Gmail android app invalid certificate for imap


#1

Hi,

Im trying to configure dovecot on my server using SNI to provide right certificate for each domain. This works ok with outlook desktop but when trying to add account to gmail app i get an error that says certificate is not trusted. I can see certificate within app and is right certificate for my domain so i dont understand why is not trusted… dates are ok also…
Thanks!


#2

Hi @borjaevo

what’s the reason? There are different things - no valid root, no valid name etc.

Do you have a screenshot?


#3

Have you verified the Gmail app actually uses SNI? Because SNI isn’t widespread in e-mail servers and clients.


#4

Gmail app dont show any reason…i get a dialog with message “not valid certificate” and a button that says “advanced settings”, if i touch that, i could see the certificate that is the right certificate for domain and dates are ok.
I read something about i have to configure dovecot to serve fullchain.pem instead of standard cert.pem but i tried and can’t configure accounts with any client app.


#5

Yes, its supported because i can see certificate and is domain certificate and not default cert of dovecot that is certificate of server.

I think this has nothing to do with client app, it tries to connect to mail server with vhost domain and dovecot serves configured certificate. I dont think a client app can get default certificate instead of domain certificate. But maybe im wrong, anyway, its not the case.

Thanks!


#6

That is always a good thing to do.

Could you post a screenshot please?


#7

Of course:


Its spanish, it says certificate not trusted.

About use fullchain.cert i cant configure any account with that, neither with outlook desktop or mobile, or gmail. It cant establish secure connection.


#8

Can you post the server name?
It is probably a chain issue…

That is made on the IMAP server.

You can check it with:
openssl s_client -connect servername:imaps
Confirm the CHAIN and the SUBJECT.


#9

Using the command you provided i dont get same certificate that from gmail app. I get default certificate of dovecot.


#10

Add -servername the_actual_hostname to send the SNI request too.


#11

OK, i think i know why is not working with fullchain.cert, this file is not renewed since 2017… maybe since i changed the way i renew letsencrypt certificates when i was using cron jobs to renew, now i renew using virtualmin interface. How can i get fullchain.pem?


#12

I’m sure virtualmin also has some sort of fullchain file present somewhere.


#13

I have deleted all files in sll_certificates folder and request new certificate and i only have cert.pem and key.pem files… no chain or fullchain file
This a virtualmin issue i think, so i will do some research about it.


#14

Thanks!! its working!

I dont know why but virtualmin is renewing certificate files in different folders. I have cert.pem and privkey.pem in ssl_certificates folder inside domain folder and chain and fullchain files in domain home folder with names ssl.combined and ssl.everything.


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.