Koozali.org: home of the SME Server

Self signed cert nightmare

Offline Drifting

Self signed cert nightmare
« on: November 24, 2015, 11:49:27 AM »
Hi People.

I have been using Outlook and a backend IMAP SME server for years, and have used a self-signed cert. Something has changed on the last update to either the server or the Win7 workstations.

Problem.
Usual message about the certificate, so open IE with admin rights, go to the mail server website, install the cert into Trusted Root, then modify the hosts file to fake the name:- 10.0.0.1 mail.server.local mail.server.com
This would normally allow Outlook to work fine, without moaning about the certificate.

Cert Expired.
I am sure I am missing something basic here, as I go through the same procedure as above; however, there is now a slightly longer message saying "See attached image". And when I view the certificate it shows the expired one? Baffled?

Ran certmgr.msc and removed all versions of the certificate for the server, installed them as above again. Same end result as the attached image!

I am rather at a loss, suppose I could consider buying a cert, but always being short of money it would be a last resort.

Regards P
Infamy, Infamy, they all have it in for me!

Offline byte

Re: Self signed cert nightmare
« Reply #1 on: November 24, 2015, 11:52:57 AM »
Are you using cacert.org?

If you click on view certificate what does that tell you?

What does this show?:

Code:
config show modSSL
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline Drifting

Re: Self signed cert nightmare
« Reply #2 on: November 24, 2015, 12:23:47 PM »
Quote
Are you using cacert.org?

If you click on view certificate what does that tell you?

What does this show?:

Code:
config show modSSL

Hi, thanks for the reply, and no, I was not using cacert.org.

And yes, I view the certificate in IE on the workstation, and it clearly states the SME server and the expiry date of Nov 2016. However, when I open Outlook and it complains about the certificate, and you view it from there, that one has expired? I am really confused, and according to the cert manager there is no certificate that has expired? As I said, even the Server Manager page displays without a cert error. It is as if Outlook has somehow cached the expired certificate?

Regards P
Infamy, Infamy, they all have it in for me!

Offline mmccarn

Re: Self signed cert nightmare
« Reply #3 on: November 25, 2015, 03:11:57 PM »
I had a similar problem in October with Thunderbird -- an update to Thunderbird had changed the SSL/TLS protocols supported.

I fixed it by modifying 'modSSL CipherSuite', although I think I could also have modified 'qpsmtpd tlsCipher' to avoid resetting my web server cipher settings at the same time. I don't know if Outlook has a way for you to identify where the connection is failing.

Here's a lengthy discussion about problems with iOS 9 and SSL ciphers that might have useful info:
http://forums.contribs.org/index.php/topic,51944.30.html

Offline Drifting

Re: Self signed cert nightmare
« Reply #4 on: November 25, 2015, 03:31:12 PM »
Thanks for the reply.

I will have a read up. I am just beginning to wonder if I have found a bug? The reason I say this is that I have two SME servers, both on version 8.1, doing the same thing with Outlook clients. Sadly my knowledge is not that good on SME and certificates, but I am about to have a read up on the docs. If there is someone in the know, could it be that the mail server has the wrong certificate, and when it renewed it somehow did not replace the expired one? As I say, that was not through knowledge, and any input from anyone would be greatly appreciated.

Regards P
Infamy, Infamy, they all have it in for me!

Offline CharlieBrady

Re: Self signed cert nightmare
« Reply #5 on: December 01, 2015, 06:06:30 PM »
Quote
Cert Expired.
I am sure I am missing something basic here, as I go through the same procedure as above; however, there is now a slightly longer message saying "See attached image". And when I view the certificate it shows the expired one?

So this shows that your service (probably IMAP or IMAPs) is using the expired certificate.

Quote
I am just beginning to wonder if I have found a bug?

If you wonder that, then you should report the issue via the bug tracker. That way the issue can be investigated and diagnosed.
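
An added diagnostic for the point mmccarn and CharlieBrady make above (example code written for this page, not from the thread or from SME Server): it connects to the same host on 443, 993 and 143 (STARTTLS), reports the negotiated TLS version and cipher, and parses notAfter straight out of the served DER, so an expired certificate on the IMAP service shows up even when the web server's certificate is fine. The script name, the command-line usage and SAMPLE_DER (a constructed skeleton, not a real certificate) are assumptions; mail.server.local is the host name from the thread.

```python
import calendar, imaplib, socket, ssl, sys, time

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):
    """Walk Certificate > tbsCertificate > validity; return (notBefore, notAfter) as epoch seconds."""
    _, p, _ = _tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                  # tbsCertificate SEQUENCE
    if der[p] == 0xA0:                      # optional [0] EXPLICIT version
        _, _, p = _tlv(der, p)
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, p = _tlv(der, p)
    _, p, _ = _tlv(der, p)                  # validity SEQUENCE
    times = []
    for _ in range(2):                      # notBefore, notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
        tag, s, p = _tlv(der, p)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
        times.append(calendar.timegm(time.strptime(der[s:p].decode("ascii"), fmt)))
    return tuple(times)

def summarize(der, now=None):               # is the served certificate expired relative to `now`?
    now = time.time() if now is None else now
    _, not_after = cert_validity(der)
    return {"not_after": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(not_after)), "expired": not_after < now}

def served_cert(host, port, starttls_imap=False, timeout=10):
    """Return (der, tls_version, cipher) the server really presents; verification is off on purpose."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # keep expired/self-signed certs inspectable
    if starttls_imap:                       # plain IMAP on 143, upgraded with STARTTLS
        conn = imaplib.IMAP4(host, port, timeout=timeout)
        conn.starttls(ssl_context=ctx)
        sock = conn.sock
    else:                                   # implicit TLS (443, 993)
        sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout), server_hostname=host)
    return sock.getpeercert(binary_form=True), sock.version(), sock.cipher()[0]

# Constructed minimal DER skeleton, not a real certificate: only the fields the parser walks, Nov 2015 to Nov 2016.
SAMPLE_DER = bytes.fromhex("302e302ca00302010202010130003000301e170d3135313132343131343930305a170d3136313132343131343930305a")

if __name__ == "__main__":                  # assumed usage: python check_served_cert.py mail.server.local
    for label, port, upgrade in (("https", 443, False), ("imaps", 993, False), ("imap+starttls", 143, True)):
        der, version, cipher = served_cert(sys.argv[1], port, upgrade)
        print(label, version, cipher, summarize(der))
```

If the 993 or 143 line reports an earlier notAfter than the 443 line, the mail service is serving a different certificate from the web server, which is exactly the situation described in this thread.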

Offline Drifting

Re: Self signed cert nightmare
« Reply #6 on: December 01, 2015, 09:11:46 PM »
Quote
So this shows that your service (probably IMAP or IMAPs) is using the expired certificate.

So I would assume? But the cert was updated, and the SME webserver has the correct certificate, and once accepted, all is happy.

Quote
If you wonder that, then you should report the issue via the bug tracker. That way the issue can be investigated and diagnosed.

Wondering, and being accurate and sure before I put in an error report to far more clever people than I. I might if I can get nowhere.

Actually, I am going to follow the instructions on the Wiki about generating a longer-lasting certificate. I assume, by following the deletions and re-creation of the certificates, that if something did go amiss, it would correct it? Will report back on that one.

P
Infamy, Infamy, they all have it in for me!

Offline CharlieBrady

Re: Self signed cert nightmare
« Reply #7 on: December 01, 2015, 10:24:32 PM »
Quote
Wondering, and being accurate and sure before I put in an error report to far more clever people than I.

We don't want you to be sure; we want you to report all possible bugs to the bug tracker. That way we can get you to help us to investigate the issue, and we can fix it if it turns out to be a software problem.

Offline Knuddi

Re: Self signed cert nightmare
« Reply #8 on: December 02, 2015, 09:00:55 AM »
I would go for a "proper" certificate as it makes things easier and causes less friction with the users.

See: http://forums.contribs.org/index.php/topic,52028.0.html

At StartSSL you can get one for free for a single hostname (mail.domain.com) and it works as a charm.

Offline DanB35

Re: Self signed cert nightmare
« Reply #9 on: December 10, 2015, 02:44:27 AM »
...or now that letsencrypt.org is live, you can get a free, trusted cert for any number of domains/hostnames, generated, installed, and renewed (nearly) automatically. See http://wiki.contribs.org/Letsencrypt.