[openssl-users] alert number 46:

Kyle Hamilton aerowolf at gmail.com
Sun Nov 12 22:28:41 UTC 2017


Use a publicly-trusted certification authority, such as Let's Encrypt.
The problem is from the remote side (it's sending the alert that it
does not recognize your certificate issuer).

-Kyle H

On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
<simon.d.matthews at gmail.com> wrote:
> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
>> Hi,
>>
>> On 12/11/17 05:39, Simon Matthews wrote:
>>>
>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>> it seems to work with most clients, but when I try to send email using
>>> TLS from my Android device, it always fails.
>>>
>>> In my postfix log, I see:
>>>
>>> warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
>>>
>>> I get the same message when using the same new certificate with
>>> dovecot, so I don't think it is a postfix issue.
>>>
>>> To generate the certificate, I used the following commands:
>>>
>>> openssl genrsa -out MatthewsCA2017.key 2048
>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>> openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>
>>> Any ideas on what might be wrong?
>>>
>>
>> You seem to have generated your own (new) CA and server certificate; is this
>> CA (public) cert installed in postfix correctly? More importantly, is this
>> new CA distributed to all devices?
>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN.
>
> In my Android device, I am using the option "TLS (Accept all
> certificates)" which was working with my prior certificate. I built a
> new CA and certificate because Microsoft/Hotmail would not send email
> to my server because of the use of MD5 in the certificate chain.
>
> In the postfix main.cf, I have:
> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>
> The file exists:
> # ls /etc/ssl/MatthewsCA2017.pem
> /etc/ssl/MatthewsCA2017.pem
>
> This is a CentOS 6 VM.
>
> Is there anything else I should do to install the certificates? I
> notice that the dovecot configuration doesn't explicitly define the CA
> certificate location, so perhaps I have missed something?
>
> Simon
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
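
An added example, not part of the original thread: decoding the OpenSSL error-queue entry from the postfix log quoted above to see which alert was raised and whether the peer sent it. It assumes the OpenSSL 1.0.x/1.1.x packed error layout (8-bit library, 12-bit function, 12-bit reason); `decode_openssl_error` is a hypothetical helper, and the second and third sample lines are constructed.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2); certificate-related subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: alert-derived reason = 1000 + alert number
ERR_LIB_SSL = 20             # library number of the "SSL routines"

# Layout: pid:error:HEXCODE:library:FUNCTION:reason text:file:line:
ERR_RE = re.compile(
    r"(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

SAMPLE_LINES = [
    # Log line from the thread, joined back onto one line.
    "warning: TLS library problem: 13671:error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:"
    "SSL alert number 46:",
    # Constructed: a local protocol error, not an alert from the peer.
    "warning: TLS library problem: 13672:error:1408F10B:SSL routines:"
    "SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:",
    # Constructed: an unrelated log line with no error-queue entry.
    "connect from unknown[192.0.2.10]",
]

def decode_openssl_error(log_line):
    """Unpack the error code in a log line; return None if there is none."""
    m = ERR_RE.search(log_line)
    if m is None:
        return None
    code = int(m.group("code"), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET
    # In OpenSSL 1.0.x, alerts received from the peer are queued by
    # ssl3_read_bytes(), so this function name marks a remote rejection.
    from_peer = alert is not None and m.group("func") == "SSL3_READ_BYTES"
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert), "from_peer": from_peer}

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(decode_openssl_error(sample))
```

For the logged code `14094416`, the reason field is 1046, which is alert 46 read from the peer: the client rejected the server's certificate, rather than the server failing locally.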
