HowtoForge Forums > ISPConfig 2 > Installation/Configuration

#1 | 14th January 2008, 16:46 | ghall (Member)
Another Certificate Expired Thread Fedora 6 LAMP

Hi Falko or Till

I installed ISPConfig using the Fedora 6 LAMP instructions.

I've had ISPConfig running for a year and it shows because I am just now getting a certificate expired nag from Thunderbird. It says:

mail.server.org is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on 1.11.2008 3:22 PM.

I regenerated the certs via Falko's instructions and rebooted the ISPConfig box but I get the same error in Thunderbird.

When I view the certificate that expired it does not have the same data that I entered when I regenerated the keys. I've looked all over the system for this rogue certificate and am mystified where it could be located. I updated ISPConfig to the latest version this morning hoping that it would give me the cert generation options as if it was a new install but it updated and didn't give me that.

Does anyone have a clue where these expired certificates could be and why I can't use the key generator in ISPConfig SSL area?

I would be very grateful for any assistance and a quick response.

#2 | 15th January 2008, 08:25 | till (Super Moderator)

Quote:
why I can't use the key generator in ISPConfig SSL area?
The SSL generator in ISPConfig is for websites (apache) only and not for the pop3 or smtp daemon.

Quote:
I regenerated the certs via Falko's instructions and rebooted the ISPConfig box but I get the same error in Thunderbird.
Do you get the error when you send mail or when you receive mail?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3 | 15th January 2008, 12:04 | ghall (Member)

Quote:
Originally Posted by till
The SSL generator in ISPConfig is for websites (apache) only and not for the pop3 or smtp daemon.
I figured that one out when I created a new one.

Quote:
Originally Posted by till
Do you get the error when you send mail or when you receive mail?
I get the warning nag of a certificate expired when I log in to get mail. It kept one client from being able to check mail, and I also got a few "mail cannot be delivered" 554 errors when I sent test messages to a friend with AOL and Yahoo. I used SSL on my security setting, and it works fine if I use TLS, if available. I'd like to preserve the SSL security.

There is a certificate that is being used and I think it was generated when I first installed ISPConfig. Where is that one being kept and how do we generate a new certificate for that one?

#4 | 15th January 2008, 18:28 | falko (Super Moderator)

What POP3 daemon do you use? Is it Dovecot?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#5 | 15th January 2008, 18:31 | ghall (Member)

Quote:
Originally Posted by falko
What POP3 daemon do you use? Is it Dovecot?
Yes. I installed as per the Fedora Core 6 LAMP HOWTO with no deviations.

#6 | 15th January 2008, 19:51 | ghall (Member)

Here are a few errors from logwatch:

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Tue Jan 15 04:04:57 2008
Date Range Processed: yesterday
( 2008-Jan-14 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: mail.server.org
##################################################################

--------------------- postfix Begin ------------------------

Unrecognized warning:

TLS library problem: 10873:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 11779:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 12022:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 18987:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 19946:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 19947:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 19951:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 24906:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 24907:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 2500:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 26531:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 2746:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 30205:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 4742:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)


**Unmatched Entries**

SSL_connect error to exchcentral.sces.org: -1
0E1496500F2: Cannot start TLS: handshake failure
Host offered STARTTLS: [exchcentral.sces.org]

---------------------- postfix End -------------------------
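As an added example, not part of this thread or of logwatch itself, the following POSIX shell/awk snippet totals the "N Time(s)" counts in logwatch's postfix "TLS library problem" lines per TLS alert number, so an admin can see at a glance which peer-side rejection dominates (alert 48, unknown_ca, is the peer saying it could not validate the certificate chain it was shown). The input is constructed in the same format as the lines above; the "certificate expired" line is invented to show a second alert type, and the "Unmatched Entries" lines are included to show that they are ignored.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise OpenSSL TLS alert lines
# as logwatch prints them for postfix, totalling the "N Time(s)" counts per
# alert number. The sample below is constructed in that format; the
# "certificate expired" line is invented to show a second alert type.

SAMPLE_LOGWATCH='TLS library problem: 10873:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 19947:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 30205:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 31000:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:s3_pkt.c:1057:SSL alert number 45: : 3 Time(s)
SSL_connect error to exchcentral.sces.org: -1
0E1496500F2: Cannot start TLS: handshake failure'

# Read logwatch lines on stdin; print one line per alert number as
# "<alert number>|<OpenSSL description>|<total occurrences>", sorted by number.
# Lines without "SSL alert number" (the Unmatched Entries) are ignored.
summarize_tls_alerts() {
    awk '
    /SSL alert number/ {
        n = split($0, f, ":")
        desc = ""; num = ""
        for (i = 1; i <= n; i++) {
            # e.g. "tlsv1 alert unknown ca" -> "unknown ca"
            if (f[i] ~ /^[a-z0-9]+ alert /) { desc = f[i]; sub(/^[a-z0-9]+ alert /, "", desc) }
            # e.g. "SSL alert number 48" -> 48
            if (f[i] ~ /^SSL alert number /) { split(f[i], a, " "); num = a[4] }
        }
        # the last field is " 1 Time(s)"; take the count
        split(f[n], t, " ")
        if (num != "") { total[num] += t[1]; label[num] = desc }
    }
    END { for (k in total) printf "%s|%s|%d\n", k, label[k], total[k] }
    ' | sort -n
}

# Run the parser over the constructed sample (used by the stand-alone run).
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOGWATCH" | summarize_tls_alerts
}

summarize_sample
```

For a real report, pipe the logwatch mail (or `grep 'TLS library problem' /var/log/maillog`) into `summarize_tls_alerts`; a rising total for one alert number after a certificate change is the signal worth acting on.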

#7 | 16th January 2008, 11:01 | falko (Super Moderator)

This link might help in creating new certs for Dovecot: https://help.ubuntu.com/7.10/server/...ot-server.html

#8 | 16th January 2008, 15:30 | ghall (Member)

Quote:
Originally Posted by falko
This link might help in creating new certs for Dovecot: https://help.ubuntu.com/7.10/server/...ot-server.html
Thanks. That helps a little. Now I need to know where to put the .cert files.

I need to understand what is going on during the initial ./setup script in STEPS 0-2 when it is generating the custom certificate signed by own CA. Where are those certs and keys being put? Is that creating certs for dovecot? (read: I need explicit commands to copy these files to where they should go)

This is the only generating script that did not let me change the expiration of the cert from 365 to 3650.

Did the ./install script change since v2.2.8?

#9 | 17th January 2008, 16:43 | falko (Super Moderator)

Quote:
Originally Posted by ghall
Thanks. That helps a little. Now I need to know where to put the .cert files.
You can put them wherever you want, as long as you specify the correct paths in your dovecot.conf file.

Quote:
Originally Posted by ghall
Did the ./install script change since v2.2.8?
A little bit - it doesn't generate a new cert when you update ISPConfig, but continues to use the old one instead.

#10 | 17th January 2008, 19:01 | ghall (Member)

Quote:
Originally Posted by falko
You can put them wherever you want, as long as you specify the correct paths in your dovecot.conf file.
The /etc/dovecot.conf file is mostly remarked out, but it showed me where it looks for its certs:

#ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
#ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

Quote:
Originally Posted by falko
A little bit - it doesn't generate a new cert when you update ISPConfig, but continues to use the old one instead.
Good to know and I'm glad it didn't.

Now that I found which program and where the keys are, I followed these instructions:

Generating a Certificate Signing Request (CSR)


To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

Code:
openssl genrsa -out server.key 1024
I took the -des3 out because I did not want to enter the passphrase every time I started the web server. The server key is generated and stored in server.key file.

To create the CSR, run the following command at a terminal prompt:

Code:
openssl req -new -key server.key -out server.csr
It will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create a self-signed certificate using this CSR.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

Code:
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Your certificate will be created and it will be stored in the server.crt file.

Installing the Certificate

I copied the server.crt to /etc/pki/dovecot/certs/ and renamed it dovecot.pem, and I copied the server.key to /etc/pki/dovecot/private/ and renamed it dovecot.pem.

I restarted dovecot and postfix, and it seems to have fixed the problem.

Thanks Till and Falko.

Last edited by ghall; 17th January 2008 at 19:07.
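The procedure in the post above, gathered into one script as an added example (it is not from the thread, from the Ubuntu page, or from ISPConfig): the three openssl steps become a function that takes the lifetime and the CN as parameters, the new certificate's CN and remaining validity are checked before anything is installed, the expected file locations are read out of dovecot.conf (a commented "#ssl_cert_file = ..." line is treated as the built-in default, which is how the post found them), and the pair is copied into the certs/ and private/ layout with the private key restricted to its owner. The 2048-bit key size, the "Example Hosting" organisation, the /tmp working directory and the RUN_EXAMPLE switch are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of ISPConfig: wrap the three
# openssl steps from the post into functions, verify the new certificate's
# lifetime and name before touching Dovecot, and install it with tight
# permissions. Paths are parameters so it can be tried in a scratch directory.

# Create server.key, server.csr and a self-signed server.crt in WORKDIR,
# valid for DAYS days, with CN set to the hostname clients connect to.
# The subject is passed with -subj so no interactive prompts appear; the
# organisation value is a placeholder. No -des3, as in the post, so Dovecot
# can start unattended; umask 077 keeps the key unreadable to other users.
make_selfsigned_cert() {
    workdir=$1; cn=$2; days=$3
    mkdir -p "$workdir"
    ( umask 077 && openssl genrsa -out "$workdir/server.key" 2048 )
    openssl req -new -key "$workdir/server.key" -out "$workdir/server.csr" \
        -subj "/O=Example Hosting/CN=$cn"
    openssl x509 -req -days "$days" -in "$workdir/server.csr" \
        -signkey "$workdir/server.key" -out "$workdir/server.crt"
}

# Succeed only if certificate FILE is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Print the CN of certificate FILE (what the mail client compares to the server name).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the value of KEY from dovecot.conf CONF. An active line wins; otherwise
# a commented "#key = value" line is taken, since the shipped dovecot.conf
# shows the built-in defaults that way (as in the post above).
conf_setting() {
    key=$1; conf=$2
    active=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1)
    if [ -n "$active" ]; then
        printf '%s\n' "$active"
    else
        sed -n "s/^[[:space:]]*#[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | tail -n 1
    fi
}

# Copy the pair into the layout the post found (PKIDIR/certs and PKIDIR/private,
# both named dovecot.pem). The certificate is public; the key stays root-only.
install_dovecot_cert() {
    workdir=$1; pkidir=$2
    mkdir -p "$pkidir/certs" "$pkidir/private"
    cp "$workdir/server.crt" "$pkidir/certs/dovecot.pem"
    cp "$workdir/server.key" "$pkidir/private/dovecot.pem"
    chmod 644 "$pkidir/certs/dovecot.pem"
    chmod 600 "$pkidir/private/dovecot.pem"
}

# Stand-alone run (RUN_EXAMPLE=1 sh thisfile.sh): generate for mail.server.org,
# refuse to install anything that would not outlive 30 days, install, and
# remind about the restart. /etc/pki/dovecot and /etc/dovecot.conf are the
# paths from the post; adjust them for other layouts.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    make_selfsigned_cert /tmp/dovecot-cert mail.server.org 3650
    cert_valid_for /tmp/dovecot-cert/server.crt 2592000 || { echo "new cert too short-lived" >&2; exit 1; }
    echo "CN: $(cert_cn /tmp/dovecot-cert/server.crt)"
    echo "dovecot.conf expects the cert at: $(conf_setting ssl_cert_file /etc/dovecot.conf)"
    install_dovecot_cert /tmp/dovecot-cert /etc/pki/dovecot
    echo "now restart dovecot and postfix, as in the post"
fi
```

The -checkend check is the piece worth keeping around: run it from cron against /etc/pki/dovecot/certs/dovecot.pem with a 30-day horizon and the next expiry shows up in a log line rather than in a client's warning dialog.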