Solved

Evolution client imports the wrong ssl certificate

Posted on 2009-05-05
10
2,307 Views
Last Modified: 2013-11-22
I am trying to download email via courier imap to a client pop3 account with a valid self-signed ssl certificate.  I have followed instructions at https://help.ubuntu.com/community/OpenSSL for the browser certificate and http://jonsview.com/2008/07/14/setting-up-email-services-on-ubuntu-hardy-using-postfix-and-courier for the mail certificate.

The EvolutionSMTP.p12 file that I import into my client email account shows all the wrong information!  When I try to download email, the certificate warning tells me the signature is bad - it's an automatically generated issue from NY that expires in 2019.  The certificate I generated expires in 2014 and it's from my state (not NY;  I should probably reduce it from 1825 days to expire in 365 but it's not working anyway).

I copied EvolutionSMTP.p12 from /etc/postfix/ssl where I  generated it to my home folder on the server, scp'd the file to my laptop and then imported it into my email client, after clearing the client-generated db files in .evolution.  However the certificate that appears in my Evolution client doesn't correspond to the certificate I created (wrong issuer and expiration date).  I've tried following the steps in the above urls several times, the latest with a new password that is accepted, but still the email certificate that is displayed is auto-generated.  What to do?
0
Comment
Question by:sara_bellum
  • 6
  • 2
10 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24320663
Hi,

It is obvious that your system does not look to find the certificate in the folder you've placed it. So please check your pop server config files and find out where does it keep its certificate files. Then copy the certificate to the right folder with the correct name. Restart your pop server and retry. You'll understand that you've one it correctly when you see the cerficate information from your server matches your sel signed certificate. Settin Certificate life has nothing to do with it. So you don't need to try to keep it shorter.
 
Cheers,
K.
0
 

Author Comment

by:sara_bellum
ID: 24352139
Here's what I found in the ubuntu forum:

"Open your web hosting site using https in firefox (I used my https webmail).  //I don't have https
Double-click on the padlock icon in the status bar at the bottom of the window // or a padlock
Click on the security tab, Click view certificate, Click details, Click export.
Save as an X.509 Certificate (first option).
Open Evolution, Edit>Preferences>Certficates, Click Import
Browse to the certificate you just saved, click Open, You're done!"

I have no padlock on my home page, so I'm still stuck...I checked my Wordpress config (wordpress is installed in my doc root) and there's nothing there on ssl that I can associate with this problem :(
I think I need to set up an https site in apache, which I don't need right now but I guess I can set up a bogus one...
0
 

Author Comment

by:sara_bellum
ID: 24409740
Sorry that I've been unavailable to work on this enough to report back, but it's an amazingly complex issue!  I've implemented everything from here: https://help.ubuntu.com/community/OpenSSL and was able to import a certificate, but the one that Evolution looks for is automatically generated.

So I found this: http://www.linux-noob.com/forums/index.php?showtopic=2223 and was able to localize the default settings on the server for automatically generated certificates; I then restarted pop and pop-ssl services.  My Evolution client now reads the correct location and expiration date, so the automatically generated certificate doesn't look as bad as the I'm-in-NY-and-expire-in-10-years certs that I saw before.  However the Evolution client still tells me that the automatically generated cert is bad, and I can't import a certificate to the client to authenticate something that's automatically generated.  There's no setting on the client that allows me to change how it authenticates either :(  
0
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24409793
Hi in fact since you're generatiing your own servers they are ot valid certificates that could be traced back to known signers and validation be checked by third parties. So if you don't use a certificate from a well-known issuer this is the normal behaviour. however if you don't want it to cause errors on client side what you would do id to get the certificate and include it to your certficates chain so that iit wont cause any errors to the client.

what OS do your clients use ?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:sara_bellum
ID: 24415403
The OS on the clients is also Ubuntu (Debian) Linux.

Since I can import a cert into the Evolution client that is associated with a stable server key (but not one that is automatically generated) I changed the pop3d.cnf file in /etc/courier to disable the auto-generate-ssl-key and copied all files to /home/user/myCA.  I now have an updated mail certificate in Evolution that has the right location and expiration date which is presumably associated with the correct key, but I can't fetch mail :(

The error in the client says just that: error fetching mail.  I got no errors on the server when restarting pop and pop-ssl.

I'm still working with this page: https://help.ubuntu.com/community/OpenSSL
It sure would help to find some errors.
0
 

Author Comment

by:sara_bellum
ID: 24425771
Here's where I am now - either the procedures at the latest url are wrong or there's something in my server config that prevents their correct implementation.

# openssl s_server -key server_key.pem -cert mycert.pem -CAfile server_crt.pem -state -Verify 10
verify depth is 10, must return a certificate
Enter pass phrase for server_key.pem:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
22900:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
0
 

Author Comment

by:sara_bellum
ID: 24429316
I gave up and installed Dovecot, and am able to download mail with a bad (default) certificate. Until I can create certs that pass the openssl s_client test, the only authentication method is password, and even so, I have inconsistent results with that:
-Ever since I cleared the password from my client while troubleshooting courier pop3 connections, if I'm prompted for a password, the user password I type in is not accepted.
-If I'm not prompted for a password the mail gets downloaded, but how long that will work remains a mystery, since I can't store a password that isn't accepted.  The email user account name in the client matches the Linux account name on the server, so how password authentication over a LAN connection also fails is as mysterious as the SSL certificate signature failure.

I thought that the simplest thing would be to edit the default SSL Certificate check options that postfix displays (OU = Office for Complication of Otherwise Simple Affairs etc) but I can't find the file where these settings are stored - it doesn't appear to be anywhere in /etc and it doesn't make sense for it to be anywhere else.  Is it perhaps in binary form?  Let me know thanks.
0
 

Author Closing Comment

by:sara_bellum
ID: 31578342
Again, a "started to help" question that was left unanswered.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
The purpose of this video is to demonstrate how to set up a Mailchimp campaign. This will include styling and adding elements to a newsletter/email. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchim…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now