RE: Let's Encrypt certificates
On 2018-04-17 15:46, Carruth, Rusty wrote:
> Actually, I was really hoping for answers, because I'm not using certs yet
> and know I've got to fix that. Is Let's Encrypt good, other than your
> current issues?

IME, Let's Encrypt works very well. I'm just using it in a basic way though.

There are many clients (probably too many) that will update your certificates automatically, provided that you have some sort of web server that can serve files out of a specific directory. I went with https://github.com/Neilpang/acme.sh because it doesn't depend on 15 sets of libraries and languages like so many of the other clients--just bash, openssl, and curl or wget.

Wildcard certs would be really useful in some contexts. Updating TXT records could be annoying or impossible if you don't run your own DNS server for whatever domain you're getting the cert for.

--
Crow202 Blog: http://crow202.org/wordpress
There is no Darkness in Eternity
But only Light too dim for us to see.

---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
RE: Let's Encrypt certificates
Actually, I was really hoping for answers, because I'm not using certs yet and know I've got to fix that.

Is Let's Encrypt good, other than your current issues? Any place that's free and good (or cheap and perfect)?

Rusty Carruth | Customer Support | rusty.carr...@smarth.com | http://www.smarth.com
Re: Let's Encrypt certificates
Other than my current issue, which is only on my phone, I use Roundcube for webmail, Let's Encrypt is excellent. I recommend it to everyone.

On 2018-04-17 15:46, Carruth, Rusty wrote:
> Actually, I was really hoping for answers, because I'm not using certs yet
> and know I've got to fix that.
>
> Is Let's Encrypt good, other than your current issues? Any place that's
> free and good (or cheap and perfect)?
Re: Let's Encrypt certificates
-- Sorry as wrong identity and I expect the other to fail, I apologize if you get this twice.

Thanks Stephen, this seems to be about the right time, but I think my problems started before this. I have not tried combining the primary chain with the intermediate chain and then making Dovecot use that. I think that is my next step. I just haven't had time to mess with it further since making my phone accept the cert was an easy fix so I could get back to work.

On 2018-04-13 15:44, Stephen Partington wrote:
> https://www.ssllabs.com/ssltest/analyze.html?d=codezilla.xyz
>
> So it looks great.
>
> This does look like a feature change was recently done.
> https://letsencrypt.org/2018/04/04/sct-encoding.html
Re: Let's Encrypt certificates
On Fri, 2018-04-13 at 14:47 -0700, Nathan O'Brennan wrote:
> On 2018-04-12 11:27, Matt Birkholz wrote:
> > Hi Nathan,
> >
> > Did you get any help with this, or figure it out yourself by now?
>
> No, to be honest I haven't seen a single response, but I have also not
> seen any email come in since I sent it, so I kind of thought maybe my
> certificate was messed up somehow else.

I think it is just hard to answer you without googling first, which invites distraction.

> I ended up having my phone accept the certificate [...]

I have the same problem: insufficient curiosity to uninstall the permanent exceptions (or did you actually turn validation OFF?). But maybe another lurker will be forewarned and win AND tell us all about it.

> > > [...]
> > > Firefox works fine on webmail.
> > > Chrome works fine on webmail.
> > > Postfix, Apache, and Dovecot all operate correctly without warnings.
> > >
> > > Bluemail, Thunderbird, and Kmail all fail to connect because the
> > > certificate cannot be verified.
> >
> > You did not attach the intermediate certificates?

I suggested missing intermediates because some clients may be willing to pursue "additional downloads" to validate a cert, while others may balk at incomplete chains. I had not included Gandi's with my Gandi cert and then went down the garden path of trying to add the intermediates as roots. It was not until I took SSLLabs quality test that I twigged to the importance of including the necessary intermediate certs. (Kudos on the SSL Labs suggestion, Stephen.) Now the Gandi cert (complete chain) works as expected, without exceptional handling, in Firefox 59 and (I hope) Everywhere.

I pursued this minion of Chaos a bit further this morning, irritated that I cannot trust my own self-signed cert, even though I had installed it in /usr/local/share/ca-certificates/ and ran `sudo update-ca-certificates` AND saw that a key was added (to /etc/ssl/certs/ I guess). Yet I only got Firefox 59 to shut the bleep up after explicitly importing my (Easy-RSA CA) cert in Preferences > Privacy & Security > View Certificates... > Authorities > Import... AND I had to create the server cert with the INexact, all-too-Common-Name core.birchwood-abbey.net (NOT the absolute core.birchwood-abbey.net.) AND I had to use the same name in my CA's DB (i.e. on the ./build-key-server commandline).

Kudos to anyone who can tell me how Firefox knew I had used the name core25 on the commandline (my twenty-sixth attempt [a tiny exaggeration]), why I do not see "core25" anywhere in `openssl x509 -text`, and especially how to get the Vile Offspring to document anything.
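Matt's point above about incomplete chains, and Nathan's plan earlier in the thread to combine the certificate with the intermediate chain for Dovecot, can be reproduced offline. This is an added example, not code from any post in the thread; it assumes the `openssl` command-line tool is installed, and the CA names, `mail.example.test`, the file names and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI. Every name is made up.

# make_demo_pki DIR: writes root.pem, inter.pem, leaf.pem and fullchain.pem into DIR.
make_demo_pki() {
    dir=$1
    cat > "$dir/pki.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF
    # Root CA: self-signed, the only certificate the client trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA: signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_ca \
        -out "$dir/inter.pem" 2>/dev/null || return 1
    # Leaf (server) certificate: signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
        -subj "/CN=mail.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
    # What a server with a complete chain presents: leaf first, then intermediate.
    cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/fullchain.pem"
}

# count_certs FILE: number of PEM certificates in the file a server is configured to send.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# served_chain_verifies ROOT SERVED_PEM
# Models a strict client that trusts only ROOT and fetches nothing on its own.
# openssl verify checks the first certificate in SERVED_PEM; passing the same
# file as -untrusted makes any further certificates in it available for chain
# building, as they would be when sent in the TLS handshake.
served_chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
if make_demo_pki "$demo_dir"; then
    for f in leaf.pem fullchain.pem; do
        if served_chain_verifies "$demo_dir/root.pem" "$demo_dir/$f"; then
            echo "$f ($(count_certs "$demo_dir/$f") cert): verifies against the root"
        else
            echo "$f ($(count_certs "$demo_dir/$f") cert): incomplete chain, a strict client rejects it"
        fi
    done
fi
rm -rf "$demo_dir"
```

The same `served_chain_verifies` check can be pointed at the certificate file a mail server is configured with, using the system CA bundle in place of the demo root.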
Re: Let's Encrypt certificates
https://www.ssllabs.com/ssltest/analyze.html?d=codezilla.xyz

So it looks great.

This does look like a feature change was recently done.
https://letsencrypt.org/2018/04/04/sct-encoding.html

--
A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.

Stephen
Re: Let's Encrypt certificates
Sorry, I lost this off my radar.

https://letsencrypt.org/docs/integration-guide/ has some interesting information. Have you tested your ssl?

--
A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.

Stephen
Re: Let's Encrypt certificates
On 2018-04-12 11:27, Matt Birkholz wrote:
> Hi Nathan,
>
> Did you get any help with this, or figure it out yourself by now?

No, to be honest I haven't seen a single response, but I have also not seen any email come in since I sent it, so I kind of thought maybe my certificate was messed up somehow else.

I ended up having my phone accept the certificate so I could check my mail, but I never did resolve it. It works correctly everywhere, and on my phone as long as it does not try to verify, so I left it alone.
Re: Let's Encrypt certificates
Hi Nathan,

Did you get any help with this, or figure it out yourself by now?

I have been doing similar things on a CoxBusiness static IP for years, so maybe I can help. (Also Mike's latest silliness makes me wish for more erudite discussions on PLUG. Smart questions going unanswered only makes it worse? :-)

I included a couple quick "reactions" to your email (below) but maybe this is moot now, a week on.

-Matt

On Thu, 2018-04-05 at 20:29 -0700, Nathan O'Brennan wrote:
> Hey all,
>
> I use Let's Encrypt on my web server, and I use the same certificate for
> my postfix and dovecot services. Today I realized that my phone has not
> alerted me to new messages. I logged into my webmail via Firefox (I
> don't usually log into webmail until my phone says I have mail) and sure
> enough, I had quite a bit of mail, so I opened my BlueMail app and it
> will not connect because my certificate cannot be verified.
>
> Firefox works fine on webmail.
> Chrome works fine on webmail.
> Postfix, Apache, and Dovecot all operate correctly without warnings.
>
> Bluemail, Thunderbird, and Kmail all fail to connect because the
> certificate cannot be verified.

You did not attach the intermediate certificates?

> I had to accept the certificate to use it on my phone. Has Let's Encrypt
> changed something? Or what? I don't get any errors on my server, dovecot
> reports a username of <> during the initial handshake, which I think is
> normal, then reports an error only when my phone attempts to connect
> which looks like:
>
> Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected
> (no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162,
> lip=138.197.192.135, TLS handshaking: SSL_accept() failed:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> unknown: SSL alert number 46, session=
>
> Best I can tell this is a failure on my server's attempt to verify my
> phone's certificate?

Your phone has an IMAP client certificate? I missed that part.

The error message actually looks like mine when certificates do not validate and clients do not attempt to log in.

> Any help would be appreciated.
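The log line in this exchange can be decoded mechanically: in the OpenSSL 1.x packed error format the low 12 bits of the hex code are the reason, and a reason of 1000 plus N is recorded when TLS alert N is received from the peer, so `14094416` is alert 46 arriving at Dovecot from the client. This is an added example, not code from the thread; the sample line, host name and addresses are constructed, the function names are hypothetical, and the field layout assumes the 1.x format that the 8-digit code matches.

```shell
#!/bin/sh
# Added example: decode the OpenSSL error carried in a dovecot imap-login line.

# Constructed sample modelled on the line quoted in the thread; the host name
# and addresses are documentation placeholders.
SAMPLE_LINE='Apr 05 20:26:23 mail.example.test dovecot[1699]: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<constructed>'

# alert_name N: certificate-related TLS alert descriptions (RFC 5246, section 7.2).
alert_name() {
    case $1 in
        42) echo bad_certificate ;;
        43) echo unsupported_certificate ;;
        44) echo certificate_revoked ;;
        45) echo certificate_expired ;;
        46) echo certificate_unknown ;;
        48) echo unknown_ca ;;
        *)  echo "alert_$1" ;;
    esac
}

# extract_err_hex LINE: the 8-hex-digit code after "error:", or nothing.
extract_err_hex() {
    printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p'
}

# decode_err_fields HEX: split a 1.x packed code into library, function, reason.
decode_err_fields() {
    code=$((0x$1))
    echo "lib=$(( (code >> 24) & 0xff )) func=$(( (code >> 12) & 0xfff )) reason=$(( code & 0xfff ))"
}

# explain_tls_failure LINE: say whether the failure is an alert received from
# the peer (reason 1000 + alert number) or an error raised locally.
explain_tls_failure() {
    hex=$(extract_err_hex "$1")
    [ -n "$hex" ] || { echo "no OpenSSL error code found"; return 1; }
    reason=$(( 0x$hex & 0xfff ))
    peer=$(printf '%s\n' "$1" | sed -n 's/.*rip=\([^,]*\),.*/\1/p')
    if [ "$reason" -gt 1000 ] && [ "$reason" -lt 1256 ]; then
        alert=$((reason - 1000))
        echo "received TLS alert $alert ($(alert_name "$alert")) from ${peer:-unknown}"
    else
        echo "local OpenSSL error, reason $reason"
    fi
}

# Stand-alone demonstration on the constructed line.
decode_err_fields "$(extract_err_hex "$SAMPLE_LINE")"
explain_tls_failure "$SAMPLE_LINE"
```

A received `certificate_unknown` alert means the connecting client gave up on the certificate the server presented, which points the investigation at the chain the server sends.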
Let's Encrypt certificates
Hey all,

I use Let's Encrypt on my web server, and I use the same certificate for my postfix and dovecot services. Today I realized that my phone has not alerted me to new messages. I logged into my webmail via Firefox (I don't usually log into webmail until my phone says I have mail) and sure enough, I had quite a bit of mail, so I opened my BlueMail app and it will not connect because my certificate cannot be verified.

Firefox works fine on webmail.
Chrome works fine on webmail.
Postfix, Apache, and Dovecot all operate correctly without warnings.

Bluemail, Thunderbird, and Kmail all fail to connect because the certificate cannot be verified.

I had to accept the certificate to use it on my phone. Has Let's Encrypt changed something? Or what? I don't get any errors on my server, dovecot reports a username of <> during the initial handshake, which I think is normal, then reports an error only when my phone attempts to connect which looks like:

Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected (no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162, lip=138.197.192.135, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=

Best I can tell this is a failure on my server's attempt to verify my phone's certificate?

Any help would be appreciated.