Mobile clients, SSL alert number 46

My domain is: antiochtechnologies.com

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin 1.942

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.27.0

select mobile clients are not receiving mail. desktop clients working fine. mail.err log shows the following whenever select mobile clients attempt connection.

dovecot: imap-login: Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46

1 Like

You’re not sending an intermediate certificate. Your Dovecot configuration should include the intermediate certificate.

1 Like

added the following to /etc/dovecot/conf.d/10-ssl.conf, even though the comments in the file say to only do so when performing client certificate checking. seems to have resolved the issue.

ssl_ca = </etc/webmin/letsencrypt-ca.pem

1 Like

Doesn’t webmin provide some combined file like certbot does?

1 Like

not that i can see in /etc/webmin. just the ca, cert and key files.

Did webmin create those files? Or did certbot? B/c you’re also citing version 0.27 of certbot?

webmin just implemented certbot, requiring me to install it. but i never use it directly. webmin continues to handle the requesting and renewals…just now using certbot as i understand it.

1 Like

Ah, I see. Unfortunate. The webmin code indeed doesn’t include the fullchain.pem provided by certbot.

Two options if you don’t want to use ssl_ca (I wouldn’t recommend it, just like the Dovecot devvers don’t recommend it):

  • Patch the webmin source code to include fullchain.pem in /etc/webmin
  • Place a command like cat /etc/webmin/letsencrypt-cert.pem /etc/webmin/letsencrypt-ca.pem > /etc/webmin/letsencrypt-fullchain.pem in the certbot renewal configuration file of the certificate name used by webmin.
1 Like

is the location of this file a webmin question?

I don’t know if webmin manipulates certbot in a way the location of that file is different than the default location. Normally, one would find the renewal configuration files of certbot in /etc/letsencrypt/renewal with subdirectories there for each certificate “lineage”. Also, I’m not familiair with webmin to say how webmin names the certificate lineages.

1 Like

that folder only contains conf files for the webmin domain and each virtualmin domain. however, in antiochtechnologies.com.conf, /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem is referenced. now /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem turns out to be a symlink to /etc/letsencrypt/archive/antiochtechnologies.com/fullchain3.pem. could i just tell dovecot to use /etc/letsencrypt/live/antiochtechnologies.com/fullchain.pem?

1 Like

If you’re sure that’s the correct certificate (compair /etc/webmin/letsencrypt-cert.pem and /etc/letsencrypt/live/antiochtechnologies.com/cert.pem): yes

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.