Let's Encrypt certificates

Nathan O'Brennan plugaz at codezilla.xyz
Mon Apr 16 16:26:46 MST 2018


-- Sorry as wrong identity and I expect the other to fail, I apologize
if you get this twice. 

Thanks Stephen, this seems to be about the right time, but I think my
problems started before this.  

I have not tried combining the primary chain with the intermediate chain
and then making Dovecot use that. I think that is my next step. I just
haven't had time to mess with it further since making my phone accept
the cert was an easy fix so I could get back to work. 

On 2018-04-13 15:44, Stephen Partington wrote:

> https://www.ssllabs.com/ssltest/analyze.html?d=codezilla.xyz 
> 
> So it looks great. 
> 
> This does look like a feature change was recently done. https://letsencrypt.org/2018/04/04/sct-encoding.html 
> 
> On Fri, Apr 13, 2018 at 3:03 PM, Stephen Partington <cryptworks at gmail.com> wrote:
> 
> Sorry, I lost this off my radar. 
> 
> https://letsencrypt.org/docs/integration-guide/ [1] has some interesting information. Have you tested your ssl? 
> 
> On Fri, Apr 13, 2018 at 2:47 PM, Nathan O'Brennan <plugaz at codezilla.xyz> wrote:
> On 2018-04-12 11:27, Matt Birkholz wrote:
> Hi Nathan,
> 
> Did you get any help with this, or figure it out yourself by now?
> 
> No, to be honest I haven't seen a single response, but I have also not seen any email come in since I sent it, so I kind of thought maybe my certificate was messed up somehow else.
> 
> I ended up having my phone accept the certificate so I could check my mail, but I never did resolve it. It works correctly everywhere, and on my phone as long as it does not try to verify, so I left it alone. 
> 
> I have been doing similar things on a CoxBusiness static IP for years,
> so maybe I can help.  (Also Mike's latest silliness makes me wish for
> more erudite discussions on PLUG.  Smart questions going unanswered
> only makes it worse? :-)
> 
> I included a couple quick "reactions" to your email (below) but maybe
> this is moot now, a week on.
> 
> -Matt
> 
> On Thu, 2018-04-05 at 20:29 -0700, Nathan O'Brennan wrote:
> Hey all,
> 
> I use Let's Encrypt on my web server, and I use the same certificate for
> my postfix and dovecot services. Today I realized that my phone has not
> alerted me to new messages. I logged into my webmail via Firefox (I
> don't usually log into webmail until my phone says I have mail) and sure
> enough, I had quite a bit of mail, so I opened my BlueMail app and it
> will not connect because my certificate cannot be verified.
> 
> Firefox works fine on webmail.
> Chrome works fine on webmail.
> Postfix, Apache, and Dovecot all operate correctly without warnings.
> 
> Bluemail, Thunderbird, and Kmail all fail to connect because the
> certificate cannot be verified. 
> 
> You did not attach the intermediate certificates?
> 
> I had to accept the certificate to use it on my phone. Has Let's Encrypt
> changed something? Or what? I don't get any errors on my server, dovecot
> reports a username of <> during the initial handshake, which I think is
> normal, then reports an error only when my phone attempts to connect
> which looks like:
> 
> Apr 05 20:26:23 codezilla.xyz [2] dovecot[1699]: imap-login: Disconnected
> (no auth attempts in 3 secs): user=<>, rip=70.xxx.aaa.162,
> lip=138.197.192.135, TLS handshaking: SSL_accept() failed:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> unknown: SSL alert number 46, session=<xsrZniVpOQBGsb2i>
> 
> Best I can tell this is a failure on my server's attempt to verify my
> phone's certificate? 
> 
> Your phone has an IMAP client certificate?  I missed that part.
> 
> The error message actually looks like mine when certificates do not
> validate and clients do not attempt to log in.
> 
> Any help would be appreciated.
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss [3]


  -- 

A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen


 

Links:
------
[1] https://letsencrypt.org/docs/integration-guide/
[2] http://codezilla.xyz
[3] http://lists.phxlinux.org/mailman/listinfo/plug-discuss
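
Added example, not part of the original thread: the failure mode Matt asks about (a server that presents only the leaf certificate) reproduced offline with a throwaway three-level PKI, next to the combined leaf-plus-intermediate file Nathan plans to try. All certificate names are constructed, and the file names `cert.pem`, `chain.pem` and `fullchain.pem` are assumptions chosen to mirror a common ACME client layout; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); all names are made up.

new_csr() {  # new_csr <dir> <basename> <common name>
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # make_chain <dir>: writes root.pem, chain.pem, cert.pem, fullchain.pem
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    new_csr "$1" root "Constructed Root CA"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    new_csr "$1" inter "Constructed Intermediate CA"
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.ext" -out "$1/chain.pem" 2>/dev/null
    new_csr "$1" leaf "mail.example.test"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/inter.key" \
        -set_serial 3 -days 2 -out "$1/cert.pem" 2>/dev/null
    # What the server should present: leaf first, then the intermediate.
    cat "$1/cert.pem" "$1/chain.pem" > "$1/fullchain.pem"
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Client trusts only the root; server sent only the leaf.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1
}

# Same trust store; the intermediate arrives from the server (untrusted input).
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/chain.pem" \
        "$1/cert.pem" >/dev/null 2>&1
}

d=$(mktemp -d)
make_chain "$d"
echo "cert.pem: $(count_certs "$d/cert.pem") cert(s), fullchain.pem: $(count_certs "$d/fullchain.pem")"
if verify_leaf_only "$d"; then echo "leaf only: verified"
else echo "leaf only: FAILED, no path to the trusted root"; fi
if verify_with_chain "$d"; then echo "leaf + intermediate: verified"
else echo "leaf + intermediate: FAILED"; fi
rm -rf "$d"
```

On a real server the same count applies to whatever file Dovecot's `ssl_cert` setting points at: a count of 1 means no intermediate is being sent. `openssl s_client -connect <host>:993 -showcerts` shows what the IMAPS listener actually presents.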