On 2023-12-29 16:47, Andrei Borzenkov wrote:
> On 29.12.2023 15:30, Carlos E. R. wrote:
>> I would learn how to do it, if someone points me to a "how to create CA and certificates for dovecot that makes Thunderbird happy, for dummies".
>> The dummies part is important.
>
> Sorry, I do not know of such a document. Certificate management is complex, and making a guide which is correct, reasonably complete and suitable for complete dummies is probably quite a challenging task by itself.

Togan posted a nice link, but at some point I got lost. For instance:

"The certificate is then sent to the issuer, and if he approves the request a certificate should be sent back."

Issuer? Who is the issuer? It is only me. I can not send anything to anyone. You will probably laugh, but a document that tries to be easy does not end up being easy. (The word "Issuer" is not defined prior to its first occurrence). So, forget it.

> Anyway, I tried and could not reproduce your problem. I set up dovecot ("zypper in dovecot", generated self-signed certificate using the same command I showed, that's all) on Leap 15.4. I configured TB 115.5.0 to use it with IMAP in TLS mode. TB asked me if I wanted to trust this certificate and entered an exception in cert_override.txt. I then replaced the key/certificate pair on dovecot with a new one and restarted dovecot. When updating folders TB popped up the same question and updated cert_override.txt. So as far as I can tell it works as expected.

Ok, thanks for testing. But my TB never asks. Tried with two TB on two computers.
> If you can describe conditions which lead to your issue, I may try to dig further. But so far I do not have anything to begin with.

An update led to the issue. It was working, and one day it was not. Not my doing.
> The format of the cert_override.txt is pretty trivial and can be generated manually if necessary.

Huh, not that trivial. I searched, and posted several links I found about it. There is a program somewhere to generate the lines.

I just had an idea. Create a new Thunderbird profile with a single local account on my dovecot.

YES! The wizard asks me to instantly add an exception (for telcontar.valinor:143). If I ask to "get certificate", it stalls and everything greys out. I have to cancel and try again, and this time say "confirm exception".

I can see the "cert_override.txt". I will copy paste the line to the main profile, while it is stopped, then start it. I have to save this post and retake later.

[...]

Doesn't work. The file "cert_override.txt" has the line for "telcontar.valinor", but Settings/Manage Certificates doesn't, and I still can not open mails in my local dovecot.

YAGGGH!

I think that what is missing is that the certificate has to be imported into "cert9.db" file. (Can't import the certificate, it can only do from some https:// address)

--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
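
On the "who is the issuer?" question raised in the thread: with a private CA the issuer is a second key pair on the same machine, and "sending the request to the issuer" is one local signing command. The following is an added example, not part of the original messages; the host name is the one from the thread, while the CA name, file names and validity periods are assumptions.

```shell
#!/bin/sh
# Added example: a private CA ("issuer") and a server certificate it signs.
# Host name is from the thread; CA name and file names are assumptions.
make_mail_certs() {
    host="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. The issuer: CA key plus self-signed CA certificate. This is you.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Home Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. The server: its own key plus a certificate request (CSR).
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. "Sending the request to the issuer" = signing the CSR with the CA key.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 825 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Succeeds only if server.crt chains to ca.crt and names the host in its SAN.
check_mail_certs() {
    host="$1"; dir="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}
```

Only `ca.crt` is meant to be imported into the mail client as an authority; `server.crt` and `server.key` are the pair the IMAP server is configured with, and `ca.key` stays private.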