[openssl-users] alert number 46:

Simon Matthews simon.d.matthews at gmail.com
Mon Nov 13 05:35:35 UTC 2017


I installed letsencrypt and generated a certificate.

Even with this certificate, I got the same error. The error went away
when I changed the connection to "TLS" from "TLS (Accept All
Certificates)".

I wonder if the root problem was that the mail app on my phone won't
accept newer certificates unless it can validate them fully?

Simon


On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
>
> -Kyle H
>
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> <simon.d.matthews at gmail.com> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
>>> Hi,
>>>
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>>
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>>
>>>> In my postfix log, I see:
>>>>
>>>> warning: TLS library problem: 13671:error:14094416:SSL
>>>> routines:SSL3_READ_BYTES:sslv3 alert certificate
>>>> unknown:s3_pkt.c:1275:SSL alert number 46:
>>>>
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>>
>>>> To generate the certificate, I used the following commands:
>>>>
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 \
>>>>     -days 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key \
>>>>     -out smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr \
>>>>     -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial \
>>>>     -out smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>>
>>>> Any ideas on what might be wrong?
>>>>
>>>
>>> You seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly? More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN.
>>
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>>
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>>
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>>
>> This is a CentOS 6 VM.
>>
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>>
>> Simon
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

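Added example (not part of the original thread, and not OpenSSL or Postfix code): a small decoder for the packed error code in the Postfix log line quoted above, showing that 14094416 records a TLS alert received from the peer and which alert it is. It assumes the 8-hex-digit error layout of OpenSSL 1.0.x; the function names decode_openssl_error and peer_alert are made up for this example.

```python
import re

# TLS alert descriptions for certificate problems (RFC 5246, section 7.2).
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
ERR_LIB_SSL = 20             # library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a received alert N as reason 1000 + N

# Matches "error:14094416:" as printed from an OpenSSL 1.0.x error queue.
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert(log_text):
    """Return (alert_number, name) if the text records an alert sent by the peer."""
    m = ERR_RE.search(log_text)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m.group(1))
    alert = reason - SSL_AD_REASON_OFFSET
    if lib != ERR_LIB_SSL or not 0 < alert <= 255:
        return None  # local failure, not an alert received from the other side
    return alert, CERT_ALERTS.get(alert, "other")


# The log line from the thread, unwrapped onto one line.
SAMPLE = ("warning: TLS library problem: 13671:error:14094416:SSL "
          "routines:SSL3_READ_BYTES:sslv3 alert certificate "
          "unknown:s3_pkt.c:1275:SSL alert number 46:")

if __name__ == "__main__":
    print(decode_openssl_error("14094416"))  # lib, func, reason
    print(peer_alert(SAMPLE))
```

An unknown issuer has its own alert, unknown_ca (48); certificate_unknown (46) is the catch-all a client sends when it rejects the certificate for some unspecified reason.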