Let's Encrypt certificates

Matt Birkholz matt at birchwood-abbey.net
Thu Apr 12 11:27:05 MST 2018


Hi Nathan,

Did you get any help with this, or figure it out yourself by now?

I have been doing similar things on a CoxBusiness static IP for years,
so maybe I can help.  (Also Mike's latest silliness makes me wish for
more erudite discussions on PLUG.  Smart questions going unanswered
only makes it worse? :-)

I included a couple quick "reactions" to your email (below) but maybe
this is moot now, a week on.

-Matt

On Thu, 2018-04-05 at 20:29 -0700, Nathan O'Brennan wrote:
> Hey all,
> 
> I use Let's Encrypt on my web server, and I use the same certificate for 
> my postfix and dovecot services. Today I realized that my phone has not 
> alerted me to new messages. I logged into my webmail via Firefox (I 
> don't usually log into webmail until my phone says I have mail) and sure 
> enough, I had quite a bit of mail, so I opened my BlueMail app and it 
> will not connect because my certificate cannot be verified.
> 
> Firefox works fine on webmail.
> Chrome works fine on webmail.
> Postfix, Apache, and Dovecot all operate correctly without warnings.
> 
> Bluemail, Thunderbird, and Kmail all fail to connect because the 
> certificate cannot be verified.

You did not attach the intermediate certificates?

> I had to accept the certificate to use it on my phone. Has Let's Encrypt 
> changed something? Or what? I don't get any errors on my server, dovecot 
> reports a username of <> during the initial handshake, which I think is 
> normal, then reports an error only when my phone attempts to connect 
> which looks like:
> 
> 
> Apr 05 20:26:23 codezilla.xyz dovecot[1699]: imap-login: Disconnected 
> (no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162, 
> lip=138.197.192.135, TLS handshaking: SSL_accept() failed: 
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate 
> unknown: SSL alert number 46, session=<xsrZniVpOQBGsb2i>
> 
> Best I can tell this is a failure on my server's attempt to verify my 
> phone's certificate?

Your phone has an IMAP client certificate?  I missed that part.

The error message actually looks like mine when certificates do not
validate and clients do not attempt to log in.

> Any help would be appreciated.
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
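
Added example, not part of either message in this thread: the OpenSSL error code in the dovecot log line quoted above can be unpacked to see which side rejected the handshake. It assumes the packed error format of OpenSSL 1.0.x/1.1.x; the function names and the two extra sample lines are constructed for illustration.

```python
import re

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

ERR_LIB_SSL = 0x14           # OpenSSL's library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for a *received* alert
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(line):
    """Unpack an OpenSSL 1.0.x/1.1.x error code: lib (8 bits), func (12), reason (12)."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "alert": None}
    if info["lib"] == ERR_LIB_SSL and 1000 < info["reason"] <= 1255:
        info["alert"] = info["reason"] - SSL_AD_REASON_OFFSET
    return info

def diagnose(line):
    """Say which side rejected the handshake, based on the decoded alert."""
    info = decode_openssl_error(line)
    if info is None or info["alert"] is None:
        return "no received TLS alert in this line"
    name = CERT_ALERTS.get(info["alert"])
    if name is None:
        return "peer sent TLS alert %d (not certificate-related)" % info["alert"]
    return ("peer (the mail client) sent alert %d %s: it rejected the certificate "
            "chain the server presented" % (info["alert"], name))

# Trimmed from the dovecot log line quoted in the message above.
PAGE_LINE = ("dovecot[1699]: imap-login: Disconnected (no auth attempts in 3 secs): "
             "user=<>, TLS handshaking: SSL_accept() failed: error:14094416:"
             "SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: "
             "SSL alert number 46")
# Constructed sample lines (not from the page) for contrast.
UNKNOWN_CA = ("dovecot: imap-login: TLS handshaking: SSL_accept() failed: "
              "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca")
CLEAN_LOGIN = "dovecot: imap-login: Login: user=<alice>, TLS"

if __name__ == "__main__":
    for sample in (PAGE_LINE, UNKNOWN_CA, CLEAN_LOGIN):
        print(diagnose(sample))
```

The chain a server actually sends can be inspected with openssl s_client -connect HOST:993 -showcerts, where HOST is a placeholder for the mail server's name.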

