Roundcube Community Forum

 

Stacked error: error:14094418:SSL ... alert number 48

Started by ajhlinuxuser, February 04, 2019, 12:15:58 AM


ajhlinuxuser

Hi there,

I've been reading and I think I know what the problem is. I just want to confirm it with the community since there aren't a lot of search results for this error.

On the system running Roundcube, when I try to connect to an IMAP server via SSL, I get the message "Connection to Storage Server Failed" and in /var/log/roundcube/errors, I see:
IMAP Error: Login failed for <user> from 1.2.3.4. Could not connect to ssl://<remote_imap_server>:993: Unknown reason in /usr/share/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /?_task=login?_task=login&_action=login)

On the remote end, I see in /var/log/mail.err:
Feb  3 21:53:24 <remote_imap_server> dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

Here on the forum, I searched for "stacked error" and only got one result:
https://www.roundcubeforum.net/index.php/topic,23669.msg64175.html#msg64175
   - it suggests setting the following (and commenting out extended settings) for:
$config['imap_conn_options'] = null;
$config['smtp_conn_options'] = null;


I found these to already be set in the defaults.inc.php file, but copied them over to config.inc.php to be sure.  This does not solve the issue.

From the reading I have done, it looks like the issue is a self-signed certificate on the IMAP server.  With Thunderbird on my PC, I am able to override that, but it looks like I will need to learn how to force Roundcube to override this, or if not possible, I will need to create my own Certificate Authority and sign the cert on my email server.  But if that isn't the problem, I will go nuts because I won't be able to tell if I signed the certs correctly (I am not familiar with the certificate creation tools).  Please let me know if that is indeed what I need to do to fix this error.  Thanks.


Roundcube version info:
$ apt-cache policy roundcube
roundcube:
  Installed: 1.2~beta+dfsg.1-0ubuntu1
  Candidate: 1.2~beta+dfsg.1-0ubuntu1
  Version table:
*** 1.2~beta+dfsg.1-0ubuntu1 500
        500 http://mirrors.linode.com/ubuntu xenial/universe amd64 Packages
        500 http://mirrors.linode.com/ubuntu xenial/universe i386 Packages
        100 /var/lib/dpkg/status

JohnDoh

Because you are using a self-signed cert you need to set imap/smtp_conn_options to either disable peer verification or provide the CA file so the cert can be verified.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...

ajhlinuxuser

Hi,

Thank you for confirming this. I am relieved that I know the issue. For reference to anyone else struggling with this error, I copied the code from defaults.inc.php and saved it in config.inc.php as such:

$config['imap_conn_options'] = array(
        'ssl' => array(
                'verify_peer' => false,
//              'verify_depth' => 3,
//              'cafile'       => '/etc/openssl/certs/ca.crt',
                ),
);


It turns out that the 'null' setting actually uses defaults that set verify_peer to true.

Roundcube is now working, and once I get a certificate authority file ready I can re-enable peer verification to be more secure.

SOLVED. (I don't know the convention for marking threads as solved here; it looks like a moderator just moves them to another subforum.)
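
An added example, not part of the original thread: one way to create a private CA, sign the IMAP server's certificate with it, and confirm the signing worked with `openssl verify` before turning 'verify_peer' back on. The hostname, CA name and file names are placeholders.

```shell
#!/bin/sh
# Added example. Hostname, CA name and file names are placeholders.
IMAP_HOST="imap.example.test"   # must equal the host Roundcube connects to

make_certs() {
    dir="$1"
    # Minimal OpenSSL config so the CA certificate is marked as a CA.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. CA key + self-signed CA certificate (ca.crt is what 'cafile' points to).
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key + signing request for the IMAP host.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$IMAP_HOST" -newkey rsa:2048 \
        -nodes -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Sign the request with the CA; the SAN carries the hostname clients check.
    printf 'subjectAltName=DNS:%s\n' "$IMAP_HOST" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. For comparison: a certificate signed only by its own key.
    openssl req -x509 -config "$dir/ca.cnf" -subj "/CN=$IMAP_HOST" -newkey rsa:2048 \
        -nodes -days 365 -keyout "$dir/self.key" -out "$dir/selfsigned.crt" 2>/dev/null
}

# Exit status 0 only if certificate $2 chains to the CA file $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d) && make_certs "$d" || exit 1
for c in server selfsigned; do
    if chains_to_ca "$d/ca.crt" "$d/$c.crt"; then echo "$c.crt: verifies against ca.crt"
    else echo "$c.crt: does not chain to ca.crt (the 'unknown ca' case)"; fi
done
echo "files are in $d"
```

Once the server presents server.crt, 'cafile' in imap_conn_options can point at a copy of ca.crt and 'verify_peer' can be set back to true; ca.key stays off the mail and webmail hosts.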