RE: Let's Encrypt certificates

2018-04-18 Thread Matt Graham

On 2018-04-17 15:46, Carruth, Rusty wrote:
> Actually, I was really hoping for answers, because I'm not using
> certs yet and know I've got to fix that.
>
> Is Let's Encrypt good, other than your current issues?


IME, Let's Encrypt works very well.  I'm just using it in a basic way 
though.  There are many clients (probably too many) that will update 
your certificates automatically, provided that you have some sort of web 
server that can serve files out of a specific directory.  I went with 
https://github.com/Neilpang/acme.sh because it doesn't depend on 15 sets 
of libraries and languages like so many of the other clients--just bash, 
openssl, and curl or wget.


Wildcard certs would be really useful in some contexts.  Updating TXT 
records could be annoying or impossible if you don't run your own DNS 
server for whatever domain you're getting the cert for.


--
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.
---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss

RE: Let's Encrypt certificates

2018-04-17 Thread Carruth, Rusty
Actually, I was really hoping for answers, because I'm not using certs yet and 
know I've got to fix that.

Is Let's Encrypt good, other than your current issues?

Any place that's free and good (or cheap and perfect)?



Rusty Carruth | Customer Support | rusty.carr...@smarth.com | 
http://www.smarth.com

     See the new M4

See us on Storage Search    http://www.storagesearch.com/smart2.html

510-624-5391   | Fax: 480-926-5579   | 1325 N. Fiesta Blvd.  Suite 101 Gilbert, 
Az. 85233

This email message (and any attachments) is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



Re: Let's Encrypt certificates

2018-04-17 Thread Nathan O'Brennan


Other than my current issue, which is only on my phone (I use Roundcube
for webmail), Let's Encrypt is excellent. I recommend it to everyone.

On 2018-04-17 15:46, Carruth, Rusty wrote:
> Actually, I was really hoping for answers, because I'm not using certs
> yet and know I've got to fix that.
>
> Is Let's Encrypt good, other than your current issues?
>
> Any place that's free and good (or cheap and perfect)?




Re: Let's Encrypt certificates

2018-04-16 Thread Nathan O'Brennan
-- Sorry, wrong identity, and I expect the other to fail; I apologize
if you get this twice.

Thanks Stephen, this seems to be about the right time, but I think my
problems started before this.  

I have not tried combining the primary chain with the intermediate chain
and then making Dovecot use that. I think that is my next step. I just
haven't had time to mess with it further since making my phone accept
the cert was an easy fix so I could get back to work. 

On 2018-04-13 15:44, Stephen Partington wrote:

> https://www.ssllabs.com/ssltest/analyze.html?d=codezilla.xyz 
> 
> So it looks great. 
> 
> This does look like a feature change was recently done. 
> https://letsencrypt.org/2018/04/04/sct-encoding.html 

Re: Let's Encrypt certificates

2018-04-15 Thread Matt Birkholz
On Fri, 2018-04-13 at 14:47 -0700, Nathan O'Brennan wrote:
> On 2018-04-12 11:27, Matt Birkholz wrote:
> > Hi Nathan,
> > 
> > Did you get any help with this, or figure it out yourself by now?
> 
> No, to be honest I haven't seen a single response, but I have also not 
> seen any email come in since I sent it, so I kind of thought maybe my 
> certificate was messed up somehow else.

I think it is just hard to answer you without googling first, which
invites distraction.

> I ended up having my phone accept the certificate [...]

I have the same problem: insufficient curiosity to uninstall the
permanent exceptions (or did you actually turn validation OFF?).  But
maybe another lurker will be forewarned and win AND tell us all about
it.

> > > [...]
> > > Firefox works fine on webmail.
> > > Chrome works fine on webmail.
> > > Postfix, Apache, and Dovecot all operate correctly without warnings.
> > > 
> > > Bluemail, Thunderbird, and Kmail all fail to connect because the
> > > certificate cannot be verified.
> > 
> > You did not attach the intermediate certificates?

I suggested missing intermediates because some clients may be willing
to pursue "additional downloads" to validate a cert, while others may
balk at incomplete chains.

I had not included Gandi's with my Gandi cert and then went down the
garden path of trying to add the intermediates as roots.  It was not
until I took the SSL Labs quality test that I twigged to the importance
of including the necessary intermediate certs.  (Kudos on the SSL Labs
suggestion, Stephen.)  Now the Gandi cert (complete chain) works as
expected, without exceptional handling, in Firefox 59 and (I hope)
everywhere.

I pursued this minion of Chaos a bit further this morning, irritated
that I cannot trust my own self-signed cert, even though I had
installed it in /usr/local/share/ca-certificates/ and ran
`sudo update-ca-certificates` AND saw that a key was added (to
/etc/ssl/certs/ I guess).

Yet I only got Firefox 59 to shut the bleep up after explicitly
importing my (Easy-RSA CA) cert in Preferences > Privacy & Security >
View Certificates... > Authorities > Import...  AND I had to create the
server cert with the INexact, all-too-Common-Name
core.birchwood-abbey.net (NOT the absolute core.birchwood-abbey.net.)
AND I had to use the same name in my CA's DB (i.e. on the
./build-key-server commandline).

Kudos to anyone who can tell me how Firefox knew I had used the name
core25 on the commandline (my twenty-sixth attempt [a tiny
exaggeration]), why I do not see "core25" anywhere in `openssl x509
-text`, and especially how to get the Vile Offspring to document
anything.

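
Matt's point about clients that balk at incomplete chains, and Nathan's plan to combine the leaf with the intermediate chain and point Dovecot at the result, both reduce to one check on the PEM bundle the server hands out: leaf first, and each certificate's issuer equal to the subject of the certificate that follows it. This added example (not code from anyone in the thread) performs that check with a minimal DER walk in stdlib Python, so it runs unchanged on a real fullchain bundle; the `fake_cert_pem` builder and the "Example Intermediate CA" / "Example Root CA" names are constructed test data, not Let's Encrypt's actual intermediate.

```python
"""Check that a PEM bundle (e.g. the file Dovecot's ssl_cert points at) carries
a complete, correctly ordered chain: leaf first, then each issuer in turn.
Standard library only; the X.509 Name fields are located with a minimal DER
walk rather than a full parser."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_names(der):
    """Return (issuer, subject) as raw DER Name encodings from one certificate.

    Certificate = SEQ { tbsCertificate SEQ { [0] version?, serial, sigAlg,
    issuer, validity, subject, spki, ... }, sigAlg, signature }."""
    _, tbs_start, _ = _read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(der, tbs_start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end and len(fields) < 6:
        tag, _, vend = _read_tlv(der, pos)
        fields.append((tag, der[pos:vend]))         # whole TLV, header included
        pos = vend
    if fields[0][0] == 0xA0:                        # drop optional [0] EXPLICIT version
        fields.pop(0)
    return fields[2][1], fields[4][1]               # issuer, subject


def check_chain(pem_text):
    """Return a list of problems; an empty list means leaf plus complete ordered chain."""
    ders = pem_to_der_list(pem_text)
    if len(ders) < 2:
        return ["bundle holds only the leaf: intermediates missing"]
    problems = []
    for i in range(len(ders) - 1):
        issuer, _ = extract_names(ders[i])
        _, next_subject = extract_names(ders[i + 1])
        if issuer != next_subject:
            problems.append(f"cert {i} is not issued by cert {i + 1}: "
                            "chain out of order or wrong intermediate")
    return problems


# --- constructed test data: unsigned certificate skeletons with the real TBS layout ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID id-at-commonName (2.5.4.3), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned X.509 skeleton (test data only: no key, no signature)."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                  # [0] version v3
           + _tlv(0x02, b"\x01")                                             # serialNumber
           + _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))
                  + _tlv(0x05, b""))                                        # sha256WithRSAEncryption
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"180405000000Z") + _tlv(0x17, b"180704000000Z"))  # validity
           + _name(subject_cn)
           + _tlv(0x30, b""))                                                # empty subjectPublicKeyInfo
    cert = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Placeholder CA names, not Let's Encrypt's real intermediate.
LEAF = fake_cert_pem("codezilla.xyz", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    print("leaf only        :", check_chain(LEAF))
    print("leaf+intermediate:", check_chain(LEAF + INTERMEDIATE))
    print("wrong order      :", check_chain(INTERMEDIATE + LEAF))
```

Against a live server, `openssl s_client -showcerts -connect host:993` captures the chain actually presented, and feeding that output to `check_chain` gives the same verdict for what clients see.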

Re: Let's Encrypt certificates

2018-04-13 Thread Stephen Partington
https://www.ssllabs.com/ssltest/analyze.html?d=codezilla.xyz

So it looks great.

This does look like a feature change was recently done.
https://letsencrypt.org/2018/04/04/sct-encoding.html



Re: Let's Encrypt certificates

2018-04-13 Thread Stephen Partington
Sorry, I lost this off my radar.

https://letsencrypt.org/docs/integration-guide/ has some interesting
information. Have you tested your ssl?

-- 
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen

Re: Let's Encrypt certificates

2018-04-13 Thread Nathan O'Brennan

On 2018-04-12 11:27, Matt Birkholz wrote:
> Hi Nathan,
>
> Did you get any help with this, or figure it out yourself by now?

No, to be honest I haven't seen a single response, but I have also not
seen any email come in since I sent it, so I kind of thought maybe my
certificate was messed up somehow else.

I ended up having my phone accept the certificate so I could check my
mail, but I never did resolve it. It works correctly everywhere, and on
my phone as long as it does not try to verify, so I left it alone.






Re: Let's Encrypt certificates

2018-04-12 Thread Matt Birkholz
Hi Nathan,

Did you get any help with this, or figure it out yourself by now?

I have been doing similar things on a CoxBusiness static IP for years,
so maybe I can help.  (Also Mike's latest silliness makes me wish for
more erudite discussions on PLUG.  Smart questions going unanswered
only makes it worse? :-)

I included a couple quick "reactions" to your email (below) but maybe
this is moot now, a week on.

-Matt

On Thu, 2018-04-05 at 20:29 -0700, Nathan O'Brennan wrote:
> Hey all,
> 
> I use Let's Encrypt on my web server, and I use the same certificate for 
> my postfix and dovecot services. Today I realized that my phone has not 
> alerted me to new messages. I logged into my webmail via Firefox (I 
> don't usually log into webmail until my phone says I have mail) and sure 
> enough, I had quite a bit of mail, so I opened my BlueMail app and it 
> will not connect because my certificate cannot be verified.
> 
> Firefox works fine on webmail.
> Chrome works fine on webmail.
> Postfix, Apache, and Dovecot all operate correctly without warnings.
> 
> Bluemail, Thunderbird, and Kmail all fail to connect because the 
> certificate cannot be verified.

You did not attach the intermediate certificates?

> I had to accept the certificate to use it on my phone. Has Let's Encrypt 
> changed something? Or what? I don't get any errors on my server, dovecot 
> reports a username of <> during the initial handshake, which I think is 
> normal, then reports an error only when my phone attempts to connect 
> which looks like:
> 
> 
> Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected 
> (no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162, 
> lip=138.197.192.135, TLS handshaking: SSL_accept() failed: 
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
> unknown: SSL alert number 46, session=
> 
> Best I can tell this is a failure on my server's attempt to verify my 
> phone's certificate?

Your phone has an IMAP client certificate?  I missed that part.

The error message actually looks like mine when certificates do not
validate and clients do not attempt to log in.

> Any help would be appreciated.

Let's Encrypt certificates

2018-04-05 Thread Nathan O'Brennan


Hey all,

I use Let's Encrypt on my web server, and I use the same certificate for 
my postfix and dovecot services. Today I realized that my phone has not 
alerted me to new messages. I logged into my webmail via Firefox (I 
don't usually log into webmail until my phone says I have mail) and sure 
enough, I had quite a bit of mail, so I opened my BlueMail app and it 
will not connect because my certificate cannot be verified.


Firefox works fine on webmail.
Chrome works fine on webmail.
Postfix, Apache, and Dovecot all operate correctly without warnings.

Bluemail, Thunderbird, and Kmail all fail to connect because the 
certificate cannot be verified.


I had to accept the certificate to use it on my phone. Has Let's Encrypt 
changed something? Or what? I don't get any errors on my server, dovecot 
reports a username of <> during the initial handshake, which I think is 
normal, then reports an error only when my phone attempts to connect 
which looks like:



Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected 
(no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162, 
lip=138.197.192.135, TLS handshaking: SSL_accept() failed: 
error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
unknown: SSL alert number 46, session=


Best I can tell this is a failure on my server's attempt to verify my 
phone's certificate?


Any help would be appreciated.
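
The Dovecot line above is the thread's one piece of hard evidence, and Matt's reading of it (the message you get when clients do not validate the certificate and never attempt to log in) matches how OpenSSL reports it: an alert that SSL_accept() fails on was sent by the client, so it is the client's verdict on the server's certificate, not the server checking a client certificate. As an added example, not code from anyone in the thread, this Python triage script parses Dovecot imap-login lines, separates client-side certificate rejections from idle disconnects and successful logins, and groups rejections by client IP; the first sample line is the one from the post (IP masked as posted), the other lines, the user name and the 198.51.100.x / 203.0.113.x addresses are constructed.

```python
"""Triage Dovecot imap-login lines: tell certificate rejections by the client
apart from idle disconnects and successful logins.

OpenSSL's "SSL_accept() failed: ... sslv3 alert <name>: SSL alert number N" is
logged when the peer sends a TLS alert during the server-side handshake, so an
alert in the certificate range means the client refused the certificate the
server presented."""
import re
from collections import defaultdict

# TLS alert descriptions (RFC 5246 section 7.2.2) a client sends when it
# rejects the certificate it was shown.
CERT_ALERTS = {
    42: "bad_certificate (corrupt certificate or bad signature)",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown (client could not build a trust path; "
        "typical when the server omits its intermediates)",
    48: "unknown_ca (issuing CA not in the client's trust store)",
}

LINE_RE = re.compile(
    r"imap-login: (?P<event>Login|Disconnected)"
    r".*?rip=(?P<rip>[^,]+)"
    r"(?:.*?SSL alert number (?P<alert>\d+))?")

# Constructed sample log. Line 1 is the one from the original post; the others
# are made up, using RFC 5737 documentation addresses and a placeholder user.
SAMPLE_LOG = [
    "Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected "
    "(no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162, "
    "lip=138.197.192.135, TLS handshaking: SSL_accept() failed: "
    "error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate "
    "unknown: SSL alert number 46, session=",
    "Apr 05 20:27:10 codezilla.xyz dovecot[1699]: imap-login: Disconnected "
    "(no auth attempts in 2 secs): user=<>, rip=198.51.100.7, "
    "lip=138.197.192.135, TLS handshaking: SSL_accept() failed: "
    "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: "
    "SSL alert number 48, session=<constructed>",
    "Apr 05 20:28:44 codezilla.xyz dovecot[1699]: imap-login: Login: "
    "user=<alice>, method=PLAIN, rip=203.0.113.5, lip=138.197.192.135, "
    "mpid=1710, TLS, session=<constructed>",
    "Apr 05 20:29:02 codezilla.xyz dovecot[1699]: imap-login: Disconnected "
    "(no auth attempts in 10 secs): user=<>, rip=198.51.100.9, "
    "lip=138.197.192.135, TLS, session=<constructed>",
]


def parse_line(line):
    """Return {'event', 'rip', 'alert'} for an imap-login line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "event": m["event"],
        "rip": m["rip"].strip(),
        "alert": int(m["alert"]) if m["alert"] else None,
    }


def classify(record):
    """Explain one parsed record from the server operator's point of view."""
    if record["event"] == "Login":
        return "ok: authenticated over TLS"
    alert = record["alert"]
    if alert is None:
        return ("idle disconnect, no TLS alert (client went away or a scanner; "
                "not a certificate problem)")
    if alert in CERT_ALERTS:
        return "client rejected our certificate: " + CERT_ALERTS[alert]
    return f"client sent TLS alert {alert} (not a certificate alert)"


def cert_rejections(lines):
    """Map client IP -> alert numbers for certificate rejections only.

    Several distinct clients all failing with alert 46 or 48 right after a
    renewal points at the served chain, not at any one client."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "Disconnected" and rec["alert"] in CERT_ALERTS:
            by_client[rec["rip"]].append(rec["alert"])
    return dict(by_client)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = parse_line(entry)
        print(f"{rec['rip']:>16}  {classify(rec)}")
    print(cert_rejections(SAMPLE_LOG))
```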