Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: Ted on February 02, 2009, 07:46:49 AM
-
As of 1:36 this afternoon (2 Feb 2009) my wife's and my email clients have decided that we no longer have a valid certificate from my home SME 7.4 server. The error message is as follows:
::::::::Start
"server.name.org" is a site that uses security certificate to encrypt data during transmission, but its certificate expired on 2/1/2009 1:36 PM.
You should check to make sure that your computer's time (currently set (correct time and date) ) is correct.
Would you like to continue anyway.
Options given are
View certificate Continue Cancel
::::::::::::::End
No matter what you do, this dialog will come back the next time Thunderbird checks email (POP for my wife, IMAP for me), both using SSL.
What do I need to do to either bypass this request for good or generate a new longer lived certificate?
Thanks
Ted
-
Ted
SME Server renews the self-signed certificate each year, on the anniversary date of original installation. So my guess is you first installed SME a year ago.
You need to reinstall the "newly issued" certificate into your web browser, in the same way as you would have originally done.
There are custom template changes that can make the self-signed certificate valid for a longer period of time (i.e. longer than the default one year).
See
/etc/e-smith/templates/home/e-smith/ssl.crt
Copy that fragment to
/etc/e-smith/templates-custom/home/e-smith/ssl.crt
then do
pico -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
and change the value for KEYLIFEINDAYS
on the first line to say 1826 for 5 years.
ctrl o
ctrl x
(to save & exit)
Then you need to wait for SME to create a new certificate, or force the creation of a new certificate immediately.
To delete the existing self-signed certificate and force SME to generate a new certificate, do
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
(replace filename with your correct server file/key names)
signal-event post-upgrade
signal-event reboot
Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time.
-
Ted
Also see
http://wiki.contribs.org/Certificate_Concepts
-
> You need to reinstall the "newly issued" certificate into your web browser, in the same way as you would have originally done.
No, I don't think that is the issue here. I think the issue being seen here is http://bugs.contribs.org/show_bug.cgi?id=2257 - there is a new certificate, but the server application is still using the old, expired certificate. Restarting the imaps service (e.g. by rebooting the server) will make that warning go away.
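
The condition described in this reply (a renewed certificate on disk while the running service still presents the old one) can be confirmed by comparing the two certificates. The script below is an added example, not part of the original post or of SME Server; it assumes an OpenSSL command-line tool with SHA-256 support, and the function names, the 30-day window and the usage shown in the comments are illustrative.

```shell
#!/bin/sh
# Added example: is a TLS service still presenting an old certificate after
# the file on disk was renewed? Function names are illustrative.

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeed if the certificate in $1 expires within $2 seconds (0 = already expired).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Save the certificate presented by host $1 on port $2 to file $3 (needs network).
fetch_served_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# check_stale DISK_CERT SERVED_CERT [WINDOW_SECONDS]
# Prints ERROR, STALE, EXPIRING or OK; non-zero exit for anything but OK.
check_stale() {
    fp_disk=$(cert_fingerprint "$1")
    fp_served=$(cert_fingerprint "$2")
    if [ -z "$fp_disk" ] || [ -z "$fp_served" ]; then
        echo ERROR; return 3        # unreadable or non-certificate input
    fi
    if [ "$fp_disk" != "$fp_served" ]; then
        echo STALE; return 1        # service has not loaded the file on disk
    fi
    if cert_expires_within "$2" "${3:-0}"; then
        echo EXPIRING; return 2     # same certificate, but at or near expiry
    fi
    echo OK
}

# Usage: script HOST PORT DISK_CERT, e.g. port 993 for IMAP over SSL and the
# .crt file under /home/e-smith/ssl.crt/ named in this thread.
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp) || exit 3
    fetch_served_cert "$1" "$2" "$tmp"
    check_stale "$3" "$tmp" 2592000   # warn 30 days ahead
    rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

A STALE result means the service needs a restart to pick up the certificate on disk; EXPIRING means the service and the file agree but the certificate itself is due for renewal.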
-
Thanks to you all. In this case a reboot took care of the problem. I'm used to telling people to reboot their Windows PCs before trying to diag a problem. It just did not occur to me to do the same with my SME server.
Ted
-
> I'm used to telling people to reboot their Windows PCs before trying to diag a problem. It just did not occur to me to do the same with my SME server.
Ted, this is a special case; SME does not require rebooting as a rule. But all rules have their exceptions. This one will be fixed when Bug 2257 is resolved.