Another Certificate Expired Thread Fedora 6 LAMP

Discussion in 'Installation/Configuration' started by ghall, Jan 14, 2008.

  1. ghall

    ghall Member

    Hi Falko or Till

    I installed ISPConfig using the Fedora 6 LAMP instructions.

    I've had ISPConfig running for a year and it shows because I am just now getting a certificate expired nag from Thunderbird. It says:

    mail.server.org is a site that uses a security certificate to encrypt data during transmission, but its certificate expired on 1.11.2008 3:22 PM.

    I regenerated the certs via Falko's instructions and rebooted the ISPConfig box but I get the same error in Thunderbird.

    When I view the certificate that expired it does not have the same data that I entered when I regenerated the keys. I've looked all over the system for this rogue certificate and am mystified where it could be located. I updated ISPConfig to the latest version this morning hoping that it would give me the cert generation options as if it was a new install but it updated and didn't give me that.

    Does anyone have a clue where these expired certificates could be and why I can't use the key generator in ISPConfig SSL area?

    I would be very grateful for any assistance and a quick response.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The SSL generator in ISPConfig is for websites (apache) only and not for the pop3 or smtp daemon.

    Do you get the error when you send mail or when you receive mail?
     
  3. ghall

    ghall Member

    I figured that one out when I created a new one.

    I get the warning nag of a certificate expired when I login to get mail. It kept one client from being able to check mail and I also got a few mail cannot be delivered 554 errors when I sent test messages to a friend with aol and yahoo. I used SSL on my security setting and it works fine if I use TLS, if available. I'd like to preserve the SSL security.

    There is a certificate that is being used and I think it was generated when I first installed ISPConfig. Where is that one being kept and how do we generate a new certificate for that one?
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What POP3 daemon do you use? Is it Dovecot?
     
  5. ghall

    ghall Member

    Yes. I installed as per the Fedora Core 6 LAMP HOWTO with no deviations.
     
  6. ghall

    ghall Member

    Here are a few errors from logwatch:

    ################### Logwatch 7.3 (03/24/06) ####################
    Processing Initiated: Tue Jan 15 04:04:57 2008
    Date Range Processed: yesterday
    ( 2008-Jan-14 )
    Period is day.
    Detail Level of Output: 10
    Type of Output: unformatted
    Logfiles for Host: mail.server.org
    ##################################################################

    --------------------- postfix Begin ------------------------

    Unrecognized warning:

    TLS library problem: 10873:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 11779:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 12022:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 18987:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 19946:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 19947:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
    TLS library problem: 19951:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
    TLS library problem: 24906:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 24907:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
    TLS library problem: 2500:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 26531:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 2746:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)
    TLS library problem: 30205:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 2 Time(s)
    TLS library problem: 4742:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1057:SSL alert number 48: : 1 Time(s)


    **Unmatched Entries**

    SSL_connect error to exchcentral.sces.org: -1
    0E1496500F2: Cannot start TLS: handshake failure
    Host offered STARTTLS: [exchcentral.sces.org]

    ---------------------- postfix End -------------------------
     
  7. falko

    falko Super Moderator ISPConfig Developer

  8. ghall

    ghall Member

    Thanks. That helps a little. Now I need to know where to put the .cert files.

    I need to understand what is going on during the initial ./setup script in STEPS 0-2 when it is generating the custom certificate signed by own CA. Where are those certs and keys being put? Is that creating certs for dovecot? (read: I need explicit commands to copy these files to where they should go)

    This is the only generating script that did not let me change the expiration of the cert from 365 to 3650.

    Did the ./install script change since v2.2.8?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    You can put them wherever you want, as long as you specify the correct paths in your dovecot.conf file.

    A little bit - it doesn't generate a new cert when you update ISPConfig, but continues to use the old one instead.
     
  10. ghall

    ghall Member

    The /etc/dovecot.conf file is mostly remarked out but it showed me where it looks for its certs:

    #ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    #ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

    Good to know and I'm glad it didn't.

    Now that I found which program and where the keys are I followed these instructions:

    Generating a Certificate Signing Request (CSR)

    To generate the Certificate Signing Request (CSR), you should create your own key. You can run the following command from a terminal prompt to create the key:

    Code:
    openssl genrsa -out server.key 1024

    I took the -des3 out because I did not want to enter the passphrase every time I started the web server. The server key is generated and stored in server.key file.

    To create the CSR, run the following command at a terminal prompt:

    Code:
    openssl req -new -key server.key -out server.csr

    It will prompt you to enter Company Name, Site Name, Email Id, etc. Once you enter all these details, your CSR will be created and it will be stored in the server.csr file. You can submit this CSR file to a CA for processing. The CA will use this CSR file and issue the certificate. On the other hand, you can create a self-signed certificate using this CSR.

    Creating a Self-Signed Certificate

    To create the self-signed certificate, run the following command at a terminal prompt:

    Code:
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

    Your certificate will be created and it will be stored in the server.crt file.

    Installing the Certificate

    I copied the server.crt to /etc/pki/dovecot/certs/ and renamed it dovecot.pem and

    I copied the server.key to /etc/pki/dovecot/private/ and renamed it dovecot.pem

    Restarted dovecot and postfix and it seems to have fixed the problem.

    Thanks Till and Falko.
     
    Last edited: Jan 17, 2008
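The key, CSR and self-signed certificate steps from the post above, together with the copy into Dovecot's paths, gathered into one script as an added example; this is not code from the thread, from the howto ghall quoted, or from ISPConfig. It assumes `openssl` and coreutils `install` are present, that the Dovecot paths are the two quoted from /etc/dovecot.conf, and that mail.server.org (the thread's hostname) is the CN; the other subject fields are placeholders. It also adds the checks this thread needed and the howto lacks: that the private key really belongs to the certificate, how many days the certificate stays valid, and which CN it carries, so the freshly generated certificate can be told apart from the expired one before the daemons are restarted.

```shell
#!/bin/sh
# Added example, not from the thread: generate a 10-year self-signed
# certificate for Dovecot, verify it, then install it into the paths
# that /etc/dovecot.conf expects. Requires openssl and coreutils install(1).
set -eu

# Assumed paths, taken from the dovecot.conf lines quoted in the thread.
DOVECOT_CERT="${DOVECOT_CERT:-/etc/pki/dovecot/certs/dovecot.pem}"
DOVECOT_KEY="${DOVECOT_KEY:-/etc/pki/dovecot/private/dovecot.pem}"

# make_selfsigned DIR CN DAYS
# Key, CSR and self-signed certificate as in the thread, but non-interactive:
# -subj supplies the fields the prompt would ask for (placeholder values except
# the CN), and the key has no passphrase so Dovecot can start unattended.
make_selfsigned() {
  dir=$1 cn=$2 days=$3
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=XX/ST=State/L=City/O=Placeholder Org/CN=$cn" 2>/dev/null
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_valid_for_days CERT N -> exit 0 if CERT stays valid for at least N days
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# key_matches_cert CERT KEY -> exit 0 if KEY is the private half of CERT.
# Both files must parse; then the SHA-256 of the DER public key from each side
# is compared. A mismatch is the "certificate does not show the data I entered"
# symptom from the thread: the daemon is serving a different pair.
key_matches_cert() {
  openssl x509 -noout -in "$1" 2>/dev/null || return 1
  openssl pkey -noout -in "$2" 2>/dev/null || return 1
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# cert_cn CERT -> prints the subject CN (handles old "/CN=" and new "CN = " output)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# install_for_dovecot DIR -> cert world-readable, key readable by root only
install_for_dovecot() {
  install -m 0644 "$1/server.crt" "$DOVECOT_CERT"
  install -m 0600 "$1/server.key" "$DOVECOT_KEY"
}

# served_cert_summary HOST PORT -> subject and expiry of the certificate the
# running daemon actually presents (995 = POP3 over SSL). Run it after
# restarting dovecot to confirm the expired certificate is gone. Needs network.
served_cert_summary() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -enddate
}

# Usage: sh gen-dovecot-cert.sh [install]  (CN and DAYS can be set in the environment)
main() {
  work=$(mktemp -d)
  make_selfsigned "$work" "${CN:-mail.server.org}" "${DAYS:-3650}"
  key_matches_cert "$work/server.crt" "$work/server.key"
  cert_valid_for_days "$work/server.crt" 3000
  echo "generated: CN=$(cert_cn "$work/server.crt"), $(openssl x509 -noout -enddate -in "$work/server.crt")"
  if [ "${1:-}" = "install" ]; then
    install_for_dovecot "$work"
    echo "installed to $DOVECOT_CERT and $DOVECOT_KEY; now restart dovecot and postfix"
  fi
}

main "$@"
```

Run it without arguments to generate and check a pair in a temporary directory; pass `install` (as root) to copy the files into the Dovecot paths. After restarting dovecot, `served_cert_summary mail.server.org 995` shows the certificate the daemon hands to Thunderbird, which is the quickest way to see whether the old certificate is still in use.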
