dovecot: SSL alert number 46

Discussion in 'ISPConfig 3 Priority Support' started by jeensg, Sep 4, 2023.

  1. jeensg

    jeensg Member

    Hey, for a while now I get these errors frequently during the day. It's not regularly, so it seems to be some device that's not always on. But I find it about 200 times a day in the log:
    Code:
    Sep  4 22:16:50 $myhostname dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=46.114.202.221, lip=$myIP, TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46, session=<eMPJMI4ERxcucsrd>
    I tried to find any clues but could not come up with something clear, always pointing in the direction of a missing intermediate CA, e.g. https://www.hagenfragen.de/linux-ti...er-46-mit-letsencrypt-unter-ubuntu-20-04.html -> so I dug around some but:
    Code:
    # doveconf | grep ssl_cert
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_cert_username_field = commonName
    # l /etc/postfix/smtpd.cert
    lrwxrwxrwx 1 root root 59  1. Jul 2021  /etc/postfix/smtpd.cert -> /var/www/$mymail.domain.de/ssl/$mymail.domain.de-le.crt
    # l /var/www/$mymail.domain.de/ssl
    -rw-r--r-- 1 root root 5,8K 18. Aug 00:07 $mymail.domain.de-le.crt
    -rw------- 1 root root 3,2K 18. Aug 00:07 $mymail.domain.de-le.key
    So LE is renewed automatically and the intermediates are supposedly put into *.crt, no!?
    If not, might this be the issue!? If so, does anybody have any other clues what this might be!?
    Thanks in advance!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The intermediate certs are in the cert that ISPConfig configures by default for the mail system, but you seem to have manually changed the setup and use a cert of a website instead. What you can try is that you add this line to the dovecot config file:

    ssl_ca = </usr/local/ispconfig/interface/ssl/ispserver.bundle
     
  3. jeensg

    jeensg Member

    Thanks for the reply and the hint.
    Yes, I changed the setup so that ISPConfig and Dovecot/Postfix use a LE certificate that is up to date. (-> I just wanted for other people that browser and mail client connections are accepted without needing to confirm exceptions. Maybe I did something wrong there!?)
    In the corresponding folder there is no such file, maybe I did miss something more?
    Code:
    # l /usr/local/ispconfig/interface/ssl/
    -rwxr----- 1 root root  768 19. Feb 2023  dhparam4096.pem
    -rwxr----- 1 root root   45 19. Feb 2023  empty.dir
    lrwxrwxrwx 1 root root   67 16. Sep 2021  ispserver.crt -> /var/www/$ispconfig.domain.de/ssl/$ispconfig.domain.de-le.crt
    -rwxr----- 1 root root 2,0K  9. Dez 2020  ispserver.crt-201211170944.bak
    -rwxr----- 1 root root 1,7K  9. Dez 2020  ispserver.csr
    lrwxrwxrwx 1 root root   67 16. Sep 2021  ispserver.key -> /var/www/$ispconfig.domain.de/ssl/$ispconfig.domain.de-le.key
    -rwxr----- 1 root root 3,2K  9. Dez 2020  ispserver.key-201211170944.bak
    -rwxr----- 1 root root 3,3K  9. Dez 2020  ispserver.key.secure
    -rwxr----- 1 root root 9,0K 25. Jul 00:04 ispserver.pem
    -> ispserver.pem is always renewed automatically when the LE-cert is renewed (last one 25th of July)
    -> is it maybe the file ispserver.csr ?
     
  4. jeensg

    jeensg Member

    @till is there a way to create that file ispserver.bundle? Actually I don't think that I deleted it or anything, don't know why it isn't there.
    Or maybe some more hints on where to look or what to do?
    (maybe I'm doing something terribly wrong, hope not)
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This is the Let's Encrypt ca-bundle file. But this should be needed only if the CA files are not already in the cert file. So if you have the CA certs in the file /var/www/$ispconfig.domain.de/ssl/$ispconfig.domain.de-le.crt then the bundle file is not needed.
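
Added example, not part of the thread: a shell check for the question raised above, whether the file behind `ssl_cert` already contains the intermediate certificates. The script name and function names are made up for this example; it assumes `openssl` is installed and takes the certificate path as its argument.

```shell
#!/usr/bin/env bash
# Usage (check-chain.sh is a hypothetical name):
#   ./check-chain.sh /etc/postfix/smtpd.cert

# Number of certificates in a PEM file (grep -c exits 1 on zero matches).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# missing   = file not readable
# empty     = no certificate in the file
# leaf-only = one certificate, so no intermediates are sent to clients
# chain     = leaf plus at least one more certificate
classify_cert_file() {
    [ -r "$1" ] || { echo missing; return 0; }
    case "$(count_pem_certs "$1")" in
        0) echo empty ;;
        1) echo leaf-only ;;
        *) echo chain ;;
    esac
}

# Print subject and issuer of every certificate, in file order.
print_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout
}

# Succeeds when each certificate is issued by the one that follows it,
# which is the order a TLS server is expected to send.
chain_is_ordered() {
    print_chain "$1" | awk '
        /^subject=/ { sub(/^subject=/, ""); if (n > 0 && $0 != prev_issuer) bad = 1; n++ }
        /^issuer=/  { sub(/^issuer=/, "");  prev_issuer = $0 }
        END { exit bad + 0 }'
}

if [ "$#" -gt 0 ]; then
    state=$(classify_cert_file "$1")
    echo "$1: $state"
    if [ "$state" = chain ]; then
        print_chain "$1"
        if chain_is_ordered "$1"; then
            echo "order: ok (leaf first, each certificate issued by the next)"
        else
            echo "order: wrong (a certificate is not issued by the one after it)"
        fi
    fi
fi
```

A result of `leaf-only` means the file holds no intermediates, which is the case where the separate bundle file would be needed.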
     
