Opened 4 years ago

Last modified 4 years ago

#9846 assigned Bug/Something is broken

ssl certificate for mail.laneta.apc.org to be installed in mx1.m.o

Reported by: https://id.mayfirst.org/erq Owned by: https://id.mayfirst.org/ross
Priority: High Component: Tech
Keywords: x509 ssl mx1-email Cc: servicios@…, pedrogellert@…
Sensitive: no

Description (last modified by https://id.mayfirst.org/erq)

hola Ross y Dana,

While renewing the x509 certificate I ran into a difficulty following the howto in our wiki, because step 3h talks about files that actually were not delivered by comodo.com (also named ssls.com).

According to the email received those are:

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - mail_laneta_apc_org.crt

All of them are already in /etc/ssl/temp

Could you help me figure out if:

"PositiveSSLCA2.crt" corresponds to mail_laneta_apc_org.crt?

Also, is mail_laneta_apc_org.crt the "primary certificate"?

Thanks in advance Enrique

Attachments (2)

warning-ssl-server-certificate.png (33.1 KB) - added by https://id.mayfirst.org/erq 4 years ago.
ssl-server-certificate.png (50.4 KB) - added by https://id.mayfirst.org/erq 4 years ago.


Change History (10)

comment:1 Changed 4 years ago by https://id.mayfirst.org/erq

  • Owner set to https://id.mayfirst.org/ross
  • Status changed from new to assigned

comment:2 Changed 4 years ago by https://id.mayfirst.org/erq

  • Description modified (diff)

comment:3 Changed 4 years ago by https://id.mayfirst.org/ross

Hi Enrique,

That documentation is now out of date :-(. After Heartbleed, Comodo changed how they deliver certificates. You'll need to include both COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt in the mail.laneta.apc.org.crt.

So you could do:

# cat COMODORSAAddTrustCA.crt >> mail.laneta.apc.org.crt && cat COMODORSADomainValidationSecureServerCA.crt >> mail.laneta.apc.org.crt

Then I think you'll have to do:

cat mail.laneta.apc.org.crt >> /PATH/TO/YOUR/.pem/FILE

That should do it. I'll try to remember to update the documentation.

~/ross

comment:4 follow-up: Changed 4 years ago by https://id.mayfirst.org/erq

You mean this file located in the private folder, right?

cat mail.laneta.apc.org.crt >> ../private/mail.laneta.apc.org.pem

comment:5 Changed 4 years ago by https://id.mayfirst.org/erq

I should try the rest of the process, 3i and so on, right?

comment:6 in reply to: ↑ 4 Changed 4 years ago by https://id.mayfirst.org/ross

Replying to https://id.mayfirst.org/erq:

You mean this file located in the private folder, right?

cat mail.laneta.apc.org.crt >> ../private/mail.laneta.apc.org.pem

Yep that's what I meant.
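The two commands above build the server's certificate file by appending the intermediate CA certificates to the leaf certificate and then appending the result to the .pem file. The following helper is an added example, not code from the ticket or from May First; it assembles such a bundle in the right order (leaf first, then each intermediate), keeps the root CA certificate out, rejects duplicates, and detects the classic `cat a >> b` failure where the last line of one file and the first line of the next end up fused into `-----END CERTIFICATE----------BEGIN CERTIFICATE-----` because the first file had no trailing newline. The inputs used here are constructed placeholder DER SEQUENCEs, not real certificates, so the code runs offline; the file names in the usage line are assumptions.

```python
import base64
import binascii
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
# What "cat a >> b" produces when file a has no trailing newline: END and BEGIN
# markers fused onto one line, which many servers then fail to parse.
FUSED_RE = re.compile(r"-----END CERTIFICATE----------BEGIN CERTIFICATE-----")


def find_fused_markers(text):
    """Return how many END/BEGIN marker pairs are fused onto a single line."""
    return len(FUSED_RE.findall(text))


def split_pem_blocks(text):
    """Return the DER bytes of every PEM certificate block in text, in order.

    Raises ValueError when a block is not base64 or does not start with the
    DER SEQUENCE tag 0x30 that every X.509 certificate begins with.
    """
    ders = []
    for m in PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError("PEM block is not valid base64: %s" % e)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def der_to_pem(der):
    """Re-encode DER bytes as a PEM block that always ends with a newline."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def build_bundle(leaf_pem, intermediate_pems, root_pem=None):
    """Assemble the chain a server should present: leaf first, then each intermediate.

    The root is accepted only so it can be excluded: clients must already hold it
    in their trust store, so serving it adds bytes without adding trust. Every
    input must hold exactly one certificate and no certificate may appear twice.
    """
    ordered = [("leaf", leaf_pem)] + [("intermediate", p) for p in intermediate_pems]
    root_digests = set()
    if root_pem is not None:
        root_digests = {hashlib.sha256(d).digest() for d in split_pem_blocks(root_pem)}
    seen = set()
    out = []
    for role, pem in ordered:
        if find_fused_markers(pem):
            raise ValueError("%s input has fused PEM markers; fix its line endings first" % role)
        ders = split_pem_blocks(pem)
        if len(ders) != 1:
            raise ValueError("%s input must hold exactly one certificate, found %d" % (role, len(ders)))
        digest = hashlib.sha256(ders[0]).digest()
        if digest in root_digests:
            raise ValueError("%s input is the root CA certificate; leave it out of the bundle" % role)
        if digest in seen:
            raise ValueError("duplicate certificate in %s input" % role)
        seen.add(digest)
        out.append(der_to_pem(ders[0]))  # re-encoding guarantees a newline after every END marker
    return "".join(out)


# Constructed placeholders: minimal DER SEQUENCEs standing in for real certificates
# so the example runs offline. They are NOT real X.509 certificates.
FAKE_LEAF = der_to_pem(b"\x30\x03\x02\x01\x01")
FAKE_INTERMEDIATE_1 = der_to_pem(b"\x30\x03\x02\x01\x02")
FAKE_INTERMEDIATE_2 = der_to_pem(b"\x30\x03\x02\x01\x03")
FAKE_ROOT = der_to_pem(b"\x30\x03\x02\x01\x04")

if __name__ == "__main__":
    # With real files (assumed names, matching the ticket's delivery email) you would read
    # mail_laneta_apc_org.crt as the leaf and the two COMODORSA*.crt files as intermediates.
    bundle = build_bundle(FAKE_LEAF, [FAKE_INTERMEDIATE_1, FAKE_INTERMEDIATE_2], root_pem=FAKE_ROOT)
    print("bundle holds %d certificates, %d fused markers"
          % (len(split_pem_blocks(bundle)), find_fused_markers(bundle)))
```

After writing the bundle, it is worth confirming from a client that the server actually sends every certificate in it; a "certificate list of 1 certificates" in a handshake report means the intermediates never reached the client, whatever the file on disk contains.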

Changed 4 years ago by https://id.mayfirst.org/erq

Changed 4 years ago by https://id.mayfirst.org/erq

comment:7 Changed 4 years ago by https://id.mayfirst.org/erq

Ross, I think it is done. Apparently, I get a good handshake report:

0 mx1:~# gnutls-cli --port imaps mail.laneta.apc.org
Resolving 'mail.laneta.apc.org'...
Connecting to '209.234.253.242:993'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=mail.laneta.apc.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-07-29 00:00:00 UTC', expires `2019-07-28 23:59:59 UTC', SHA-1 fingerprint `9806fd2f4e2d9bac9548a81b0f7a20525bce1a82'
- The hostname in the certificate matches 'mail.laneta.apc.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc.  See COPYING for distribution information.
- Peer has closed the GNUTLS connection
0 mx1:~#

But my email client is showing a warning, although the information about the new certificate that the server is sending is correct.

(forget what I just wrote)

Now I'm becoming aware that there was probably a mistake I made when issuing the certificate with the server name mail.laneta.apc.org instead of mx1.mayfirst.org.

:(
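The gnutls-cli transcript in the comment above reports a completed handshake, yet it also says "Got a certificate list of 1 certificates", "Peer's certificate issuer is unknown" and "Peer's certificate is NOT trusted": the server presented only the leaf, so a client that does not already know the intermediate CA cannot build a chain to a trusted root, which is exactly what a mail client shows as a certificate warning. The following parser is an added example, not part of the ticket; it reads a gnutls-cli report (the sample input is the transcript from the comment above, embedded verbatim) and turns the relevant lines into findings so the incomplete chain, and the legacy TLS 1.0 / CBC-with-SHA1 parameters also visible there, are flagged rather than hidden behind "Handshake was completed".

```python
import re

# Sample input: the gnutls-cli output posted in the ticket above (comment 7), verbatim.
SAMPLE_OUTPUT = """\
Resolving 'mail.laneta.apc.org'...
Connecting to '209.234.253.242:993'...
- Certificate type: X.509
 - Got a certificate list of 1 certificates.
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,OU=PositiveSSL,CN=mail.laneta.apc.org', issuer `C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2014-07-29 00:00:00 UTC', expires `2019-07-28 23:59:59 UTC', SHA-1 fingerprint `9806fd2f4e2d9bac9548a81b0f7a20525bce1a82'
- The hostname in the certificate matches 'mail.laneta.apc.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
"""


def parse_gnutls_cli(text):
    """Extract chain, trust and cipher-suite facts from a gnutls-cli report."""
    report = {
        "cert_count": None, "subject": None, "issuer": None,
        "hostname_match": None, "issuer_known": None, "trusted": None,
        "version": None, "cipher": None, "mac": None, "handshake": False,
    }
    for line in text.splitlines():
        s = line.strip().lstrip("- ").strip()  # drop the "- " / " - " list prefixes
        m = re.match(r"Got a certificate list of (\d+) certificates", s)
        if m:
            report["cert_count"] = int(m.group(1))
            continue
        m = re.match(r"subject `([^']*)', issuer `([^']*)'", s)
        if m:
            report["subject"], report["issuer"] = m.group(1), m.group(2)
            continue
        if s.startswith("The hostname in the certificate matches"):
            report["hostname_match"] = True
        elif s.startswith("The hostname in the certificate does NOT match"):
            report["hostname_match"] = False
        elif s == "Peer's certificate issuer is unknown":
            report["issuer_known"] = False
        elif s.startswith("Peer's certificate is NOT trusted"):
            report["trusted"] = False
        elif s.startswith("Peer's certificate is trusted"):
            report["trusted"] = True
        elif s.startswith("Handshake was completed"):
            report["handshake"] = True
        for key, label in (("version", "Version"), ("cipher", "Cipher"), ("mac", "MAC")):
            m = re.match(label + r": (\S+)", s)
            if m:
                report[key] = m.group(1)
    return report


def assess(report):
    """Return finding codes; an empty list means nothing in the report looks wrong."""
    findings = []
    # One certificate served plus an unknown issuer is the signature of a server that
    # does not send its intermediate CA certificates (the client can only build a
    # chain if it happens to have the intermediate cached or in its trust store).
    if report["cert_count"] == 1 and report["issuer_known"] is False:
        findings.append("INCOMPLETE_CHAIN")
    if report["trusted"] is False:
        findings.append("UNTRUSTED")
    if report["hostname_match"] is False:
        findings.append("HOSTNAME_MISMATCH")
    if report["version"] in ("SSL3.0", "TLS1.0", "TLS1.1"):
        findings.append("LEGACY_TLS")
    if report["cipher"] and "CBC" in report["cipher"] and report["mac"] in ("SHA1", "MD5"):
        findings.append("NON_AEAD_CIPHER")
    return findings


if __name__ == "__main__":
    r = parse_gnutls_cli(SAMPLE_OUTPUT)
    print("handshake completed:", r["handshake"], "| findings:", assess(r))
```

A completed handshake only says that gnutls-cli, which by default does not abort on verification failure, finished the negotiation; the findings are what decide whether an ordinary mail client will accept the connection without a warning.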

comment:8 Changed 4 years ago by https://id.mayfirst.org/erq

Norma and Pedro, could you confirm whether you can now use email as you normally do?

You will need to check that your program is configured with the incoming server 'mail.laneta.apc.org', SSL or SSL/TLS connection, port 995.
