[TriLUG] mail.trilug.org server cert issue

Joseph S. Tate dragonstrider at gmail.com
Wed Jan 7 08:15:10 EST 2015


Alan, check back now in Thunderbird. The Mozilla project is starting
to enforce a certificate domain indexing service (which has some
forgettable acronym so I can't point you to it). When I renewed
StartSSL certs this week, it took a long time for them to list the new
cert in their public index, so I was getting nastygrams in Firefox and
"possibly insecure" warnings when looking at the connection in Chrome.
When I went back the next morning though the errors were gone.

Basically, thanks to public key indexes, you can no longer
procrastinate renewing certificates, so CAs get marginally extra
revenue (since they don't extend the existing cert when you renew, so
you lose an extra day or so, when you paid for a whole year).

I'll also answer questions on installing or renewing certs if anyone
has specific questions.

For David, look at your initscript that starts your mail server. It'll
give you hints as to how the self-signed certificates were originally
generated (maybe as a dependency). You may be able to just move the
existing certs out of the way (check your sendmail configuration for
file locations), and then restart the service.

For others, to generate a self-signed certificate that matches your
system (instead of using dummy data), here's a quick recipe:

# Create a 2048 bit key in the www.key file. No passphrase. (add -des3
to be prompted to protect with a passphrase, which is a good idea on a
shared computer, but harder to use on a headless box)
openssl genrsa -out www.key 2048

# Create a certificate signing request (answer all the questions,
where it asks for public name put in the FQDN of the server, e.g.,
mail.example.com)
openssl req -new -key www.key -out www.csr

# Then you can sign it (-req tells x509 the input is a CSR, not a certificate):
openssl x509 -req -days 365 -in www.csr -signkey www.key -out www.crt

Point your mail/web/other server config file to the new files, and restart them.

If you're using a real Certificate Authority like StartSSL (which is
free for non-commercial purposes), Comodo, GoDaddy, or any of the
others, take the csr from step 2 and submit it to the CA. You'll get
back from them the .crt file. The CA will have instructions on how to
install any intermediate certificates if required (usually required
unless you buy from VeriSign).

On Mon, Jan 5, 2015 at 8:34 PM, Alan Porter <porter at trilug.org> wrote:
>
> To follow up, I put the possibly-messed-up* certificates in place
> for dovecot and postfix, verified that all three files looked OK:
> (1) mail.trilug.org-startssl.crt (www.trilug.org CSR signed by startcom)
> (2) mail.trilug.org.key (the key used to generate #1), unencrypted
> (3) startcom-ca.pem (startcom's certificate authority cert)
>
> I restarted the services, and everything looks OK from the server
> perspective.  Both services are running OK, accepting TLS connections,
> receiving and serving mail.
>
> What I was *not* able to resolve was on Thunderbird my Mac.  When I
> opened my trilug.org mail, it gave me the standard certificate error,
> even though I have the StartCom CA certificate imported into t-bird
> and also into the Mac keychain.
>
> Sending and receiving from my iPhone worked fine.
>
>
> So I will conclude that:
> - The certificates work.
> - I still don't understand Thunderbird.
>
>
> Alan
>
>
> * "possibly-messed-up" means we answered the questions incorrectly
> when creating the CSR, so the Common Name was wrong inside the CSR.
> But we entered the correct names on the StartCom web site, and so
> it ignored the CN and SAN included in the CSR and just used the
> values from the web form (CN=mail.trilug.org, SAN=trilug.org).
>
>
>
>> We meant to make a new cert for mail.trilug.org, but the
>> CSR we submitted was for www.trilug.org.  It overwrote the
>> domain and the subjectAltName fields, and so it looked OK,
>> but then we saw some bounces somewhere, and to be conservative,
>> we switched it back quickly so we could look closer later.
>>
>> Alan
>>
>>
>>
>>
>



-- 
Joseph Tate
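As an added example (not part of the original mail or the list's own scripts), here is the self-signed recipe from the message above, extended with the two checks that would have caught the www.trilug.org/mail.trilug.org CSR mix-up discussed in the thread: printing the names a CSR actually carries before it goes to a CA, and verifying the finished certificate against the hostname the way a mail client does. It also puts the hostname in a subjectAltName, because clients ignore the CN once any SAN is present, and it passes the SAN again when self-signing, because `openssl x509 -req` does not copy extensions out of the CSR. All hostnames and the WORKDIR path are constructed placeholders; it assumes OpenSSL 1.1.1 or later for `-addext` and `-verify_hostname`.

```shell
#!/bin/sh
# Added example, not from the original mail: key + CSR with a SAN, a look at
# the names in the CSR before submitting it, a self-signed cert that keeps the
# SAN, and a hostname check. Hostnames and paths here are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Key + CSR for one hostname. -subj answers the interactive questions;
# -addext puts the name in subjectAltName as well as CN, since clients ignore
# CN whenever a SAN is present (needs OpenSSL 1.1.1+).
make_csr() {
    host="$1"
    openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Print "CN=<cn> SAN=<san>" for a CSR. Run this before submitting to a CA, so a
# CSR made for www.* is not sent off for the mail host by mistake.
csr_names() {
    csr="$1"
    cn=$(openssl req -in "$csr" -noout -subject | sed 's/.*CN *= *//')
    san=$(openssl req -in "$csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//')
    echo "CN=$cn SAN=$san"
}

# Self-sign the CSR as in step 3 of the recipe, but keep the SAN: x509 drops
# the CSR's extensions unless they are supplied again through -extfile.
self_sign() {
    host="$1"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORKDIR/$host.ext"
    openssl x509 -req -days 365 -in "$WORKDIR/$host.csr" \
        -signkey "$WORKDIR/$host.key" -extfile "$WORKDIR/$host.ext" \
        -out "$WORKDIR/$host.crt" 2>/dev/null
}

# Does the cert validate for a hostname, the way Thunderbird checks it?
# A self-signed cert is its own trust anchor here; for a CA-issued cert pass
# the CA bundle as -CAfile instead. Prints "match" or "mismatch".
check_hostname() {
    crt="$1"; host="$2"
    if openssl verify -CAfile "$crt" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
        echo match
    else
        echo mismatch
    fi
}

# Usage: sh selfsigned.sh mail.example.test
if [ $# -gt 0 ]; then
    make_csr "$1"
    csr_names "$WORKDIR/$1.csr"
    self_sign "$1"
    check_hostname "$WORKDIR/$1.crt" "$1"
fi
```

Running it for a mail host produces the key, CSR and certificate under WORKDIR and prints `match`; checking the same certificate against a different name prints `mismatch`, which is exactly the error a client shows when a certificate issued for www.example.test is installed on mail.example.test.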

