[openssl-users] alert number 46:

Simon Matthews simon.d.matthews at gmail.com
Mon Nov 13 05:35:35 UTC 2017

I installed letsencrypt and generated a certificate.

Even with this certificate, I got the same error. The error went away
when I changed the connection to "TLS" from "TLS (Accept All

I wonder if the root problem was that the mail app on my phone won't
accept newer certificates unless it can validate them fully?


On Sun, Nov 12, 2017 at 2:28 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
> Use a publicly-trusted certification authority, such as Let's Encrypt.
> The problem is from the remote side (it's sending the alert that it
> does not recognize your certificate issuer).
> -Kyle H
> On Sun, Nov 12, 2017 at 7:47 AM, Simon Matthews
> <simon.d.matthews at gmail.com> wrote:
>> On Sun, Nov 12, 2017 at 4:55 AM, Jan Just Keijser <janjust at nikhef.nl> wrote:
>>> Hi,
>>> On 12/11/17 05:39, Simon Matthews wrote:
>>>> I have generated a new certificate for my CentOS 6/postfix server, and
>>>> it seems to work with most clients, but when I try to send email using
>>>> tls from my Android device, it always fails.
>>>> In my postfix log, I see:
>>>> warning: TLS library problem: 13671:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
>>>> I get the same message when using the same new certificate with
>>>> dovecot, so I don't think it is a postfix issue.
>>>> To generate the certificate, I used the following commands:
>>>> openssl genrsa -out MatthewsCA2017.key 2048
>>>> openssl genrsa -des3 -out MatthewsCA2017.key 2048
>>>> openssl req -x509 -new -nodes -key MatthewsCA2017.key -sha256 -days 3000 -out MatthewsCA2017.pem
>>>> openssl genrsa -out smtp.matthews-family.org.uk.key 2048
>>>> openssl req -new -key smtp.matthews-family.org.uk.key -out smtp.matthews-family.org.uk.csr
>>>> openssl x509 -req -in smtp.matthews-family.org.uk.csr -CA MatthewsCA2017.pem -CAkey MatthewsCA2017.key -CAcreateserial -out smtp.matthews-family.org.uk.crt -days 3000 -sha256
>>>> Any ideas on what might be wrong?
>>> you seem to have generated your own (new) CA and server certificate; is this
>>> CA (public) cert installed in postfix correctly? More importantly, is this
>>> new CA distributed to all devices?
>>> An alert 46 usually hints at SSL3_AD_CERTIFICATE_UNKNOWN
>> In my Android device, I am using the option "TLS (Accept all
>> certificates)" which was working with my prior certificate. I built a
>> new CA and certificate because Microsoft/Hotmail would not send email
>> to my server because of the use of MD5 in the certificate chain.
>> In the postfix main.cf, I have:
>> smtpd_tls_CAfile =  /etc/ssl/MatthewsCA2017.pem
>> The file exists:
>> # ls /etc/ssl/MatthewsCA2017.pem
>> /etc/ssl/MatthewsCA2017.pem
>> This is a CentOS 6 VM.
>> Is there anything else I should do to install the certificates? I
>> notice that the dovecot configuration doesn't explicitly define the CA
>> certificate location, so perhaps I have missed something?
>> Simon
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
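Added example, not part of the original thread: a small Python decoder for the OpenSSL error line quoted above, showing how `14094416` and "SSL alert number 46" encode the same fact and that the alert was received from the client rather than raised by the server. It assumes the OpenSSL 1.0.x-era error-code packing (consistent with the `s3_pkt.c` file name in the log); the `decode` function, the alert table subset and the second sample line are constructed for illustration.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2); a subset relevant to handshake failures.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when a peer alert is reported

# OpenSSL 1.0.x error-queue line: id:error:XXXXXXXX:lib:func:reason:file:line:data
ERR_RE = re.compile(r"(\d+):error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):([^:]+):([^:]+):(\d+):")

def decode(line):
    """Return a dict describing the OpenSSL error in a log line, or None if absent."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(2), 16)
    # Assumed 1.0.x packing: 8-bit library, 12-bit function, 12-bit reason.
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason, "func_name": m.group(4),
           "source": f"{m.group(6)}:{m.group(7)}", "alert": None,
           "alert_name": None, "sent_by": None}
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        out["alert"] = reason - SSL_AD_REASON_OFFSET
        out["alert_name"] = TLS_ALERTS.get(out["alert"], "unlisted")
        # An alert surfaced by the record-reading function was received from the peer.
        out["sent_by"] = "peer" if "READ_BYTES" in out["func_name"].upper() else "unknown"
    return out

# The log line from the post (joined onto one line) plus a constructed non-TLS line.
SAMPLE = [
    "warning: TLS library problem: 13671:error:14094416:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:",
    "connect from unknown[192.0.2.10]",  # constructed
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(decode(entry))
```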