• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2373
  • Last Modified:

Evolution client imports the wrong ssl certificate

I am trying to download email via courier imap to a client pop3 account with a valid self-signed ssl certificate.  I have followed instructions at https://help.ubuntu.com/community/OpenSSL for the browser certificate and http://jonsview.com/2008/07/14/setting-up-email-services-on-ubuntu-hardy-using-postfix-and-courier for the mail certificate.

The EvolutionSMTP.p12 file that I import into my client email account shows all the wrong information!  When I try to download email, the certificate warning tells me the signature is bad - it's an automatically generated issue from NY that expires in 2019.  The certificate I generated expires in 2014 and it's from my state (not NY;  I should probably reduce it from 1825 days to expire in 365 but it's not working anyway).

I copied EvolutionSMTP.p12 from /etc/postfix/ssl where I  generated it to my home folder on the server, scp'd the file to my laptop and then imported it into my email client, after clearing the client-generated db files in .evolution.  However the certificate that appears in my Evolution client doesn't correspond to the certificate I created (wrong issuer and expiration date).  I've tried following the steps in the above urls several times, the latest with a new password that is accepted, but still the email certificate that is displayed is auto-generated.  What to do?
  • 6
  • 2
1 Solution
Kerem ERSOYPresidentCommented:

It is obvious that your system does not look to find the certificate in the folder you've placed it. So please check your pop server config files and find out where does it keep its certificate files. Then copy the certificate to the right folder with the correct name. Restart your pop server and retry. You'll understand that you've one it correctly when you see the cerficate information from your server matches your sel signed certificate. Settin Certificate life has nothing to do with it. So you don't need to try to keep it shorter.
sara_bellumAuthor Commented:
Here's what I found in the ubuntu forum:

"Open your web hosting site using https in firefox (I used my https webmail).  //I don't have https
Double-click on the padlock icon in the status bar at the bottom of the window // or a padlock
Click on the security tab, Click view certificate, Click details, Click export.
Save as an X.509 Certificate (first option).
Open Evolution, Edit>Preferences>Certficates, Click Import
Browse to the certificate you just saved, click Open, You're done!"

I have no padlock on my home page, so I'm still stuck...I checked my Wordpress config (wordpress is installed in my doc root) and there's nothing there on ssl that I can associate with this problem :(
I think I need to set up an https site in apache, which I don't need right now but I guess I can set up a bogus one...
sara_bellumAuthor Commented:
Sorry that I've been unavailable to work on this enough to report back, but it's an amazingly complex issue!  I've implemented everything from here: https://help.ubuntu.com/community/OpenSSL and was able to import a certificate, but the one that Evolution looks for is automatically generated.

So I found this: http://www.linux-noob.com/forums/index.php?showtopic=2223 and was able to localize the default settings on the server for automatically generated certificates; I then restarted pop and pop-ssl services.  My Evolution client now reads the correct location and expiration date, so the automatically generated certificate doesn't look as bad as the I'm-in-NY-and-expire-in-10-years certs that I saw before.  However the Evolution client still tells me that the automatically generated cert is bad, and I can't import a certificate to the client to authenticate something that's automatically generated.  There's no setting on the client that allows me to change how it authenticates either :(  
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Kerem ERSOYPresidentCommented:
Hi in fact since you're generatiing your own servers they are ot valid certificates that could be traced back to known signers and validation be checked by third parties. So if you don't use a certificate from a well-known issuer this is the normal behaviour. however if you don't want it to cause errors on client side what you would do id to get the certificate and include it to your certficates chain so that iit wont cause any errors to the client.

what OS do your clients use ?
sara_bellumAuthor Commented:
The OS on the clients is also Ubuntu (Debian) Linux.

Since I can import a cert into the Evolution client that is associated with a stable server key (but not one that is automatically generated) I changed the pop3d.cnf file in /etc/courier to disable the auto-generate-ssl-key and copied all files to /home/user/myCA.  I now have an updated mail certificate in Evolution that has the right location and expiration date which is presumably associated with the correct key, but I can't fetch mail :(

The error in the client says just that: error fetching mail.  I got no errors on the server when restarting pop and pop-ssl.

I'm still working with this page: https://help.ubuntu.com/community/OpenSSL 
It sure would help to find some errors.
sara_bellumAuthor Commented:
Here's where I am now - either the procedures at the latest url are wrong or there's something in my server config that prevents their correct implementation.

# openssl s_server -key server_key.pem -cert mycert.pem -CAfile server_crt.pem -state -Verify 10
verify depth is 10, must return a certificate
Enter pass phrase for server_key.pem:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
22900:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
sara_bellumAuthor Commented:
I gave up and installed Dovecot, and am able to download mail with a bad (default) certificate. Until I can create certs that pass the openssl s_client test, the only authentication method is password, and even so, I have inconsistent results with that:
-Ever since I cleared the password from my client while troubleshooting courier pop3 connections, if I'm prompted for a password, the user password I type in is not accepted.
-If I'm not prompted for a password the mail gets downloaded, but how long that will work remains a mystery, since I can't store a password that isn't accepted.  The email user account name in the client matches the Linux account name on the server, so how password authentication over a LAN connection also fails is as mysterious as the SSL certificate signature failure.

I thought that the simplest thing would be to edit the default SSL Certificate check options that postfix displays (OU = Office for Complication of Otherwise Simple Affairs etc) but I can't find the file where these settings are stored - it doesn't appear to be anywhere in /etc and it doesn't make sense for it to be anywhere else.  Is it perhaps in binary form?  Let me know thanks.
sara_bellumAuthor Commented:
Again, a "started to help" question that was left unanswered.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now