alert number 46:

Simon Matthews
I have generated a new certificate for my CentOS 6/postfix server, and
it seems to work with most clients, but when I try to send email using
tls from my Android device, it always fails.

In my postfix log, I see:

warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:

I get the same message when using the same new certificate with
dovecot, so I don't think it is a postfix issue.

To generate the certificate, I used the following commands:

openssl genrsa -out MatthewsCA2017.key 2048
openssl genrsa -des3 -out MatthewsCA2017.key 2048
openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
openssl genrsa -out smtp.matthews-family.org.uk.key 2048
openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256

Any ideas on what might be wrong?

Simon
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: alert number 46:

Jan Just Keijser-2
Hi,

On 12/11/17 05:39, Simon Matthews wrote:

> I have generated a new certificate for my CentOS 6/postfix server, and
> it seems to work with most clients, but when I try to send email using
> tls from my Android device, it always fails.
>
> In my postfix log, I see:
>
> warning: TLS library problem: 13671:error:14094416:SSL
> routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown:s3_pkt.c:1275:SSL alert number 46:
>
> I get the same message when using the same new certificate with
> dovecot, so I don't think it is a postfix issue.
>
> To generate the certificate, I used the following commands:
>
> openssl genrsa -out MatthewsCA2017.key 2048
> openssl genrsa -des3 -out MatthewsCA2017.key 2048
> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
> 3000 -out MatthewsCA2017.pem
> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
> openssl req -new -key smtp.matthews-family.org.uk.key -out
> smtp.matthews-family.org.uk.csr
> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>
> Any ideas on what might be wrong?
>

You seem to have generated your own (new) CA and server certificate; is
this CA (public) cert installed in postfix correctly? More importantly,
is this new CA distributed to all devices?
An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN.

HTH,

JJK


Re: alert number 46:

Simon Matthews
On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <[hidden email]> wrote:

> Hi,
>
> On 12/11/17 05:39, Simon Matthews wrote:
>>
>> I have generated a new certificate for my CentOS 6/postfix server, and
>> it seems to work with most clients, but when I try to send email using
>> tls from my Android device, it always fails.
>>
>> In my postfix log, I see:
>>
>> warning: TLS library problem: 13671:error:14094416:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>
>> I get the same message when using the same new certificate with
>> dovecot, so I don't think it is a postfix issue.
>>
>> To generate the certificate, I used the following commands:
>>
>> openssl genrsa -out MatthewsCA2017.key 2048
>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>> 3000 -out MatthewsCA2017.pem
>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>> smtp.matthews-family.org.uk.csr
>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>
>> Any ideas on what might be wrong?
>>
>
> you seem to have generated your own (new) CA and server certificate; is this
> CA (public) cert installed in postfix correctly. More importantly, is this
> new CA distributed to all devices?
> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN

In my Android device, I am using the option "TLS (Accept all
certificates)" which was working with my prior certificate. I built a
new CA and certificate because Microsoft/Hotmail would not send email
to my server because of the use of MD5 in the certificate chain.

In the postfix main.cf, I have:
smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem

The file exists:
# ls /etc/ssl/MatthewsCA2017.pem
/etc/ssl/MatthewsCA2017.pem

This is a CentOS 6 VM.

Is there anything else I should do to install the certificates? I
notice that the dovecot configuration doesn't explicitly define the CA
certificate location, so perhaps I have missed something?

Simon

Re: alert number 46:

Kyle Hamilton
Use a publicly-trusted certification authority, such as Let's Encrypt.
The problem is from the remote side (it's sending the alert that it
does not recognize your certificate issuer).

-Kyle H

On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
<[hidden email]> wrote:

> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <[hidden email]> wrote:
>> Hi,
>>
>> On 12/11/17 05:39, Simon Matthews wrote:
>>>
>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>> it seems to work with most clients, but when I try to send email using
>>> tls from my Android device, it always fails.
>>>
>>> In my postfix log, I see:
>>>
>>> warning: TLS library problem: 13671:error:14094416:SSL
>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>
>>> I get the same message when using the same new certificate with
>>> dovecot, so I don't think it is a postfix issue.
>>>
>>> To generate the certificate, I used the following commands:
>>>
>>> openssl genrsa -out MatthewsCA2017.key 2048
>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>> 3000 -out MatthewsCA2017.pem
>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>> smtp.matthews-family.org.uk.csr
>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>
>>> Any ideas on what might be wrong?
>>>
>>
>> you seem to have generated your own (new) CA and server certificate; is this
>> CA (public) cert installed in postfix correctly. More importantly, is this
>> new CA distributed to all devices?
>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>
> In my Android device, I am using the option "TLS (Accept all
> certificates)" which was working with my prior certificate. I built a
> new CA and certificate because Microsoft/Hotmail would not send email
> to my server because of the use of MD5 in the certificate chain.
>
> In the postfix main.cf, I have:
> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>
> The file exists:
> # ls /etc/ssl/MatthewsCA2017.pem
> /etc/ssl/MatthewsCA2017.pem
>
> This is CentOS 6 VM.
>
> Is there anything else I should do to install the certificates? I
> notice that the dovecot configuration doesn't explicitly define the CA
> certificate location, so perhaps I have missed something?
>
> Simon

Re: alert number 46:

Simon Matthews
I installed letsencrypt and generated a certificate.

Even with this certificate, I got the same error. The error went away
when I changed the connection to "TLS" from "TLS (Accept All
Certificates)".

I wonder if the root problem was that the mail app on my phone won't
accept newer certificates unless it can validate them fully?

Simon


On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton <[hidden email]> wrote:

> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> <[hidden email]> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <[hidden email]> wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>>
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days
>>>> 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out
>>>> smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA
>>>> MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out
>>>> smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?
>>>>
>>>
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly. More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon

Re: alert number 46:

Viktor Dukhovni


> On Nov 13, 2017, at 12:35 AM, Simon Matthews <[hidden email]> wrote:
>
> I installed letsencrypt  and generated a certificate.
>
> Even with this certificate, I got the same error. The error went away
> when I changed the connection to "TLS" from "TLS (Accept All
> Certificates)".
>
> I wonder if the root problem was that the mail app on my phone won't
> accept newer certificates unless it can validate them fully?

Your phone is not using OpenSSL.  So sadly, this is not the right forum
for this question.  Ask on the appropriate Android, iOS etc. forum.

--
        Viktor.
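
Added example (not part of the thread and not OpenSSL code): a decoder for the error code in the postfix log line from the first post, assuming the OpenSSL 1.0.x packed layout of 8-bit library, 12-bit function and 12-bit reason. In the SSL library a reason of 1000 + N records alert N received from the peer, which is why 14094416 points at the client rejecting the certificate; the function name and alert table are this example's own.

```python
import re

# Packed error layout used by OpenSSL 1.0.x (the s3_pkt.c era seen in the log):
# 8 bits library | 12 bits function | 12 bits reason. Assumed for this example.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reason = 1000 + N means "peer sent alert N"

# Handshake and certificate alert descriptions from RFC 5246, section 7.2.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Log text from the first post, with the mail client's line wraps rejoined.
THREAD_LOG = (
    "warning: TLS library problem: 13671:error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:"
    "SSL alert number 46:"
)


def decode_openssl_error(log_text):
    """Split the hex error code and report which side raised the problem."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", log_text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "origin": "local", "alert": None, "alert_name": None}
    # Reasons at or above the offset are alerts read from the remote end,
    # not failures detected by the local library.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info.update(origin="peer", alert=alert,
                    alert_name=TLS_ALERTS.get(alert, "unknown"))
    return info


if __name__ == "__main__":
    print(decode_openssl_error(THREAD_LOG))
```

OpenSSL 3.x packs error codes differently, so this split applies only to codes logged by the 1.0.x and 1.1.x series.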
