Mobile clients, SSL alert number 46

antioch · June 2, 2020, 4:16pm

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): webmin 1.942

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0

select mobile clients are not receiving mail. desktop clients working fine. mail.err log shows the following whenever select mobile clients attempt connection.

dovecot: imap-login: Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

Osiris · June 2, 2020, 4:18pm

You’re not sending an intermediate certificate. Your Dovecot configuration should include the intermediate certificate.

antioch · June 2, 2020, 4:49pm

added the following to /etc/dovecot/conf.d/10-ssl.conf, even though the comments in the file say to only do so when performing client certificate checking. seems to have resolved the issue.

ssl_ca = </etc/webmin/letsencrypt-ca.pem

Osiris · June 2, 2020, 4:50pm

Doesn’t webmin provide some combined file like certbot does?

antioch · June 2, 2020, 4:53pm

not that i can see in /etc/webmin. just the ca, cert and key files.

Osiris · June 2, 2020, 4:54pm

Did webmin create those files? Or did certbot? B/c you’re also citing version 0.27 of certbot?

antioch · June 2, 2020, 4:55pm

webmin just implemented certbot, requiring me to install it. but i never use it directly. webmin continues to handle the requesting and renewals…just now using certbot as i understand it.

Osiris · June 2, 2020, 5:07pm

Ah, I see. Unfortunate. The webmin code indeed doesn’t include the fullchain.pem provided by certbot.

Two options if you don’t want to use ssl_ca (I wouldn’t recommend it, just like the Dovecot devvers don’t recommend it):

Patch the webmin source code to include fullchain.pem in /etc/webmin
Place a command like cat /etc/webmin/letsencrypt-cert.pem /etc/webmin/letsencrypt-ca.pem > /etc/webmin/letsencrypt-fullchain.pem in the certbot renewal configuration file of the certificate name used by webmin.

antioch · June 2, 2020, 7:21pm

is the location of this file a webmin question?

Osiris · June 2, 2020, 7:51pm

I don't know if webmin manipulates certbot in a way the location of that file is different than the default location. Normally, one would find the renewal configuration files of certbot in /etc/letsencrypt/renewal with subdirectories there for each certificate "lineage". Also, I'm not familiair with webmin to say how webmin names the certificate lineages.

antioch · June 2, 2020, 8:04pm

that folder only contains conf files for the webmin domain and each virtualmin domain. however, in antiochtechnologies.com.conf, /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem is referenced. now /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem turns out to be a symlink to /etc/letsencrypt/archive/antiochtechnologies.com/fullchain3.pem. could i just tell dovecot to use /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem?

Osiris · June 2, 2020, 8:36pm

If you're sure that's the correct certificate (compair /etc/webmin/letsencrypt-cert.pem and /etc/letsencrypt/live/antiochtechnologies.com/cert.pem): yes

Topic		Replies	Views
Maybe an intermediate certificate is missing? Help	27	6669	November 7, 2021
Dovecot issues regarding: Intermediate/chain certificate to link it to a trusted root certificate Server	10	4906	May 18, 2019
Chain missing or incomplete Help	25	9794	January 23, 2021
Incomplete, Extra intermediate chain certificate Help	10	2918	January 29, 2021
Mail server has new cert but mail app sees old one Help	32	690	April 22, 2024

Mobile clients, SSL alert number 46

Related topics