Dovecot SSL Handshake returns "unknown ca"


I have a problem connecting the mail app to my mail environment (dovecot).

System A (Nextcloud Server)
fresh installed Nextcloud 24.0.2

System B (Mail Server)
PHP 5.6.40-0+deb8u12
Postfix 2.11.3-1+deb8u2
Dovecot 2.2.13-12~deb8u7
Apache 2.4.10-10+deb8u16
Horde Groupware

Both systems work perfect.
IMAPS connections to dovecot with thunderbird, android and the horde webgui work as well.

Now I have updated the certificate store on the nextcloud server with the certificates of the root ca and intermediate ca I am working with.

Testing using OPENSSL from Nextcloud Server to the mail server returns “ok”:

openssl s_client -connect|openssl verify

depth=2 C = US, ST = ID, L = phoenix, O = minion, OU = privat, CN =, emailAddress =
verify return:1
depth=1 C = US, ST = TX, O = dallas, OU = privat, CN =, emailAddress =
verify return:1
depth=0 C = US, ST = NY, O = island, OU = privat, CN =, emailAddress =
verify return:1
stdin: OK

Nevertheless when trying to open the mail folder in Nextcloud, I get this error on the mail server:

Jul 23 00:33:50 mail dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=, lip=, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, session=<geCgbWzkCgAKCgrx>

I did check the apache configuration on the nextcloud server and coded the certificate store to SSL:

SSLCACertificatePath /etc/ssl/certs/
SSLCACertificateFile /etc/ssl/certs/ca-certificates.crt

but the error does not disapear.
anybody out there, who knows, which setting I need to tune?

Good morning,

looks like I found the solution.
I was pointing to the apache, but indeed it is php that tries to connect.
Even so it is written, php uses the system openssl settings, it does not seem to do so.
I have updated those values in php.ini:

curl.cainfo = /etc/ssl/certs/ca-certificates.crt

after restarting apache the mailbox now loads.

thanks for your attention :wink: