Solved

Evolution client imports the wrong ssl certificate

Posted on 2009-05-05
10
2,332 Views
Last Modified: 2013-11-22
I am trying to download email via courier imap to a client pop3 account with a valid self-signed ssl certificate.  I have followed instructions at https://help.ubuntu.com/community/OpenSSL for the browser certificate and http://jonsview.com/2008/07/14/setting-up-email-services-on-ubuntu-hardy-using-postfix-and-courier for the mail certificate.

The EvolutionSMTP.p12 file that I import into my client email account shows all the wrong information!  When I try to download email, the certificate warning tells me the signature is bad - it's an automatically generated issue from NY that expires in 2019.  The certificate I generated expires in 2014 and it's from my state (not NY;  I should probably reduce it from 1825 days to expire in 365 but it's not working anyway).

I copied EvolutionSMTP.p12 from /etc/postfix/ssl where I  generated it to my home folder on the server, scp'd the file to my laptop and then imported it into my email client, after clearing the client-generated db files in .evolution.  However the certificate that appears in my Evolution client doesn't correspond to the certificate I created (wrong issuer and expiration date).  I've tried following the steps in the above urls several times, the latest with a new password that is accepted, but still the email certificate that is displayed is auto-generated.  What to do?
0
Comment
Question by:sara_bellum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
10 Comments
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24320663
Hi,

It is obvious that your system does not look to find the certificate in the folder you've placed it. So please check your pop server config files and find out where does it keep its certificate files. Then copy the certificate to the right folder with the correct name. Restart your pop server and retry. You'll understand that you've one it correctly when you see the cerficate information from your server matches your sel signed certificate. Settin Certificate life has nothing to do with it. So you don't need to try to keep it shorter.
 
Cheers,
K.
0
 

Author Comment

by:sara_bellum
ID: 24352139
Here's what I found in the ubuntu forum:

"Open your web hosting site using https in firefox (I used my https webmail).  //I don't have https
Double-click on the padlock icon in the status bar at the bottom of the window // or a padlock
Click on the security tab, Click view certificate, Click details, Click export.
Save as an X.509 Certificate (first option).
Open Evolution, Edit>Preferences>Certficates, Click Import
Browse to the certificate you just saved, click Open, You're done!"

I have no padlock on my home page, so I'm still stuck...I checked my Wordpress config (wordpress is installed in my doc root) and there's nothing there on ssl that I can associate with this problem :(
I think I need to set up an https site in apache, which I don't need right now but I guess I can set up a bogus one...
0
 

Author Comment

by:sara_bellum
ID: 24409740
Sorry that I've been unavailable to work on this enough to report back, but it's an amazingly complex issue!  I've implemented everything from here: https://help.ubuntu.com/community/OpenSSL and was able to import a certificate, but the one that Evolution looks for is automatically generated.

So I found this: http://www.linux-noob.com/forums/index.php?showtopic=2223 and was able to localize the default settings on the server for automatically generated certificates; I then restarted pop and pop-ssl services.  My Evolution client now reads the correct location and expiration date, so the automatically generated certificate doesn't look as bad as the I'm-in-NY-and-expire-in-10-years certs that I saw before.  However the Evolution client still tells me that the automatically generated cert is bad, and I can't import a certificate to the client to authenticate something that's automatically generated.  There's no setting on the client that allows me to change how it authenticates either :(  
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24409793
Hi in fact since you're generatiing your own servers they are ot valid certificates that could be traced back to known signers and validation be checked by third parties. So if you don't use a certificate from a well-known issuer this is the normal behaviour. however if you don't want it to cause errors on client side what you would do id to get the certificate and include it to your certficates chain so that iit wont cause any errors to the client.

what OS do your clients use ?
0
 

Author Comment

by:sara_bellum
ID: 24415403
The OS on the clients is also Ubuntu (Debian) Linux.

Since I can import a cert into the Evolution client that is associated with a stable server key (but not one that is automatically generated) I changed the pop3d.cnf file in /etc/courier to disable the auto-generate-ssl-key and copied all files to /home/user/myCA.  I now have an updated mail certificate in Evolution that has the right location and expiration date which is presumably associated with the correct key, but I can't fetch mail :(

The error in the client says just that: error fetching mail.  I got no errors on the server when restarting pop and pop-ssl.

I'm still working with this page: https://help.ubuntu.com/community/OpenSSL 
It sure would help to find some errors.
0
 

Author Comment

by:sara_bellum
ID: 24425771
Here's where I am now - either the procedures at the latest url are wrong or there's something in my server config that prevents their correct implementation.

# openssl s_server -key server_key.pem -cert mycert.pem -CAfile server_crt.pem -state -Verify 10
verify depth is 10, must return a certificate
Enter pass phrase for server_key.pem:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
22900:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:399:
0
 

Author Comment

by:sara_bellum
ID: 24429316
I gave up and installed Dovecot, and am able to download mail with a bad (default) certificate. Until I can create certs that pass the openssl s_client test, the only authentication method is password, and even so, I have inconsistent results with that:
-Ever since I cleared the password from my client while troubleshooting courier pop3 connections, if I'm prompted for a password, the user password I type in is not accepted.
-If I'm not prompted for a password the mail gets downloaded, but how long that will work remains a mystery, since I can't store a password that isn't accepted.  The email user account name in the client matches the Linux account name on the server, so how password authentication over a LAN connection also fails is as mysterious as the SSL certificate signature failure.

I thought that the simplest thing would be to edit the default SSL Certificate check options that postfix displays (OU = Office for Complication of Otherwise Simple Affairs etc) but I can't find the file where these settings are stored - it doesn't appear to be anywhere in /etc and it doesn't make sense for it to be anywhere else.  Is it perhaps in binary form?  Let me know thanks.
0
 

Author Closing Comment

by:sara_bellum
ID: 31578342
Again, a "started to help" question that was left unanswered.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PHP contact form that lets the user to contact the company through email contact form. A button is fixed at the bottom of site, on clicking a new window will open where a user can send the email.
Read this checklist to learn more about the 15 things you should never include in an email signature.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question