Evolution client imports the wrong ssl certificate

Posted on 2009-05-05
Last Modified: 2013-11-22
I am trying to download email via courier imap to a client pop3 account with a valid self-signed ssl certificate.  I have followed instructions at for the browser certificate and for the mail certificate.

The EvolutionSMTP.p12 file that I import into my client email account shows all the wrong information!  When I try to download email, the certificate warning tells me the signature is bad - it's an automatically generated issue from NY that expires in 2019.  The certificate I generated expires in 2014 and it's from my state (not NY;  I should probably reduce it from 1825 days to expire in 365 but it's not working anyway).

I copied EvolutionSMTP.p12 from /etc/postfix/ssl where I  generated it to my home folder on the server, scp'd the file to my laptop and then imported it into my email client, after clearing the client-generated db files in .evolution.  However the certificate that appears in my Evolution client doesn't correspond to the certificate I created (wrong issuer and expiration date).  I've tried following the steps in the above urls several times, the latest with a new password that is accepted, but still the email certificate that is displayed is auto-generated.  What to do?
Question by:sara_bellum

Expert Comment

by:Kerem ERSOY
ID: 24320663

It is obvious that your system does not look for the certificate in the folder you've placed it in. So please check your pop server config files and find out where it keeps its certificate files. Then copy the certificate to the right folder with the correct name. Restart your pop server and retry. You'll understand that you've done it correctly when you see the certificate information from your server matches your self-signed certificate. Setting certificate life has nothing to do with it. So you don't need to try to keep it shorter.

Author Comment

ID: 24352139
Here's what I found in the ubuntu forum:

"Open your web hosting site using https in firefox (I used my https webmail).  //I don't have https
Double-click on the padlock icon in the status bar at the bottom of the window // or a padlock
Click on the security tab, Click view certificate, Click details, Click export.
Save as an X.509 Certificate (first option).
Open Evolution, Edit>Preferences>Certificates, Click Import
Browse to the certificate you just saved, click Open, You're done!"

I have no padlock on my home page, so I'm still stuck...I checked my Wordpress config (wordpress is installed in my doc root) and there's nothing there on ssl that I can associate with this problem :(
I think I need to set up an https site in apache, which I don't need right now but I guess I can set up a bogus one...

Author Comment

ID: 24409740
Sorry that I've been unavailable to work on this enough to report back, but it's an amazingly complex issue!  I've implemented everything from here: and was able to import a certificate, but the one that Evolution looks for is automatically generated.

So I found this: and was able to localize the default settings on the server for automatically generated certificates; I then restarted pop and pop-ssl services.  My Evolution client now reads the correct location and expiration date, so the automatically generated certificate doesn't look as bad as the I'm-in-NY-and-expire-in-10-years certs that I saw before.  However the Evolution client still tells me that the automatically generated cert is bad, and I can't import a certificate to the client to authenticate something that's automatically generated.  There's no setting on the client that allows me to change how it authenticates either :(  

Accepted Solution

Kerem ERSOY earned 500 total points
ID: 24409793
Hi, in fact since you're generating your own certificates they are not valid certificates that could be traced back to known signers and have their validation checked by third parties. So if you don't use a certificate from a well-known issuer this is the normal behaviour. However, if you don't want it to cause errors on the client side, what you would do is to get the certificate and include it in your certificate chain so that it won't cause any errors on the client.

What OS do your clients use?

Author Comment

ID: 24415403
The OS on the clients is also Ubuntu (Debian) Linux.

Since I can import a cert into the Evolution client that is associated with a stable server key (but not one that is automatically generated) I changed the pop3d.cnf file in /etc/courier to disable the auto-generate-ssl-key and copied all files to /home/user/myCA.  I now have an updated mail certificate in Evolution that has the right location and expiration date which is presumably associated with the correct key, but I can't fetch mail :(

The error in the client says just that: error fetching mail.  I got no errors on the server when restarting pop and pop-ssl.

I'm still working with this page: 
It sure would help to find some errors.

Author Comment

ID: 24425771
Here's where I am now - either the procedures at the latest url are wrong or there's something in my server config that prevents their correct implementation.

# openssl s_server -key server_key.pem -cert mycert.pem -CAfile server_crt.pem -state -Verify 10
verify depth is 10, must return a certificate
Enter pass phrase for server_key.pem:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
22900:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
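The "key values mismatch" error above means the private key given to openssl does not belong to the certificate given with -cert, and the opening question (Evolution showing a certificate other than the one generated) is the same kind of mix-up on the server side. The following shell functions are an added example, not code from the thread; they assume only that the openssl command-line tool is installed, and take the server host, port, certificate and key paths as arguments.

```shell
#!/bin/sh
# Added example: sanity checks for a self-signed mail server certificate.
#  cert_key_match CERT KEY [PASSIN]  -> exit 0 only if CERT's public key belongs to KEY
#                                      (the check behind "X509_check_private_key: key values mismatch")
#  cert_fingerprint CERT             -> SHA-256 fingerprint of a PEM certificate file
#  presented_cert_fingerprint HOST PORT -> fingerprint of the certificate the running
#                                      POP3S/IMAPS daemon actually sends in the TLS handshake
#  cert_subject_issuer CERT          -> subject and issuer, to spot an auto-generated default cert
# Assumes the openssl CLI; PASSIN uses openssl's -passin syntax, e.g. pass:secret or file:/path.

cert_key_match() {
    cert="$1"; key="$2"; passin="$3"
    # Extract the SubjectPublicKeyInfo from the certificate ...
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # ... and derive the public key from the private key; works for RSA and EC keys.
    if [ -n "$passin" ]; then
        key_pub=$(openssl pkey -in "$key" -pubout -passin "$passin" 2>/dev/null </dev/null) || return 2
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) || return 2
    fi
    # Identical PEM public keys means the pair belongs together.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

cert_fingerprint() {
    # Prints e.g. AB:CD:...; compare with the fingerprint Evolution shows for the imported cert.
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

presented_cert_fingerprint() {
    host="$1"; port="$2"
    # Implicit TLS as used by pop3d-ssl (995) / imapd-ssl (993); the leaf cert is the first
    # PEM block in the s_client output. If this differs from cert_fingerprint FILE, the daemon
    # is loading a different file than the one you generated.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

cert_subject_issuer() {
    openssl x509 -in "$1" -noout -subject -issuer
}
```

Run cert_key_match on the server's configured certificate and key first; if that fails, no client-side import will help, because the daemon cannot even load the pair.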

Author Comment

ID: 24429316
I gave up and installed Dovecot, and am able to download mail with a bad (default) certificate. Until I can create certs that pass the openssl s_client test, the only authentication method is password, and even so, I have inconsistent results with that:
-Ever since I cleared the password from my client while troubleshooting courier pop3 connections, if I'm prompted for a password, the user password I type in is not accepted.
-If I'm not prompted for a password the mail gets downloaded, but how long that will work remains a mystery, since I can't store a password that isn't accepted.  The email user account name in the client matches the Linux account name on the server, so how password authentication over a LAN connection also fails is as mysterious as the SSL certificate signature failure.

I thought that the simplest thing would be to edit the default SSL Certificate check options that postfix displays (OU = Office for Complication of Otherwise Simple Affairs etc) but I can't find the file where these settings are stored - it doesn't appear to be anywhere in /etc and it doesn't make sense for it to be anywhere else.  Is it perhaps in binary form?  Let me know thanks.

Author Closing Comment

ID: 31578342
Again, a "started to help" question that was left unanswered.
