dovocot: sl/tls alert bad certificate: SSL alert number 42

All questions related to servers
Post Reply
mister_v
Posts: 199
Joined: Thu Mar 04, 2010 9:19 pm

dovocot: sl/tls alert bad certificate: SSL alert number 42

Post by mister_v »

Hi,

I have a problem connection to my imap-server; dovecot.
errors in the log

Code: Select all

dovecot[2681]: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::ssl/tls alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs):
Client soft is thunderbird.
chris
Site Admin
Posts: 205
Joined: Mon Jul 21, 2008 9:52 am

Re: dovocot: sl/tls alert bad certificate: SSL alert number 42

Post by chris »

The newer version of thunderbird are more strict on certificates, specially on self-signed certificates.
If you have a private imap-server that you maintain yourself you probably use this.

You can find a tutorial on this site:
https://softwareprocess.es/homepage/pos ... number-42/

I'll give a brief resume here.
You'll need to use a CA or make one yourself.
And respect the common name of the certificate is the same as your server.
Upload the CA in thunderbird

Step1 1: Use a CA or make a CA.

Code: Select all

openssl genrsa -out SERVER_CA.key 4096
	openssl req -x509 -new -nodes -key SERVER_CA.key \
		-subj "/C=BE/ST=NO/L=Town/O=dovecotnow/CN=SERVER" \
		-sha256 -days 3650 -out SERVER_CA.pem
	openssl req -new -x509 -days 3650 -key SERVER_CA.key \
		-subj "/C=BE/ST=NO/L=TOWN/O=dovecotnow/CN=SERVER" \
		-out SERVER_CA.crt
hold on to SERVER_CA.pem, you'll need to upload it in thunderbird.

Step 2: Subject Altertnative Names (for you server)

Code: Select all

# v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = SERVER
DNS.2 = server.domain.dns
DNS.3 = server6
Step3: Create Keys and certificate

Code: Select all

       openssl genrsa -out SERVER.key 4096
	# Make the certificate request
	openssl req -new -key SERVER.key -out SERVER.csr -subj \
		"/C=BE/ST=NO/L=Town/O=dovecotnow/CN=SERVER"
	# Make a certificate
	openssl x509 -req -in SERVER.csr -CA SERVER_CA.pem -CAkey \
		SERVER_CA.key -CAcreateserial -out SERVER.crt \
		-days 3650 -sha256 -extfile v3.ext
	# Make a certificate
	openssl x509 -req -in SERVER.csr -CA SERVER_CA.pem -CAkey \
		SERVER_CA.key -CAcreateserial -out SERVER.pem \
		-days 3650 -sha256 -extfile v3.ext
Step 4: install cert on server
SERVER.key and SERVER.pem will be used in your dovecot 10-ssl.conf file on your server. (see /etc/dovecot/conf.d/10-ssl.conf)
restart dovecot.

Step 5: install cert in thunderbird
Make sure that the CA’s certificate is trusted by Thunderbird
Settings -> Privacy & Security -> Manage Certificates -> Authorities -> Import (and choose your CA’s pem or crt such as SERVER_CA.pem)

Step 6: hostname ( not sure if this is needed)
Add IMAP hostname on you client PC (see /etc/hosts )

Code: Select all

10.10.10.10   SERVER
Post Reply