Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: kruhm on August 11, 2011, 02:44:34 PM
-
Hi Everyone,
Does anyone have a rapidssl certificate correctly installed?
It works fine for https (443) without issue but it complains for imaps (993). This means when I go to the web mail everything's fine but when I access via mail client, it complains of a broken chain.
Can anyone provide any insight?
Thanks in advance,
-
It works fine for https (443) without issue but it complains for imaps (993). This means when I go to the web mail everything's fine but when I access via mail client, it complains of a broken chain.
Can anyone provide any insight?
Not when you do not specify the error message. Please keep in mind that we cannot see what you see, so you will have to provide us with information like exact error messages and the methods you tried. That way, instead of guessing, we can try and see if you did the right thing and see the clues you are seeing.
-
Hi Cactus,
Thanks for responding. Walked right into that one :-)
The email clients were giving generic responses:
"Certificate is not trusted, because it hasn't been verified by a recognized authority."
This led to openssl testing &amp; after looking further into it, it seems the https isn't working correctly either (but the browsers aren't complaining).
Here's the test:
echo GET | openssl s_client -connect server.tld:443
Here's the response:
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Here's the chain:
---
Certificate chain
0 s:/serialNumber=sFZ9unN4m/CU7LgUygwS8Hftfe1zdHM7/C=US/O=server.tld/OU=GT633231189/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=server.tld
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
It seems like the GeoTrust Global CA isn't issued by one of the Equifax CAs in the openssl CA BUNDLE located at /usr/share/ssl/
Any thoughts would be greatly appreciated.
Thanks,
-
The email clients were giving generic responses:
"Certificate is not trusted, because it hasn't been verified by a recognized authority."
It seems that it might still be taking the self-signed certificate generated by SME Server on install.
Here's the test:
echo GET | openssl s_client -connect server.tld:443
Here's the response:
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Is that really the full result? Even for my self-signed certificate I get a lot more output. What is the output of:
config show modSSL
I take it you already had a look at these:
http://wiki.contribs.org/Certificate
http://wiki.contribs.org/Certificates_Concepts
-
What is the output of:
mmmhh... Cactus, did you forget something here? :-)
-
mmmhh... Cactus, did you forget something here? :-)
Oops, yes. Corrected.
-
Oops, yes. Corrected.
Check the syntax... I can't see anything.
-
I have the rapidssl cert & chainfile installed. The crt is the one issued to me by rapidssl (obviously) & the chainfile is one published by rapidssl here:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
[root@server ssl.crt]# config show modSSL
modSSL=service
CertificateChainFile=/home/e-smith/MySSL/ssl.crt/RapidSSL_CA_bundle.pem
CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
TCPPort=443
access=public
crt=/home/e-smith/MySSL/ssl.crt/server.tld.crt
key=/home/e-smith/MySSL/ssl.key/server.tld.key
status=enabled
Thanks again,
-
Adding info to bug: http://bugs.contribs.org/show_bug.cgi?id=4450
-
Hi Everyone,
Just as a follow-up, the only way I could resolve this was to concatenate the server.crt, intermediate.crt &amp; the root.crt together into a single ca_bundle.crt.
openssl x509 -inform PEM -in "server.crt" -text > ca_bundle.crt
openssl x509 -inform PEM -in "RapidSSL_CA_bundle.pem" -text >> ca_bundle.crt
openssl x509 -inform PEM -in "GeoTrust_Global_CA.cer" -text >> ca_bundle.crt
Then change the CONFIG DB to remove the CertificateChainFile & use the ca_bundle.crt & signal events to expand & restart:
config delprop modSSL CertificateChainFile
config setprop modSSL crt /home/e-smith/path/to/your/crt/ca_bundle.crt
signal-event domain-modify
signal-event email-update
Corrections, direction & advice are always welcome.
Thanks for listening,