1

Topic: apache error

==== Required information ====
- iRedMail version: 0.8.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Linux/BSD distribution name and version: debian/squeeze
- Related log if you're reporting an issue:
====

Hello,

I am getting the following warning when apache is restarted. I have changed the server hostname to mx.mydomain.org recently. I am using a self-signed certificate now (I didn't get it from a third party). Can I recreate the SSL certificate to resolve this? What do you suggest? Thanks.

[Sun Jun 02 16:34:50 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jun 02 16:34:50 2013] [warn] RSA server certificate CommonName (CN) `mydomain.org' does NOT match server name!?


2

Re: apache error

Have a look in the installation package of iRedMail - file generate_ssl_keys.sh

3 (edited by aniyan.rajan6 2013-06-04 01:25:06)

Re: apache error

I have created the new certificates and copied the new files to the appropriate folder. Then I restarted the apache. But still the error.log shows the following:

Please help. Thanks.

[Mon Jun 03 17:18:11 2013] [notice] caught SIGTERM, shutting down
[Mon Jun 03 17:18:12 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jun 03 17:18:12 2013] [warn] RSA server certificate CommonName (CN) `mx.mydomain.org' does NOT match server name!?
[Mon Jun 03 17:18:13 2013] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[Mon Jun 03 17:18:13 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jun 03 17:18:13 2013] [warn] RSA server certificate CommonName (CN) `mx.mydomain.org' does NOT match server name!?
[Mon Jun 03 17:18:14 2013] [notice] Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 configured -- resuming normal operations

4

Re: apache error

From the log it seems your server doesn't think its name is 'mx.mydomain.org' / double-check /etc/hosts.
Also you can explicitly set the server name with the ServerName apache directive...

5

Re: apache error

camel1cz wrote:

From the log it seems your server doesn't think its name is 'mx.mydomain.org' / double-check /etc/hosts.
Also you can explicitly set the server name with the ServerName apache directive...

I have changed the ServerName from localhost to 'mx.mydomain.org' and now the error.log shows the following. I think I don't need a CA certificate, as I am using a self-signed certificate. Am I correct?


[Tue Jun 04 02:02:08 2013] [notice] caught SIGTERM, shutting down
[Tue Jun 04 02:02:09 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 04 02:02:10 2013] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[Tue Jun 04 02:02:10 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 04 02:02:11 2013] [notice] Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Pyth

6

Re: apache error

Sorry, you also need to regenerate the snakeoil certificate and point apache to it... on Debian:

make-ssl-cert generate-default-snakeoil

(possibly you need to move the old files out of the way)

It will create /etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key

In apache config:

SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

7

Re: apache error

I created the new snakeoil certificates. But it is still giving the following when apache is restarted. The snakeoil certificates are specified by default in the file /etc/apache2/sites-available/default-ssl.2013.04.17.13.39.46

And the iRedMail_CA.pem and iRedMail.key are specified in /etc/apache2/sites-available/default-ssl.

[Tue Jun 04 09:43:50 2013] [notice] caught SIGTERM, shutting down
[Tue Jun 04 09:43:51 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 04 09:43:52 2013] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[Tue Jun 04 09:43:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 04 09:43:53 2013] [notice] Apache/2.2.16 (Debian) mod_ssl/2.2.16 OpenSSL/0.9.8o mod_wsgi/3.3 Python/2.6.6 configured -- resuming normal operations

8

Re: apache error

You need to put the snakeoil certs into /etc/apache2/sites-available/default-ssl - the file with date in name is just backup and is not used...

9 (edited by aniyan.rajan6 2013-06-04 19:10:17)

Re: apache error

camel1cz wrote:

You need to put the snakeoil certs into /etc/apache2/sites-available/default-ssl - the file with date in name is just backup and is not used...

But SSLCertificateFile and SSLCertificateKeyFile are already used in default-ssl. They are used as:

        SSLCertificateFile /etc/ssl/certs/iRedMail_CA.pem
        SSLCertificateKeyFile /etc/ssl/private/iRedMail.key

iRedMail_CA.pem and iRedMail.key are not referred anywhere else.

10

Re: apache error

You need to edit the default-ssl file and replace the references to iRedMail certificates with the snakeoil ones...

The iRedMail certificates belong to the SSLCACertificate parameters (which you don't need to set in case you don't use client certificate authentication).

11

Re: apache error

camel1cz wrote:

You need to edit the default-ssl file and replace the references to iRedMail certificates with the snakeoil ones...

The iRedMail certificates belong to the SSLCACertificate parameters (which you don't need to set in case you don't use client certificate authentication).

I replaced the iRedMail certificates with the snakeoil certificates for SSLCertificateFile and SSLCertificateKeyFile. Now the problem is solved. Thanks for your help.

(which you don't need to set in case you don't use client certificate authentication)

Do you mean I have to use the iRedMail certificates (in the SSLCACertificate parameter) only if I use a trusted SSL certificate from a third party like InstantSSL? Please clarify.

12

Re: apache error

aniyan.rajan6 wrote:

Do you mean I have to use the iRedMail certificates (in the SSLCACertificate parameter) only if I use a trusted SSL certificate from a third party like InstantSSL? Please clarify.

You need the SSLCA* parameters only if your clients authenticate themselves with an SSL certificate instead of the usual user/password login.

13 (edited by aniyan.rajan6 2013-06-04 19:56:03)

Re: apache error

camel1cz wrote:

You need the SSLCA* parameters only if your clients authenticate themselves with an SSL certificate instead of the usual user/password login.

Okay, I understand. So even if I get a trusted SSL certificate from a third party, just to use https, I still don't need the SSLCA* parameters and the iRedMail certificates. I can make it work with snakeoil certificates. Am I correct?

14

Re: apache error

Yes, correct

15

Re: apache error

Now apache is okay, but I found that the mailserver is still using the iRedMail_CA certificates. Is this fine or do I have to change that also to snakeoil? The certificates used by apache and the mailserver are different now. Is that okay?

Thanks.

The following are the places that I found in the /etc, where iRedMail_CA certificates are still used.

/etc# grep -r -s iRedMail_CA.pem *
dovecot/dovecot.conf:ssl_cert_file = /etc/ssl/certs/iRedMail_CA.pem
dovecot/dovecot.conf:ssl_ca_file = /etc/ssl/certs/iRedMail_CA.pem
postfix/main.cf:smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
postfix/main.cf:smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem

16

Re: apache error

Of course you CAN and probably should also change the certificates for dovecot and/or postfix, but you need to change the ssl_key (dovecot) and smtpd_tls_key_file (postfix) options. The CA options pointing to iRedMail_CA.pem are correct.

17

Re: apache error

camel1cz wrote:

Of course you CAN and probably should change also the certificates for dovecot and/or postfix,  The CA options pointing to iRedMail_CA.pem are correct.

It is confusing.

Is the current certificate okay for postfix and dovecot? There are no errors because of the current certificate. But my doubt came just because I found the word 'CA' when I grepped, and also Thunderbird is getting a different certificate (different from apache's certificate). So is it necessary that I change it? Please clarify.

Thanks.

18

Re: apache error

Read something about cryptography and it'll be clear.

CA stands for certificate authority - it's a certificate used to issue other certificates (either client certificates to replace login/password authentication, or application certificates used to encrypt communication with clients).

Using the script from the install, you recreated the CA key with a different hostname, then you created a new snakeoil certificate for apache...

For dovecot and postfix the same statement is valid as I wrote about the *CA* certificate options in apache / there is no need to set them while you don't use client authentication with client certificates (instead of login/password).

Further reading, e.g.:
http://en.wikipedia.org/wiki/Certificate_authority
http://wiki.dovecot.org/SSL/DovecotConfiguration
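The CA-versus-server-certificate distinction this thread turns on, as an added example that is not part of the original posts: it generates a CA-style certificate for the bare domain (the iRedMail_CA.pem situation) and a proper server certificate for the vhost, then applies the same two checks mod_ssl warns about, so a candidate certificate can be tested before it is put into SSLCertificateFile and apache is restarted. The hostname mx.example.org and the temporary file names are constructed stand-ins for the poster's mx.mydomain.org and certificate paths; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two mod_ssl warnings and
# provide a pre-restart check for a candidate SSLCertificateFile.
set -eu
WORK=$(mktemp -d)
HOST=mx.example.org   # constructed stand-in for the poster's mx.mydomain.org

# gen_cert NAME CN EXTENSIONS: self-signed cert carrying exactly the given X.509v3 extensions.
gen_cert() {
  printf '%s\n' "$3" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# check_server_cert CERT HOST: returns the number of problems mod_ssl would warn about
# (0 means CERT is usable as SSLCertificateFile for a vhost whose ServerName is HOST).
check_server_cert() {
  problems=0
  # Same condition as "RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)"
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo "$1: basicConstraints CA:TRUE - this is a CA certificate, not a server certificate"
    problems=$((problems + 1))
  fi
  # Same condition as "CommonName (CN) ... does NOT match server name!?"
  # (-checkhost looks at subjectAltName first and falls back to the CN when there is none)
  if ! openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
    echo "$1: neither SAN nor CN matches ServerName $2"
    problems=$((problems + 1))
  fi
  return $problems
}

# The iRedMail_CA.pem situation: a CA certificate issued for the bare domain, used as server cert.
gen_cert ca "example.org" "basicConstraints=critical,CA:TRUE"
# A proper server certificate for the vhost (what the snakeoil plus ServerName fix amounts to).
gen_cert server "$HOST" "basicConstraints=CA:FALSE
subjectAltName=DNS:$HOST"

check_server_cert "$WORK/ca.pem" "$HOST" || echo "ca.pem: $? problem(s), would warn on restart"
check_server_cert "$WORK/server.pem" "$HOST" && echo "server.pem: OK for ServerName $HOST"
```

Run it against the file named in SSLCertificateFile (and, for postfix and dovecot, smtpd_tls_cert_file and ssl_cert_file) to see whether the served certificate is really a CA certificate or was issued for a different name.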