Dovecot and Thunderbird, bad certificate ssl alert number 42 errors

Abram Hindle


Do you struggle to keep a dovecot IMAP server afloat in this and age?

Do you like using Thunderbird?

Did you just change IP addresses, update a certificate, or upgrade the OS that your dovecot imap server ran on?

Do you see errors in your syslog or dovecot log like this?

Sep  1 04:22:46 fragile5 dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<BflAg0QEpOIKCgwO>

Too long didn’t read?

Long story, not short

What this error means is that during the SSL handshake there was an error. I assume it is client side. And I assume it is thunderbird’s fault.

The phrase “bad certificate” should give you a hint at what is going on. It doesn’t mean your certificate is bad. It means that your certificate is bad for the given configuration. Your certificate could still be bad. Bad configs include things like connecting to a host where the CN and the hostname doesn’t match, or the certificate is expired.

Thunderbird used to be very leniant about certs and self-signed certs, and exceptions could be trivially added. That doesn’t seem to be the case with newer versions, with versions 102 and 115 it seems pretty hard to get those exceptions to work even if you use a valid certificate authority (CA). When I used a valid certificate authority it wouldn’t add exceptions because my certificate was “perfectly valid” and thus did not need an exception. Thanks, I wanted an exception because you wouldn’t let this handshake properly.

I struggled a lot with this problem after an upgrade and what I found worked well for me was to ensure that the certificate authority (CA) for the certificate was added to Thunderbird and that the hostname I was using for the IMAP server matched one of the hostnames in the server’s certificate. So if you read closely you’ll see I needed not 1 but 2 certificates: CA cert and IMAP server cert. I had to tell Thunderbird to trust the CA, and I needed the dovecot IMAP server to have a certificate that would use the same hostname that Thunderbird would use.

My imap server is fragile5, so either the common name of the cert had to be fragile5 or one of the Subject Alternative Names had to be fragile5. To complicate things fragile5 was already in my DNS search path, so I had shortcut it by defining the host in /etc/hosts and have it point to the exact IP I wanted to use for the imap server. I recommend just using DNS normally like a sane sysadmin.

	openssl genrsa -out fragile5CA.key 4096
	openssl req -x509 -new -nodes -key fragile5CA.key \
		-subj "/C=CA/ST=AB/L=EDMONTON/O=dovecotnow/CN=fragile5" \
		-sha256 -days 3650 -out fragile5CA.pem
	openssl req -new -x509 -days 3650 -key fragile5CA.key \
		-subj "/C=CA/ST=AB/L=EDMONTON/O=dovecotnow/CN=fragile5" \
		-out fragile5CA.crt
# v3.ext
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

DNS.1 = fragile5
DNS.2 = fragile.domain.dns
DNS.3 = fragile6
	# Make the key
	$(openssl) genrsa -out fragile5.key 4096
	# Make the certificate request
	openssl req -new -key fragile5.key -out fragile5.csr -subj \
	# Make a certificate
	openssl x509 -req -in fragile5.csr -CA fragile5CA.pem -CAkey \
		fragile5CA.key -CAcreateserial -out fragile5.crt \
		-days 3650 -sha256 -extfile v3.ext
	# Make a certificate
	openssl x509 -req -in fragile5.csr -CA fragile5CA.pem -CAkey \
		fragile5CA.key -CAcreateserial -out fragile5.pem \
		-days 3650 -sha256 -extfile v3.ext

Extra help

	openssl x509 -text -in fragile5CA.crt
	openssl x509 -text -in fragile5.crt

If you find the certificate generation really annoying I have a project called httpsnow that will generate keys for localhost and then you just need to change references to localhost to your CN:

Why did I make this post? So I’d remember how to deal with it for next time.

To avoid hassling your clients with extra setup, use a CA already in the thunderbird CA store and make sure your IMAP server’s CN has an actual and real DNS resolvable name (and make sure that CN is the server name you told your clients to use). Then you won’t have to do anything specific for Thunderbird clients.