1

Topic: bad certificate: SSL alert number 42

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.1
- Deployed with iRedMail Easy or the downloadable installer? installer
- Linux/BSD distribution name and version: Ubuntu 24.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I encountered a problem with an IMAPS connection from Thunderbird to Dovecot; here is the log:

TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<ZfU6fCco/Z68j4zk>

Found an old topic:
https://forum.iredmail.org/topic17290-t … nnect.html
intcorp said that this is a Windows workstation issue.
I can say that my win32 Thunderbird client cannot connect to iRedMail via imaps (ssl or starttls)
Self-signed certs were deployed when iRedMail was installed by installer, did not make LetsEncrypt certs yet.
But android client (K9Mail) did connect to server (imaps 993/smtps 465), with same settings.

I conclude that the self-signed certs generated during iRedMail installation do not work with Thunderbird.

Please note something about the issue.
Thank you.


2

Re: bad certificate: SSL alert number 42

Self-signed certs are never trusted, since they don't have a CA

{42}    bad_certificate
a certificate was corrupt, contained signatures that did not verify

It depends on the client whether non-trusted certs get accepted

In your case, you have 2 options:

1.) get a trusted cert

2.) In Thunderbird:

Tools > Options > Advanced > Certificates
View Certificates -> Servers
Add Exception -> Enter Mail Server -> Get Certificate

The 2nd is not a good solution since everyone would need to do this, and not everyone uses Thunderbird. I highly recommend going with solution 1.
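
The log line from the first post can be decoded to see which side raised the alert. This is an added example, not part of the thread and not iRedMail or Dovecot code: it unpacks the OpenSSL 3.x error code, where SSL-library reasons above 1000 are alerts received from the peer, so alert 42 in an SSL_accept() failure means the client rejected the server's certificate. The second and third log lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import Counter

# OpenSSL 3.x error code layout: library in bits 23-30, reason in the low 23 bits.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are TLS alerts sent by the peer

# Certificate-related TLS alert descriptions (RFC 5246 / RFC 8446).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(r"SSL_accept\(\) failed: error:([0-9A-Fa-f]{8}):")

def decode(line):
    """Decode one Dovecot TLS failure line; return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 23) & 0xFF
    reason = code & 0x7FFFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "reason": reason, "peer_alert": alert,
            "name": CERT_ALERTS.get(alert),
            # True when the client told us it does not accept our certificate
            "client_rejected_cert": alert in CERT_ALERTS}

def summarize(lines):
    """Count certificate rejections by alert name across a log excerpt."""
    decoded = (decode(l) for l in lines)
    return Counter(d["name"] for d in decoded if d and d["client_rejected_cert"])

SAMPLE_LOG = [
    # From the first post:
    "TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 "
    "alert bad certificate: SSL alert number 42, session=<ZfU6fCco/Z68j4zk>",
    # Constructed samples:
    "TLS handshaking: SSL_accept() failed: error:0A000418:SSL routines::tlsv1 "
    "alert unknown ca: SSL alert number 48, session=<constructed1>",
    "TLS handshaking: SSL_accept() failed: error:0A000102:SSL routines::"
    "unsupported protocol, session=<constructed2>",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(decode(entry))
    print(summarize(SAMPLE_LOG))
```

A line with no peer alert, such as the third sample, is a local handshake failure and is not counted as a certificate trust problem.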

3

Re: bad certificate: SSL alert number 42

Thank you, Cthulhu
1st option did the trick.

Cthulhu wrote:

Self-signed certs are never trusted, since they don't have a CA

{42}    bad_certificate
a certificate was corrupt, contained signatures that did not verify

It depends on the client whether non-trusted certs get accepted

In your case, you have 2 options:

1.) get a trusted cert

2.) In Thunderbird:

Tools > Options > Advanced > Certificates
View Certificates -> Servers
Add Exception -> Enter Mail Server -> Get Certificate

The 2nd is not a good solution since everyone would need to do this, and not everyone uses Thunderbird. I highly recommend going with solution 1.