1 (edited by m.krzaczek 2017-10-28 03:06:12)

Topic: certificate issue

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 097
- Linux/BSD distribution name and version: centos
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

When I try to test my SSL certificate from outside with an "SSL internet tools" site, it shows that this certificate has no root cert. It is a problem for me. Gmail-type apps (Android clients) say that my certificate is "wrong".

When I run
openssl s_client -showcerts -connect mail.xxx.pl:993
it shows 3 BEGIN/END sections, and at the bottom is written:
    Start Time: 1509098608
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.



When I run
openssl s_client -showcerts -connect mail.xxx.pl:443
it shows only one BEGIN/END section, and at the bottom:

    Start Time: 1509098951
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


What is wrong?

I made one .crt file in this way:
cat my_cer.cer chain.cer  >  iRedMail.crt


2

Re: certificate issue

You have to check whether you're using the correct SSL cert and key files.

3 (edited by m.krzaczek 2017-10-29 21:47:00)

Re: certificate issue

Hi, I copied the content of the certificates again from my provider:
my private key,
my certificate,
ROOT/Intermediate CA

I made new files with names according to the standard settings in main.cf:

smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/ iRedMail.crt

in iRedMail.key is my private key
in iRedMail.crt is the combined cert, in order: first my certificate, then the root chain,
like here:
-----BEGIN CERTIFICATE-----
my cert content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root content
-----END CERTIFICATE-----


Then I rebooted the server.
I checked with an SSL checker from the internet and I get the info "no root cert.."


Moreover, I uncommented
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
and put there the content of "ROOT/Intermediate CA" copied from the provider ... rebooted, and still the problem.

The provider says I have no CA root certificate installed.

No idea, please advise.

4 (edited by m.krzaczek 2017-10-30 00:17:28)

Re: certificate issue

[root@mail ~]# openssl s_client -CAfile /etc/pki/tls/certs/iRedMail.crt -quiet -connect mail.xxxx.pl:993


depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.


When I check, I see the combined cert has no root.

5

Re: certificate issue

The command without -quiet:

[root@mail ~]# openssl s_client -CAfile /etc/pki/tls/certs/iRedMail.crt -connect mail.xxxxx.pl:993


CONNECTED(00000003)

depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Provided by DOMENY.PL sp. z o.o./OU=Domeny.pl SuperFAST SSL/CN=mail.xxxxl.pl
   i:/C=PL/ST=Ma\xC5\x82opolskie/L=Krak\xC3\xB3w/O=DOMENY.PL sp. z o.o/CN=DOMENY SSL DV Certification Authority
1 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=PL/ST=Ma\xC5\x82opolskie/L=Krak\xC3\xB3w/O=DOMENY.PL sp. z o.o/CN=DOMENY SSL DV Certification Authority
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
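
The chain printed above lists USERTrust as cert 1 and DOMENY (the leaf's actual issuer) as cert 2, so the intermediates are swapped, and no AddTrust root follows them. The POSIX sh function below is an added example (not code from this thread or from iRedMail) that checks a combined PEM bundle for both problems; it assumes the openssl binary is on PATH, and the function name and bundle path are the author's own choices.

```shell
#!/bin/sh
# check_chain_order BUNDLE: the server cert must come first, each following
# cert must be the issuer of the one before it, and the last cert should be a
# self-signed root. Only "openssl x509" is used, so older releases work too.
# Hypothetical helper written for this thread; bundle path as in main.cf.
check_chain_order() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0 }
    ' "$bundle"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 2
    fi
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        # Strip the "subject="/"issuer=" prefixes so the DNs compare directly.
        subject=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject)
        subject=${subject#subject=}
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer)
        issuer=${issuer#issuer=}
        if [ "$i" -eq "$count" ]; then
            if [ "$subject" = "$issuer" ]; then
                echo "cert $i: self-signed root present"
            else
                echo "cert $i: last cert is not a root, its issuer is missing: $issuer" >&2
                status=1
            fi
        else
            next=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject)
            if [ "$issuer" != "${next#subject=}" ]; then
                echo "cert $i: not issued by cert $((i + 1)), chain is out of order" >&2
                status=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $status
}
```

Run it as check_chain_order /etc/pki/tls/certs/iRedMail.crt; a non-zero exit means the file needs reordering or the root certificate appended at the end.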

6 (edited by m.krzaczek 2017-10-30 00:44:37)

Re: certificate issue

Strange,
the same cert files on the old server WORKED well!!!!
They were named in a different way on the old server:

smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem

After copying to the new machine and changing the names according to main.cf, THEY DON'T WORK.

On the old server the same command seems to be OK:

[root@mail ~]# openssl s_client -CAfile /etc/pki/tls/certs/iRedMail_CA.pem -quiet -connect localhost:993
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
verify return:1
depth=1 /C=PL/ST=Ma\xC5\x82opolskie/L=Krak\xC3\xB3w/O=DOMENY.PL sp. z o.o/CN=DOMENY SSL DV Certification Authority
verify return:1
depth=0 /OU=Domain Control Validated/OU=Provided by DOMENY.PL sp. z o.o./OU=Domeny.pl SuperFAST SSL/CN=mail.xxxx.pl
verify return:1
* OK Dovecot ready.

7

Re: certificate issue

Read permission on both servers:
-rw-r--r--  1 root root   6060 Mar  2  2017 iRedMail.crt

8

Re: certificate issue

Well, the problem isn't in the files; they are the same on both servers. Please, any idea?

9

Re: certificate issue

When I test on the new server, with the CAfile or CApath parameter or without, I get different results:

Command 1:
[root@mail certs]# openssl s_client -quiet -connect localhost:995
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = PL, ST = Ma\C5\82opolskie, L = Krak\C3\B3w, O = DOMENY.PL sp. z o.o, CN = DOMENY SSL DV Certification Authority
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.xxxxl.pl
verify return:1
+OK Dovecot ready.

Command 2:
[root@mail certs]# openssl s_client -CApath /etc/pki/tls/certs/ -quiet -connect localhost:995
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Dovecot ready.


Command 3:
[root@mail certs]# openssl s_client -CAfile /etc/pki/tls/certs/iRedMail.crt -quiet -connect localhost:995
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
+OK Dovecot ready.

10

Re: certificate issue

m.krzaczek wrote:

read permission on both servers:
-rw-r--r--  1 root root   6060 Mar  2  2017 iRedMail.crt

What's the permission of private key file? Also parent directories of both cert/key files?

11

Re: certificate issue

Thank you for the reply:

the old server:

drwxr-xr-x 2 root root 4096 paź 26 21:00 certs
drwxr-xr-x 2 root root 4096 mar  2  2017 private
-rw-r--r-- 1 root root 1704 mar  2  2017 iRedMail.key

the new one:

drwxr-xr-x   2 root root     26 Oct 30 06:46 certs
drwxr-xr-x   2 root root     26 Oct 29 10:42 private
-rw-r--r--  1 root root 1703 Oct 29 09:44 iRedMail.key

It seems the same.

12 (edited by m.krzaczek 2017-10-31 12:38:08)

Re: certificate issue

Really no idea, nobody?

Maybe the openssl tool works in different ways on those servers; maybe I went searching the wrong way...

The fact is... it looks like this from http://how2ssl.com/certificate_checker/
This message is my problem: Unverified certificate
It shows the 3 combined certs from iRedMail.crt


mail.XXXXX.pl
Domeny.pl SuperFAST SSL
Signed By:
DOMENY SSL DV Certification Authority
DOMENY.PL sp. z o.o

Certificate date is valid
Unverified certificate !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

-----BEGIN CERTIFICATE-----
MIIFcjCCBFqgAwIBAgIQCuDH+0zUttyTQNRZ8OHkXTANBgkqhkiG9w0BAQsFADCB
bla bla
-----END CERTIFICATE-----


USERTrust RSA Certification Authority
The USERTRUST Network
Jersey City
New Jersey
US
Signed By:
AddTrust External CA Root
AddTrust AB

Certificate date is valid
Verified by certificate bundle



DOMENY SSL DV Certification Authority
DOMENY.PL sp. z o.o
Krak\xC3\xB3w
Ma\xC5\x82opolskie
PL
Signed By:
USERTrust RSA Certification Authority
The USERTRUST Network



From https://www.sslchecker.com/sslchecker
I have the info:

Vendor signed: NO, SSL is not trusted

13

Re: certificate issue

Is it possible for you to reissue the SSL cert? It seems you're using the wrong SSL cert/key.

14 (edited by m.krzaczek 2017-11-01 19:33:43)

Re: certificate issue

Thanks, we are still in the same place.
First I checked the key/cert pair on the issuer's client panel - they are good.
Then, for the second time, I copied the key and combined cert to the server.

Port 933 looks OK, but 587 and 443 not.

[root@mail ~]# openssl s_client -quiet -connect localhost:993 -showcerts
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = PL, ST = Ma\C5\82opolskie, L = Krak\C3\B3w, O = DOMENY.PL sp. z o.o, CN = DOMENY SSL DV Certification Authority
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.xxxx.pl
verify return:1
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
^C
[root@mail ~]# openssl s_client -quiet -connect localhost:443 -showcerts
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.xxxx.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.xxxxx.pl
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Provided by DOMENY.PL sp. z o.o., OU = Domeny.pl SuperFAST SSL, CN = mail.xxxx.pl
verify error:num=21:unable to verify the first certificate
verify return:1

[root@mail ~]# openssl s_client -quiet -connect localhost:587 -showcerts
140014202136480:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:


From the internet my Roundcube at https://mail.xxxx.pl appears as safe.
From the internet, testing mail.xxxx.pl:587 shows my "router" cert.


???????

15

Re: certificate issue

For the port 587 test from outside:
(Cyberoam is my router)

cert issuer

Site:    mail.xxx.pl
Serial number:    0BE64A70
Signature algorithm:    SHA-1 with RSA
Key length:    1024-bit
Certificate issuer:    Cyberoam SSL CA


cert issuer II
Issued to:    Cyberoam SSL CA
Company name:    Elitecore
Location:    Ahmedabad, Gujarat, IN
Issued by:    Cyberoam SSL CA


cert issuer I
Issued to:    Cyberoam SSL CA
Company name:    Elitecore
Location:    Ahmedabad, Gujarat, IN

16

Re: certificate issue

For example,
https://certyfikatyssl.pl/ssl-tools/che … ficate.htm
with smtp.interia.pl:587
is OK,

but for my server it shows shit.

17

Re: certificate issue

m.krzaczek wrote:

[root@mail ~]# openssl s_client -quiet -connect localhost:587 -showcerts
140014202136480:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:

When using TLS you need to initiate STARTTLS - otherwise you won't be able to establish a connection.
Please add the "-starttls" parameter to the command and retry.
e.g.
openssl s_client -connect localhost:587 -starttls smtp