Koozali.org: home of the SME Server

problem with SSL certificate and sending email

Offline wdepot

problem with SSL certificate and sending email
« on: September 19, 2013, 08:52:24 PM »
We're getting an expired SSL certificate error using Mail under Mac OSX and are wondering if anyone can help figure out the problem. We get the following error from Mail:
    Mail was unable to verify the identity of this server, which has a certificate issued to "www.westerndepot.com". The error was:

    The root certificate for this server could not be verified.

    You might be connecting to a computer that is pretending to be "www.westerndepot.com", and putting your confidential information at risk. Would you like to continue anyway?
When we view the certificate it shows that it expired on September 7, 2013.

The thing is, we use a certificate issued by Comodo; it doesn't expire until 2018, and it works fine in any web browser. We use a custom template file for httpd.conf to set the proper settings to use the certificate and the included certificate authority file. The relevant code in the final httpd.conf file is as follows:
# modSSL{CertificateChainFile} not set
SSLCertificateFile /home/e-smith/ssl.crt/wdserver.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/wdserver.key

SSLCACertificatePath /home/e-smith/ssl.crt/
SSLCACertificateFile /home/e-smith/ssl.crt/www_westerndepot_com.ca-bundle
SSLCertificateChainFile /home/e-smith/ssl.crt/www_westerndepot_com.ca-bundle

Mail is properly set up to use authentication and SSL on port 25 from the fully qualified domain name, as required by SME 8.0, and didn't have any problems sending email until the certificate expired. Obviously I need to get email on our SME Server 8.0 to look at the correct certificate files, since it is apparently set to use the automatically generated certificate from SME Server rather than the certificate we purchased. The question is where do I create the custom template file to do this, what should I name it, and what commands need to be placed in the custom template file? I'm guessing that Mail is talking to qpsmtpd and not qmail when it sends messages, but that is about as far as I can get. I'm hoping that someone here on the forums can help us fix the problem.

Offline janet

Re: problem with SSL certificate and sending email
« Reply #1 on: September 20, 2013, 12:38:48 AM »
wdepot

Show us

config show modSSL

Your custom template filename, path & contents.
« Last Edit: September 20, 2013, 01:32:01 AM by janet »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline janet

Re: problem with SSL certificate and sending email
« Reply #2 on: September 20, 2013, 01:28:13 AM »
wdepot

    Mail is properly set up to use authentication and SSL on port 25 from the fully qualified domain name as required by SME 8.0 and didn't have any problems sending email until the certificate expired.

If I access your site in Windows 7 using Firefox & via the URL
https://www.westerndepot.com
I get details of a Comodo certificate that was issued on 15/6/2013  & expires on 15/6/2018
I see no problems there.

I recall some time ago that old browsers had to be updated so that details of current root certificates were up to date; maybe your Mac has an issue like that, or is somehow not updating or recognising the current certificate.

It does not seem to be a server issue, unless it is something peculiar to Mac.
I would be googling on updating your certificate in your mail client on Mac OSX.

Offline mmccarn

Re: problem with SSL certificate and sending email
« Reply #3 on: September 20, 2013, 02:23:14 PM »
httpd-e-smith uses the certs located in /home/e-smith/ssl.crt/.

On my SME8 server, qpsmtpd's TLS plugin is using /var/service/qpsmtpd/ssl/cert.pem

Have you installed your new cert for qpsmtpd?

Offline wdepot

Re: problem with SSL certificate and sending email
« Reply #4 on: September 20, 2013, 11:14:29 PM »
The custom templates for the security certificates are both located in the /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ folder.

File named 35SSL10SSLCertificateFile contains:
{
    # e-smith template fragment: take the paths from the modSSL
    # configuration database if they are set there, otherwise fall
    # back to the purchased certificate and its key.
    my $crt = $modSSL{'crt'} ||
        "/home/e-smith/ssl.crt/wdserver.crt";

    my $key = $modSSL{'key'} ||
        "/home/e-smith/ssl.key/wdserver.key";

    # Emit the two Apache directives into the generated httpd.conf.
    $OUT .= <<SSL_END;
SSLCertificateFile $crt
SSLCertificateKeyFile $key
SSL_END
}

File named 35SSL10SSLD contains:
# place this file in /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

SSLCACertificatePath /home/e-smith/ssl.crt/
SSLCACertificateFile /home/e-smith/ssl.crt/www_westerndepot_com.ca-bundle
SSLCertificateChainFile /home/e-smith/ssl.crt/www_westerndepot_com.ca-bundle

config show modSSL returns the following:
modSSL=service
  CipherSuite=HIGH:!SSLv2
  TCPPort=443
  access=public
  status=enabled

Like I said, it works fine with any web browser but not with our email client. I deleted the old certificate from Keychain Access on the Mac in an attempt to force the email program to look for the new certificate on the server, but the email client still finds an expired certificate.

I think like mmccarn mentions that the certificate needs to be installed for qpsmtpd. The question is how do I do that?

Offline mmccarn

Re: problem with SSL certificate and sending email
« Reply #5 on: September 21, 2013, 04:23:18 PM »
/var/service/qpsmtpd/ssl/cert.pem is built from /etc/e-smith/templates.metadata/var/service/qpsmtpd/ssl/cert.pem based on /home/e-smith/ssl.pem.

The metadata file also forces the output file to belong to the Group 'qpsmtpd' and have permissions set to 0640

If your custom httpd template has updated /home/e-smith/ssl.pem then you should be able to fix qpsmtpd using either:
signal-event email-update
 -or-
expand-template /var/service/qpsmtpd/ssl/cert.pem
sv t qpsmtpd


If your /home/e-smith/ssl.pem files have not been updated, you'll need to figure out how to do that first.


[edit]
fixed typo in path to metadata template, and added info about file ownership and permissions.
« Last Edit: September 21, 2013, 04:33:21 PM by mmccarn »

Offline mmccarn

Re: problem with SSL certificate and sending email
« Reply #6 on: September 21, 2013, 04:30:00 PM »
I forgot to mention that since your Comodo certificate is chained, you're likely to need this information on how to build the 'ssl.pem' file for qpsmtpd when using chained certs:
http://grokbase.com/t/perl/qpsmtpd/091pv8ee8d/tls-plugin-problem-with-chained-certificate#20090124pau52cdl4uifzwnin7q3ulni3m
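Putting replies #3, #5 and #6 together, the practical sequence is: check what each port actually presents, build the PEM that the qpsmtpd template is expanded from, make sure the chain in it is complete, then expand the template and restart qpsmtpd. The script below is an added example and is not code from this thread or from the SME Server project. It assumes the combined file holds the server certificate, its private key and the CA bundle (the intermediate certificates) concatenated in that order; that order, and the expectation that qpsmtpd wants the intermediates in the same file, are assumptions to confirm against the qpsmtpd discussion linked above. The "Example Test" CA hierarchy, the hostname mail.example.test and all file paths are constructed for the demonstration, and the throwaway root and intermediate are generated on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread or SME Server). Assumption: the
# qpsmtpd bundle is cert + key + intermediates in one PEM file.
set -eu

# What does a live service actually present? Compare 443 against 25 with
# STARTTLS to see whether both serve the same certificate and chain.
# Needs network, so the offline self-check below does not call it.
presented_cert() {   # presented_cert HOST PORT [starttls-proto, e.g. smtp]
    host=$1; port=$2; proto=${3:-}
    opts=""
    [ -n "$proto" ] && opts="-starttls $proto"
    openssl s_client -connect "$host:$port" -servername "$host" $opts </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# Build the combined PEM (cert, then key, then CA bundle), mode 0600.
build_ssl_pem() {    # build_ssl_pem CERT KEY BUNDLE OUT
    ( umask 077; cat "$1" "$2" "$3" > "$4" )
}

# How many PEM blocks of a given type does FILE contain?
count_blocks() {     # count_blocks FILE CERTIFICATE | count_blocks FILE 'PRIVATE KEY'
    grep -c "^-----BEGIN .*$2-----" "$1"
}

# Does LEAF chain to ROOT when the intermediates in BUNDLE are offered?
verify_chain() {     # verify_chain LEAF BUNDLE ROOT
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Expiry of the first certificate in a PEM file, printed as notAfter=...
not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# Constructed test data: a throwaway root -> intermediate -> leaf chain.
make_test_pki() {    # make_test_pki DIR
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:mail.example.test\n' > "$dir/leaf.ext"

    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test Root" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    # The ".ca-bundle" a commercial CA ships is just the intermediate(s).
    cp "$dir/int.crt" "$dir/ca-bundle.crt"
}

# Offline walk-through of the procedure.
work=$(mktemp -d)
make_test_pki "$work"
build_ssl_pem "$work/leaf.crt" "$work/leaf.key" "$work/ca-bundle.crt" "$work/ssl.pem"
echo "certificates in bundle: $(count_blocks "$work/ssl.pem" CERTIFICATE)"
echo "private keys in bundle: $(count_blocks "$work/ssl.pem" 'PRIVATE KEY')"
not_after "$work/leaf.crt"
if verify_chain "$work/leaf.crt" "$work/ca-bundle.crt" "$work/root.crt"; then
    echo "chain verifies with the intermediate present"
fi
if ! verify_chain "$work/leaf.crt" "$work/root.crt" "$work/root.crt"; then
    echo "chain fails without the intermediate: what a client sees if qpsmtpd omits it"
fi
rm -rf "$work"
```

On a real server, `presented_cert www.westerndepot.com 443` and `presented_cert www.westerndepot.com 25 smtp` show at a glance whether the web and SMTP services serve the same certificate and whether the SMTP side offers the intermediate. After writing the new /home/e-smith/ssl.pem, run the `expand-template /var/service/qpsmtpd/ssl/cert.pem` and `sv t qpsmtpd` from reply #5 and check port 25 again; the expected notAfter is the one the Comodo certificate carries, not the date of the server's auto-generated one.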