificates unless it can validate them fully?

Simon

On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> <simon.d.matth...@gmail.com> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>>
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>>> 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>>> smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?
>>>>
>>>
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly. More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] Certificate expired on https://mta.openssl.org/
I am getting a certificate expired error on the above URL.

Simon
Re: [openssl-users] alert number 46:
On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> Hi,
>
> On 12/11/17 05:39, Simon Matthews wrote:
>>
>> I have generated a new certificate for my CentOS 6/postfix server, and
>> it seems to work with most clients, but when I try to send email using
>> tls from my Android device, it always fails.
>>
>> In my postfix log, I see:
>>
>> warning: TLS library problem: 13671:error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>
>> I get the same message when using the same new certificate with
>> dovecot, so I don't think it is a postfix issue.
>>
>> To generate the certificate, I used the following commands:
>>
>> openssl genrsa -out MatthewsCA2017.key 2048
>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>> 3000 -out MatthewsCA2017.pem
>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>> smtp.matthews-family.org.uk.csr
>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>
>> Any ideas on what might be wrong?
>>
>
> you seem to have generated your own (new) CA and server certificate; is this
> CA (public) cert installed in postfix correctly. More importantly, is this
> new CA distributed to all devices?
> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

In my Android device, I am using the option "TLS (Accept all
certificates)" which was working with my prior certificate. I built a
new CA and certificate because Microsoft/Hotmail would not send email
to my server because of the use of MD5 in the certificate chain.

In the postfix main.cf, I have:
smtpd_tls_CAfile = /etc/ssl/MatthewsCA2017.pem

The file exists:
# ls /etc/ssl/MatthewsCA2017.pem
/etc/ssl/MatthewsCA2017.pem

This is CentOS 6 VM.

Is there anything else I should do to install the certificates? I
notice that the dovecot configuration doesn't explicitly define the CA
certificate location, so perhaps I have missed something?

Simon
[openssl-users] alert number 46:
I have generated a new certificate for my CentOS 6/postfix server, and
it seems to work with most clients, but when I try to send email using
tls from my Android device, it always fails.

In my postfix log, I see:

warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:

I get the same message when using the same new certificate with
dovecot, so I don't think it is a postfix issue.

To generate the certificate, I used the following commands:

openssl genrsa -out MatthewsCA2017.key 2048
openssl genrsa -des3 -out MatthewsCA2017.key 2048
openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
openssl genrsa -out smtp.matthews-family.org.uk.key 2048
openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256

Any ideas on what might be wrong?

Simon
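
Added example, not part of the original thread: a small decoder for the postfix log line quoted above, showing how the packed OpenSSL 1.x error code 14094416 carries alert number 46 and why an error raised in SSL3_READ_BYTES means the alert came from the remote side, as the replies say. The function name, the result keys and the second sample line are constructed for illustration.

```python
import re

# Certificate-related alert descriptions from RFC 5246, section 7.2.
CERT_ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
ERR_LIB_SSL = 0x14           # library number behind "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to the number of a received alert

# pid:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:<data>
ERR_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):([^:]+):(\d+):")


def decode_tls_error(line):
    """Decode one OpenSSL 1.x error-queue entry found in a log line."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    # OpenSSL 1.x packing: 8 bits library, 12 bits function, 12 bits reason.
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "function": m.group(3), "text": m.group(4),
            "alert": None, "alert_name": None, "sent_by": None}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        # The local side read an alert record, so the peer raised it.
        info["alert"] = reason - SSL_AD_REASON_OFFSET
        info["alert_name"] = CERT_ALERTS.get(info["alert"], "other")
        info["sent_by"] = "peer"
    return info


# Log line as posted in the thread (re-joined onto one line).
THREAD_LINE = ("warning: TLS library problem: 13671:error:14094416:SSL "
               "routines:SSL3_READ_BYTES:sslv3 alert certificate "
               "unknown:s3_pkt.c:1275:SSL alert number 46:")
# Constructed sample of a local (non-alert) error, for contrast.
LOCAL_LINE = ("warning: TLS library problem: 1234:error:1408F10B:SSL "
              "routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:")

if __name__ == "__main__":
    for sample in (THREAD_LINE, LOCAL_LINE):
        print(decode_tls_error(sample))
```

For the thread's line the reason field is 0x416 = 1046, that is 1000 + 46, so the server only recorded an alert the client sent; the server log alone cannot say why the client rejected the certificate.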