Koozali.org: home of the SME Server

Security Certificates problems

D Burke

Security Certificates problems
« on: April 18, 2001, 10:04:12 AM »
I'm using the E-smith server/gateway v4.1.1. I'm using the IMP webmail package installed with the server. Everything is going great except for one thing:
When I try to access the IMP program over the web OR on my intranet I get the same error message every time. Using either Netscape or IE.

Security Alert - The name on the security certificate does not match the name on the site.
I look at the certificate and it says the name of my site. mydomain.xxx
I install it in the "Trusted Root Certification Store" complete the installation and proceed to the login screen. It always says Certificate Import successful.

E-mail and everything works great but this error message each time I access my mail is a pain.

Thanks in advance!

Alejandro

Re: Security Certificates problems
« Reply #1 on: April 18, 2001, 09:25:07 PM »
What kind of connection is your server's.....With a dynamic ip your "ip name" is always changing.

This is just an idea of what could be happening
someone else may think different  :} ?
Alejandro

Dan Brown

Re: Security Certificates problems
« Reply #2 on: April 19, 2001, 02:32:21 AM »
Well, there are two likely problems here.  First, I think the default certificate is created for a different hostname.  For example, if you're www.mydomain.com, the certificate is created for secure.mydomain.com (or www.secure.mydomain.com; I can't remember which).  I know this is what was done in earlier releases of the SSL add-on; I'm not 100% positive if they've retained this behavior in 4.1.1, but I think they have.  There's probably a reason for it, but it's almost guaranteed to cause security warnings.

The second problem is that your browser may not recognize the Certificate Authority (CA) that signed your certificate.  Because your certificate is signed by your own server, the browser won't recognize it.  The only way around this on any kind of permanent basis is to import your CA certificate (which is why I have a link to it on my server's home page).

Des Dougan

Re: Security Certificates problems
« Reply #3 on: April 19, 2001, 02:45:32 AM »
Dan,

The message which pops up allows the certificate to be imported, but I suspect that your point about the domain is correct: "The name on the security certificate does not match the name on the site"

How did you import the certificate?

Thanks,

Des Dougan

Dan Brown

Re: Security Certificates problems
« Reply #4 on: April 19, 2001, 03:27:25 AM »
To import the certificate, I pointed the browser toward the CA cert, not the server cert.  That involved making a copy of it under the web root.  I don't know where the CA cert is under e-smith 4.1.1--I'm using a certificate I made a while ago.

What you really need to do is make (or buy) a new server certificate that points to the correct name of your server.  There are lots of ways of making SSL certificates; I use the ssl.ca toolkit available from http://www.md.com.my/pub/linux/MD/.  You'll need to know where the CA cert is, or make a new one (probably the latter is a better idea), and you should save the new server cert and key to /home/e-smith/ssl.crt and /home/e-smith/ssl.key, respectively.

Hope this helps.

Alejandro

Re: Security Certificates problems
« Reply #5 on: November 01, 2001, 05:58:45 PM »
Dan Brown wrote:
> To import the certificate, I pointed the browser toward the
> CA cert, not the server cert.  That involved making a copy of
> it under the web root.  I don't know where the CA cert is
> under e-smith 4.1.1--I'm using a certificate I made a while
> ago.
> What you really need to do is make (or buy) a new server
> certificate that points to the correct name of your server.
> There are lots of ways of making SSL certificates; I use the
> ssl.ca toolkit available from
> http://www.md.com.my/pub/linux/MD/.  You'll need to know
> where the CA cert is, or make a new one (probably the latter
> is a better idea), and you should save the new server cert
> and key to /home/e-smith/ssl.crt and /home/e-smith/ssl.key,
> respectively.
> Hope this helps.

Dan:
I downloaded the files, but I'm not able to run the scripts mentioned in the readme files.
Would you be patient and explain to me how to get it to work?
I know it could be stressing, but I have spent some time on this with no clues and can't figure out what to do.
I receive this message when I try to run them (unexpected end of file at line 57 or 52 depending on which script is run).
I have tried it this way:
"bash ./new-root-ca-cert.sh" inside a newly created folder in a dwnld ibay I have in my server. It would not surprise me if I'm doing stupid things (as every newbie does).
Many thanks in advance
Alejandro

Dan Brown

Re: Security Certificates problems
« Reply #6 on: November 01, 2001, 10:39:42 PM »
Not sure why you're getting these errors, but FWIW, I put the ssl-ca files in a folder under /root, and ran them as root.  I haven't tried them extensively under SME 5, so it's possible that there's something in the upgrade that breaks them, but I wouldn't think so.

Alejandro

Re: Security Certificates problems
« Reply #7 on: November 01, 2001, 11:21:00 PM »
Dan:
First of all, thanks for your quick response!
I'll tell you what I did
The server has no monitor, so I'm running commands remotely. I don't know if this has something to do with the problem, so I decided to run manually the process followed by the script files.
After many steps backward and forward I could get "produced" two files called
secure.reboredo.net.key and secure.reboredo.net.crt and replace the ones my box generated when I upgraded to SME v5 (of course I made a backup before).
The two new files (crt and key) are "almost" perfect, just one thing: I'm receiving the same security advice "The name on the certificate is not valid or does not match with the name on the site"
So too much work and I'm in the same place!!!
But I know my problem is my name! Who am I? (Just a Hamlet kind of problem ;-))

What should be my server name to match my certificate or vice versa?
My site name is www.reboredo.net but I don't know why the name who issues the certificate is just "reboredo.net", so if I declare my name as just "reboredo.net" when I'm configuring the files needed by the scripts, could it solve something?

I know there is a way to find an answer to it (just do it all over again) but if it is useless it would be a real waste of time!

Thanks in advance, for your thoughts about this !

Alejandro

Dan Brown

Re: Security Certificates problems
« Reply #8 on: November 01, 2001, 11:24:24 PM »
If your site name is www.reboredo.net, and your certificate is made for secure.reboredo.net, they won't match.  If your site is going by www.reboredo.net, the certificate should be made for that name as well.
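
The mismatch described in the reply above can be reproduced and checked locally with openssl before a certificate is installed. This is an added example, not part of the original thread: it creates throwaway self-signed certificates in a temporary directory, and the helper names (`make_cert`, `cert_subject`, `cert_matches`) are hypothetical.

```shell
#!/bin/sh
# Added example: certificates and paths here are constructed for illustration.

# make_cert NAME DIR: write a throwaway self-signed key and certificate
# whose subject Common Name is NAME (DIR/NAME.key and DIR/NAME.crt).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# cert_subject CRT: print the subject, i.e. the name the certificate was made for.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# cert_matches CRT HOST: succeed only if the certificate is valid for HOST.
# openssl reports the result as text ("does match" / "does NOT match"),
# so the output is inspected with grep.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q "does match certificate"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# One certificate per candidate name from the thread.
make_cert secure.reboredo.net "$workdir"
make_cert www.reboredo.net "$workdir"

# Compare each certificate against each name a browser might be pointed at.
for crt in "$workdir"/*.crt; do
    cert_subject "$crt"
    for host in www.reboredo.net reboredo.net secure.reboredo.net; do
        if cert_matches "$crt" "$host"; then
            echo "  $host: OK"
        else
            echo "  $host: name mismatch warning"
        fi
    done
done
```

Only the certificate whose name equals the address typed into the browser passes; a certificate for `secure.reboredo.net` fails for `www.reboredo.net`, and one for `www.reboredo.net` fails for the bare `reboredo.net`.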

Alejandro

Re: Security Certificates problems
« Reply #9 on: November 01, 2001, 11:59:29 PM »
I told you I was a newbie..... ;-)

darren

Re: Security Certificates problems
« Reply #10 on: November 27, 2001, 11:05:28 AM »
Having trouble installing certificates.
Once you have created the files www.mydomain.com.crt and www.mydomain.com.key
and copied them into the /home/e-smith/ssl.key and ssl.crt,
do you have to restart anything or install the www.mydomain.com.csr anywhere?
I followed the instructions from the ssl.ca-0.1.tar.gz but I still get my old certificate with the mydomain.com

thanks for any help