Another Certificate Expired Thread Fedora 6 LAMP

[ghall]

Hi Falko or Till

I installed ISPConfig using the Fedora 6 LAMP instructions.

I've had ISPConfig running for a year and it shows because I am just now getting a certificate expired nag from Thunderbird. It says:

mail.server.org is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on 1.11.2008 3:22 PM.

I regenerated the certs via Falko's instructions and rebooted the ISPConfig box but I get the same error in Thunderbird.

When I view the certificate that expired it does not have the same data that I entered when I regenerated the keys. I've looked all over the system for this rogue certificate and am mystified where it could be located. I updated ISPConfig to the latest version this morning hoping that it would give me the cert generation options as if it was a new install but it updated and didn't give me that.

Does anyone have a clue where these expired certificates could be and why I can't use the key generator in ISPConfig SSL area?

Any assistance and a quick response would be very grateful.

[till]

Quote:

why I can't use the key generator in ISPConfig SSL area?

The SSL generator in ISPConfig is for websites (apache) only and not for the pop3 or smtp daemon.

Quote:

I regenerated the certs via Falko's instructions and rebooted the ISPConfig box but I get the same error in Thunderbird.

Do you get the error when you send mail or when you receive mail?

[ghall]

Quote:

Originally Posted by till

The SSL generator in ISPConfig is for websites (apache) only and not for the pop3 or smtp daemon.

I figured that one out when I created a new one.

Quote:

Originally Posted by till

Do you get the error when you send mail or when you receive mail?

I get the warning nag of a certificate expired when I login to get mail. It affected one client from being able to check mail and I also got a few mail cannot be delivered 554 errors when I sent test messages to a friend with aol and yahoo. I used SSL on my security setting and it works fine if I use TLS, if available. I'd like to preserve the SSL security.

There is a certificate that is being used and I think it was generated when I first installed ISPConfig. Where is that one being kept and how do we generate a new certificate for that one?

[falko]

What POP3 daemon do you use? Is it Dovecot?

[ghall]

Quote:

Originally Posted by falko

What POP3 daemon do you use? Is it Dovecot?

Yes. I installed as per the Fedora Core 6 LAMP HOWTO with no deviations.

[ghall]

Here are a few errors from logwatch:

################### Logwatch 7.3 (03/24/06) ####################
Processing Initiated: Tue Jan 15 04:04:57 2008
Date Range Processed: yesterday
( 2008-Jan-14 )
Period is day.
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: mail.server.org
################################################## ################

--------------------- postfix Begin ------------------------

Unrecognized warning:

TLS library problem: 10873:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 11779:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 12022:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 18987:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 19946:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 19947:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 19951:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 24906:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 24907:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 2500:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 26531:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 2746:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
TLS library problem: 30205:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
TLS library problem: 4742:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)


**Unmatched Entries**

SSL_connect error to exchcentral.sces.org: -1
0E1496500F2: Cannot start TLS: handshake failure
Host offered STARTTLS: [exchcentral.sces.org]

---------------------- postfix End -------------------------

[falko]

This link might help in creating new certs for Dovecot: https://help.ubuntu.com/7.10/server/...ot-server.html

[ghall]

Quote:

Originally Posted by falko

This link might help in creating new certs for Dovecot: https://help.ubuntu.com/7.10/server/...ot-server.html

Thanks. That helps a little. Now I need to know where to put the .cert files.

I need to understand what is going on during the initial ./setup script in STEPS 0-2 when it is generating the custom certificate signed by own CA. Where are those certs and keys being put? Is that creating certs for dovecot? (read: I need explicit commands to copy these files to where they should go)

This is the only generating script that did not let me change the expiration of the cert from 365 to 3650.

Did the ./install script change since v2.2.8?

[falko]

Quote:

Originally Posted by ghall

Thanks. That helps a little. Now I need to know where to put the .cert files.

You can put them whereever you want, as long as you specify the correct paths in your dovecot.conf file.

Quote:

Originally Posted by ghall

Did the ./install script change since v2.2.8?

A little bit - it doesn't generate a new cert when you update ISPConfig, but continues to use the old one instead.

[ghall]

Quote:

Originally Posted by falko

You can put them whereever you want, as long as you specify the correct paths in your dovecot.conf file.

The /etc/dovecot.conf file is mostly remarked out but it showed me where it looks for it's certs;

#ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
#ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

Quote:

Originally Posted by falko

A little bit - it doesn't generate a new cert when you update ISPConfig, but continues to use the old one instead.

Good to know and I'm glad it didn't.

Now that I found which program and where the keys are I followed these instructions:

Generating a Certificate Signing Request (CSR)


To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

Code:

openssl genrsa -out server.key 1024

I took the -des3 out because I did not want to enter the passphrase every time I started the web server. The server key is generated and stored in server.key file.

To create the CSR, run the following command at a terminal prompt:

Code:

openssl req -new -key server.key -out server.csr

It will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. You can submit this CSR file to a CA for processing. The CAN will use this CSR file and issue the certificate. On the other hand, you can create self-signed certificate using this CSR.

Creating a Self-Signed Certificate

To create the self-signed certificate, run the following command at a terminal prompt:

Code:

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Your certificate will be created and it will be stored in the server.crt file.

Installing the Certificate

I copied the server.crt to /etc/pki/dovecot/certs/ and renamed it dovecot.pem and

I copied the server.key to /etc/pki/dovecot/private/ and renamed it dovecot.pem

Restarted dovecot and postfix and it seems to have fixed the problem.

Thanks Till and Falko.