Koozali.org: home of the SME Server

SSL Certificate problem

bjennings

SSL Certificate problem
« on: June 15, 2006, 11:33:55 PM »
I've been following the installation instructions for an SSL certificate from
http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm

I purchased a certificate from Geotrust Rapid SSL

I restart the servers:
/etc/rc7.d/S86httpd-e-smith restart
/etc/rc7.d/S86httpd-admin restart

I log in to https://mail.myserver.k12.mo.us and everything works fine. I check the certificate and it says that it is valid from June 15 2005 until August 2008, which is ok since I purchased a 26 month certificate.

But if I use outlook or thunderbird I get the error that it could not be verified.  So I issue the command below

# Secure email (SME7 Only)
If your Secure email certificates have not updated automatically, issue a
signal-event post-upgrade
signal-event reboot

Well, then my certificate gets set back to the default server certificate.  So if I go back to https://mail.myserver.k12.mo.us then I get the "accept certificate" message.

Any ideas what to try next?

Offline crazybob

Stalzer R&D
SSL Certificate problem
« Reply #1 on: June 16, 2006, 05:59:49 AM »
I think I can help with part of this.
When you set up for the cert, was the name on the cert "mail.myserver.k12.mo.us", or something like "www.myserver.k12.mo.us"?

If it was the second item, that is the problem. The cert is good for only one name. This has to do with SSL certs and virtual domains in Apache. Just change the name of both your pop and smtp mail servers in Outlook or Tbird to the same as the registered name on the cert, and it should be fine. As far as the cert reverting, I don't know. I am not having that problem, but I did have the first one until I figured it out.

Bob
If you think you know whats going on, you obviously have no idea whats going on!

bjennings

SSL Certificate problem
« Reply #2 on: June 16, 2006, 06:27:14 AM »
I wish that were the case, but the name on the certificate is mail.myserver.k12.mo.us, and not www.

Offline crazybob

Stalzer R&D
SSL Certificate problem
« Reply #3 on: June 16, 2006, 06:41:26 AM »
Which OS are you using? I found some issues with win98 and win2k where I needed to install the certs on the windows boxes. I don't believe I had any problems with Windows XP.

Another question. Does Geotrust Rapid SSL use an intermediate certificate also?  I used Starfieldtech, and they do, so I had to do a couple extra steps in the install.
If you think you know whats going on, you obviously have no idea whats going on!

bjennings

SSL Certificate problem
« Reply #4 on: June 16, 2006, 07:27:24 AM »
according to their site, I don't believe they use an intermediate certificate

StarterSSL is a 128 bit single root SSL certificate. RapidSSL.com owns the root used to issue StarterSSL certificates making it a stable SSL offering. StarterSSL is already present in the IE 5.01+, Netscape 4.7+ and Mozilla 1+ browsers and many other new Windows and Mac based browsers. At a very special low price of $49, StarterSSL is an ideal solution for securing websites conducting lite levels of ecommerce.

I used their 30 day evaluation copy and it worked for 10 days on the webmail and with Outlook Express and Thunderbird. I think this all came about when I went from RC02 to RC03, but I'm not 100% sure.

Offline jfarschman

SSL Certificate problem
« Reply #5 on: June 27, 2006, 06:25:31 PM »
Hey,

  I've got this problem too.  I'm using a GoDaddy certificate and got it implemented (with the Intermediate cert) using the SSLCertificateChainFile directive in httpd.conf.   Good!!!

  That got everything working in IE and FireFox.

  BUT... still I have the original problem that bjennings reported:

Quote
But if I use outlook or thunderbird I get the error that it could not be verified


In Outlook it says "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Thunderbird is a little less specific.... and remember.... IE and Firefox are fine with this.  So it's like the chain is properly installed.... but the email clients don't like the end result.
Jay Farschman
ICQ - 60448985
jay@hitechsavvy.com

bjennings

SSL Certificate problem
« Reply #6 on: June 28, 2006, 04:42:02 AM »
Are you running 7rc3?  If I understand correctly, there is some sort of bug.  I worked on this problem a few days ago and came up with this little solution.  From what I gather, something is causing the certificate to recreate itself on some installations.  

I never used the SSLCertificateChainFile directive.  I followed the instructions from http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm
(which by the way worked wonderfully)

But before I got to the part about:

Quote
Secure email (SME7 Only)
If your Secure email certificates have not updated automatically, issue a
signal-event post-upgrade
signal-event reboot

(which sounds like what you need), I deleted a couple of scripts (well, actually backed them up and then deleted them).

I deleted conf-mod_ssl from /etc/cron.daily/conf-mod_ssl and ssl.crt from /etc/e-smith/templates/home/e-smith/ssl.crt

then I did the signal-event post-upgrade and signal-event reboot

Now I can logon to the webmail or use oe/thunderbird and not get the certificate error.

Let me know if this helps you out or not.  I'm sure we are probably not the only two who have had problems with this.

Offline william_syd

SSL Certificate problem
« Reply #7 on: June 28, 2006, 03:30:54 PM »
Refer to this link for info:

http://no.longer.valid/phpwiki/index.php/Creating%20SSL%20Certificates

in particular this bit..

Code:
Put your certificate and key files somewhere safe on the server, and then do:

/sbin/e-smith/config setprop modSSL crt /path/to/certificate

/sbin/e-smith/config setprop modSSL key /path/to/keyfile

/sbin/e-smith/signal-event post-upgrade

/sbin/e-smith/signal-event reboot

The above information came from http://forums.contribs.org/index.php?topic=30320.msg126905#msg126905


If you just overwrite the default SME certs, then the next time you update and something involving SSL is updated, new default SME certs are created.

The location of these default certs is determined by a database entry. You want to put your certs somewhere else and change the database to point to where you have put your certs. The database entry DOES NOT get changed after an update so your certs will continue to work.

If you want certs to play with, may I suggest www.cacert.org. Their root CA is not in browser/email clients yet, but one day....
Regards,
William

IF I give advice.. It's only if it was me....

Offline perelandra

Re: SSL Certificate problem
« Reply #8 on: December 14, 2007, 08:10:34 PM »
Hi Jay,

did you find a solution for this problem? Or anyone else?
The scenario looks like mine, and I've got the same "problem".

Thanks for help in advance!

Quote
Hey,

  I've got this problem too.  I'm using a GoDaddy certificate and got it implemented (with the Intermediate cert) using the SSLCertificateChainFile directive in httpd.conf.   Good!!!

  That got everything working in IE and FireFox.

  BUT... still I have the original problem that bjennings reported:

In Outlook it says "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Thunderbird is a little less specific.... and remember.... IE and Firefox are fine with this.  So it's like the chain is properly installed.... but the email clients don't like the end result.
Greetings, Johannes

Offline raem

Re: SSL Certificate problem
« Reply #9 on: December 15, 2007, 02:02:37 AM »
perelandra

You have provided very little and quite non specific information, the old "help it doesn't work" syndrome.

If I'm interpreting your problem correctly, you need to tell sme server where to find your new certificate so that the default certificate is not rebuilt on various system events eg signal-event post-upgrade

See this link
http://wiki.contribs.org/Custom_CA_Certificate

and scroll down to where it says:

Then save your CA certificate in a file named ~/cacert/{domain}.crt

    * Copy to final location

cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt
cp {domain}.key /home/e-smith/ssl.key/{domain}.key

    * Configure SME database

config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

    * and apply the changes

signal-event console-save
...

Offline perelandra

Re: SSL Certificate problem
« Reply #10 on: December 15, 2007, 09:48:41 AM »
Quote
perelandra

You have provided very little and quite non specific information, the old "help it doesn't work" syndrome.

If I'm interpreting your problem correctly, [...]

Hi Ray!

I must admit, that my posting is kind of confusing...

I just quoted the point where Jay tells us about the successful install of a GoDaddy certificate and that it ALL works - EXCEPT with some email clients which do not seem "to like the end result":

Quote
In Outlook it says "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Thunderbird is a little less specific.... and remember.... IE and Firefox are fine with this.  So it's like the chain is properly installed.... but the email clients don't like the end result.

Now,... this is exactly my point, too. And to make it a bit clearer for the readers: I installed a Multiple Domains Cert incl. a chain cert and it works "like a charm" (see: http://forums.contribs.org/index.php?topic=39310.0 ) except the odd email warning Jay describes...

To bring it down to two questions:

- Do I have to edit /etc/httpd/conf.d/ssl.conf and comment out the ChainFile path OR
- Do I just need to tell the db the correct settings through
Code:
config setprop modSSL CertificateChainFile /usr/share/ssl/certs/gd_intermediate_bundle.crt OR
- Do I have to do BOTH?

And: could it be that some email clients are misinterpreting the certificate chain if one (or two or all three) of the settings pointed out above is not set (properly)?

Or (what would relax me a bit) is it a client specific thing? Though the most of the clients warn me: Thunderbird, Outlook, OE (on WIN2K but not on XP), Sylpheed, Evolution. So I assume it's not a client specific thing.

btw: I searched a lot and I picked up this old thread because it outlines exactly which problem I have, but it doesn't solve it - yet! :-)

Thanks for listening...
Greetings, Johannes

Offline perelandra

Re: SSL Certificate problem
« Reply #11 on: December 16, 2007, 11:46:33 AM »
Quote
And: could it be that some email clients are misinterpreting the certificate chain if one (or two or all three) of the settings pointed out above is not set (properly)?

Or (what would relax me a bit) is it a client specific thing? Though the most of the clients warn me: Thunderbird, Outlook, OE (on WIN2K but not on XP), Sylpheed, Evolution. So I assume it's not a client specific thing.

I now found out that it's indeed a client specific problem: Thunderbird doesn't use the (inbuilt) Valicert Root Certificate to check GoDaddy's certificates, but needs an additional Class 2 cert from GoDaddy to be imported. This concerns all platforms I tested.

Download: https://certificates.godaddy.com/repository/gd-class2-root.cer

Outlook and OE (and Windows Live Mail) do support the GoDaddy certs out of the box on XP. In WIN2K the root certificates need to be up to date to work fine with the two clients.

Finally:
What is really annoying is that the upcoming Firefox 3.0 creates an error which really confuses most users if a self-signed certificate is loaded, or if it is not found in the inbuilt root certificates. You may want to test it on your own machines to see the results: to finally load the page it needs at least 4 (four!) clicks to accept the cert. Bad news!  :-x

What do you think?
Greetings, Johannes

Offline perelandra

Re: SSL Certificate problem
« Reply #12 on: December 17, 2007, 09:55:45 PM »
Here is one of the Mozilla bugs if one wants to know more about the named problem:

https://bugzilla.mozilla.org/show_bug.cgi?id=403437
Greetings, Johannes

Offline cyboreal

Re: SSL Certificate problem
« Reply #13 on: March 12, 2008, 11:24:48 PM »
Hi,

perelandra wrote:

Quote
Thunderbird doesn't use the (inbuilt) Valicert Root Certificate to check Godaddys certificates, but needs an additional Class2 Cert from Godaddy to be imported. This concerns all platforms I tested.

Download: https://certificates.godaddy.com/repository/gd-class2-root.cer

I have a similar setup, it sounds, except that I have only a single SSL domain (not multi-domain or wildcard) registered with GoDaddy (i.e. mail.example.com) for use with my e-mail server. I followed the steps mentioned in various posts in the forum (including http://forums.contribs.org/index.php?topic=39310.0 and the CA Certs how to on the wiki). Here are the steps I followed (assuming all the files are located in /home/e-smith/MySSL):

Code:
/sbin/e-smith/config setprop modSSL crt /home/e-smith/MySSL/ssl.crt/{domain}.crt
/sbin/e-smith/config setprop modSSL key /home/e-smith/MySSL/{domain}.key
/sbin/e-smith/config setprop modSSL CertificateChainFile /home/e-smith/MySSL/gd_intermediate_bundle.crt
/sbin/e-smith/signal-event console-save
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

After reboot, I can access webmail (https://mail.domain.com/webmail) without any browser warnings from Firefox but Thunderbird complains that the GoDaddy certificate for mail.domain.com is invalid: "Could not verify this certificate for unknown reasons"

I tried to import the certificate (https://certificates.godaddy.com/repository/gd-class2-root.cer) as suggested above but got "This certificate is already installed as a certificate authority" from Thunderbird. I tried importing all the certificates in the certs.godaddy.com page for valicert and starfield but got the same result for each one. I am using Thunderbird 2.0.0.12 and really need to make this work, if possible, without manually installing new certificates on all the clients - though in a worst case scenario, that would be better than nothing.

One thing I should note is that examining the certificate presented to (and validated by) Firefox shows the Certificate Hierarchy as being:
+Builtin object Token:Go Daddy Class 2 CA
  + Go Daddy Secure Certification Authority
    + mail.domain.com

But there is no Certificate Hierarchy in the certificate presented to Thunderbird (though the certificates are the same):
+ mail.domain.com

So the problem seems to be in the intermediate bundle step. What do I need to do to make Thunderbird accept the certificate without complaining? Am I missing a configuration step on the server side?

Thanks.
« Last Edit: March 12, 2008, 11:35:40 PM by cyboreal »

Offline cyboreal

Re: SSL Certificate problem - SOLVED
« Reply #14 on: March 13, 2008, 03:43:17 AM »
I was able to get Thunderbird working with the GoDaddy certificates and intermediate bundle by creating a .pem file and using it instead of the .crt. I read the directions at http://bloggit.livejournal.com/26595.html and did the following:

1. Create a copy of the mail.domain.com.key file called mail.domain.com.pem
2. After the key text, paste a copy of the certificate (mail.domain.com.crt)
3. After the mail.domain.com.crt certificate, paste the contents of gd_intermediate_bundle.crt
4. Tell SME Server to use the mail.domain.com.pem file as the certificate, so the whole thing looks like:

Code:
/sbin/e-smith/config setprop modSSL crt /home/e-smith/MySSL/mail.domain.com.pem
/sbin/e-smith/config setprop modSSL key /home/e-smith/MySSL/{domain}.key
/sbin/e-smith/config setprop modSSL CertificateChainFile /home/e-smith/MySSL/gd_intermediate_bundle.crt
/sbin/e-smith/signal-event console-save
/sbin/e-smith/signal-event post-upgrade
/sbin/e-smith/signal-event reboot

Note: I did not bother resetting the key file in the second line as it had been set from my previous attempt - but that should not affect anything.

After rebooting, Thunderbird can access my IMAPS and SMTP servers without complaining about the certificate.