Updated my Dovecot certificate for the first time
Hi all,
I've used Dovecot since February 2012, but because I kept reinstalling Linux with every major version, I never had a Dovecot self-signed certificate go bad on me before. 'Til now.
I started using rolling release Void Linux about a year ago, and my Dovecot self-signed certificate just expired.
The solution I used is contained in these documents:
http://wiki2.dovecot.org/SSL/CertificateCreation
http://wiki2.dovecot.org/SSL/CertificateClientImporting
file:///etc/ssl/dovecot-openssl.cnf
http://www.faqforge.com/linux/renew-the-dovecot-ssl-certificate-on-ubuntu-li...
I basically moved my old /etc/ssl/certs/dovecot.pem and /etc/ssl/private/dovecot.pem, then edited /etc/ssl/dovecot-openssl.cnf specifically to give myself the common name of 192.168.100.2. I had earlier used my hostname, but that produced a conflict, so I just used the IP address.
Then I ran dovecot-mkcert.sh to create the new self-signed cert, and finally, configured Claws-Mail to use /etc/ssl/certs/dovecot.pem as its cert. Obviously, if my Claws-Mail were on a different machine than my Dovecot, I would have had Claws-Mail point to a local copy.
Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.
Anyway, all's good.
SteveT
Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
On Wed, 23 Nov 2016, Steve Litt wrote:
> [snip]
> Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.
Like a number of applications, alpine checks the system certificates directory for a file containing the server certificate to be validated that's named according to its x509 hash. If it finds it, it trusts it.
I don't know where Linux distros keep their certs, but on FreeBSD it's in /etc/ssl/certs/. If you've no other way to find out, a brute force search of the alpine binary should locate it, e.g.:
$ strings $(whence alpine) | grep '^/.*certs$'
/etc/ssl/certs
You can fetch the certificate from a remote IMAP server and install it in your system certs directory like this:
# cd /path/to/certs &&
openssl s_client -connect remote.server:143 -starttls imap -showcerts </dev/null 2>&0 | H=$(openssl x509 -hash -out imap.pem) && ln -sf imap.pem ${H}.0
# ls -l
total 5
lrwxr-xr-x  1 root  wheel    11 Nov 23 15:34 3a82ab1a.0 -> imap.pem
-rw-r--r--  1 root  wheel  1371 Nov 23 15:34 imap.pem
-- Greg Rivers
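The hash-named trust file Greg describes, shown end to end as an added example (not Greg's command and not part of the thread). Because it has to run offline, a throwaway self-signed certificate stands in for the one you would pull from the IMAP server with `openssl s_client -showcerts`; the directory and file names are assumptions for the demo, and the CN is the LAN address Steve used. One portability point the example sidesteps: an assignment such as `H=$(...)` in the last stage of a pipeline is visible afterwards in ksh, which runs that stage in the current shell, but not in bash, which runs it in a subshell; computing the hash in a plain command substitution works the same everywhere. Before trusting a certificate fetched over the network this way, compare its fingerprint with one obtained out of band on the server, since the fetch itself is exactly what an interposed host could tamper with.

```shell
#!/bin/sh
# Added example (not from the thread): trust a self-signed server cert by
# installing it under <subject_hash>.0 in a certs directory, then confirm
# with OpenSSL that lookup by hash now succeeds.
# Paths, names and the generated cert are assumptions for the demo.

set -e

# Stand-in for the Dovecot server's self-signed cert (CN from Steve's setup).
make_selfsigned() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=192.168.100.2" \
        -keyout "$dir/dovecot.key" -out "$dir/dovecot.pem" >/dev/null 2>&1
    echo "$dir/dovecot.pem"
}

# Copy a PEM cert into the certs directory and link it as <hash>.0, which is
# the name OpenSSL's hashed-directory lookup (and so alpine) searches for.
# Prints the hash so callers can check the link.
install_trusted() {
    certsdir=$1; pem=$2
    hash=$(openssl x509 -subject_hash -noout -in "$pem")
    cp "$pem" "$certsdir/$(basename "$pem")"
    ln -sf "$(basename "$pem")" "$certsdir/$hash.0"
    echo "$hash"
}

# Succeeds only if the cert chains to something in the hash-named directory.
verify_with_capath() {
    certsdir=$1; pem=$2
    openssl verify -CApath "$certsdir" "$pem" >/dev/null 2>&1
}

# Walk through both states: untrusted (the "bad cert" warning) and trusted.
demo() {
    work=$(mktemp -d)
    certs="$work/certs"; mkdir "$certs"
    pem=$(make_selfsigned "$work")
    if verify_with_capath "$certs" "$pem"; then
        echo "unexpected: trusted before installation"; return 1
    fi
    h=$(install_trusted "$certs" "$pem")
    verify_with_capath "$certs" "$pem"   # the cert is now its own trust anchor
    [ -L "$certs/$h.0" ]
    rm -rf "$work"
}
```

Run `demo` to see both outcomes; `install_trusted` is the step that corresponds to Greg's `ln -sf imap.pem ${H}.0`.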
On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
> On Wed, 23 Nov 2016, Steve Litt wrote:
>> [snip]
>> Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.
> Like a number of applications, alpine checks the system certificates directory for a file containing the server certificate to be validated that's named according to its x509 hash. If it finds it, it trusts it.
> I don't know where Linux distros keep their certs, but on FreeBSD it's in /etc/ssl/certs/. If you've no other way to find out, a brute force search of the alpine binary should locate it, e.g.:
> $ strings $(whence alpine) | grep '^/.*certs$'
> /etc/ssl/certs
The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
SteveT
Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
On Wednesday, 23 November 2016 17:31:50 CET Steve Litt wrote:
> On Wed, 23 Nov 2016 16:04:22 -0600 (CST)
> Greg Rivers <gcr+dovecot@tharned.org> wrote:
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>> [snip]
>>> Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.
>> Like a number of applications, alpine checks the system certificates directory for a file containing the server certificate to be validated that's named according to its x509 hash. If it finds it, it trusts it.
>> I don't know where Linux distros keep their certs, but on FreeBSD it's in /etc/ssl/certs/. If you've no other way to find out, a brute force search of the alpine binary should locate it, e.g.:
>> $ strings $(whence alpine) | grep '^/.*certs$'
>> /etc/ssl/certs
> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
> SteveT
> Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
One solution would be to use a Let's Encrypt certificate (that's what I do).
Documentation can be found here:
- https://certbot.eff.org/docs/using.html#standalone
- https://community.letsencrypt.org/t/use-on-non-web-servers/425
-- Simon Doppler (dopsi)
On Wed, 23 Nov 2016, Steve Litt wrote:
> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
>> $ strings $(whence alpine) | grep '^/.*certs$'
>> /etc/ssl/certs
> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
"sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
Steffen Kaiser
On Thu, 24 Nov 2016 07:52:51 +0100 (CET) Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
> On Wed, 23 Nov 2016, Steve Litt wrote:
>> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
>>> $ strings $(whence alpine) | grep '^/.*certs$'
>>> /etc/ssl/certs
>> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
> "sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
No. I don't want to deal with a third party "Trusted Party": I want it self-signed. What I was looking for was a way Alpine could be set to check for a cert, warn if the cert is conflicting, but not warn if it's self-signed.
Thanks,
SteveT
Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
On 25/11/16 02:37, Steve Litt wrote:
>> "sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
> No. I don't want to deal with a third party "Trusted Party": I want it self-signed. What I was looking for was a way Alpine could be set to check for a cert, warn if the cert is conflicting, but not warn if it's self-signed.
I used self-signed certs for ages; when I did so, I installed MY OWN root CA into various machines as needed -- sometimes that meant in multiple locations (one for IE and Chrome in Winblows world and another place for Firefox).
Anyway, that has all stopped now as I use Let's Encrypt certs everywhere without any problems.
My exim4 has the updated cert, the same cert goes to my webserver and gets pointed to for dovecot. No more issues of self-signed certs, I can even have lots of related sub-domains to make it even better without needing lots of different certs.
There is one advantage of using self-signed, that is, you get to trust yourself and the certs 100%, but others won't do so; so, all in all, it is better to use official certs that are widely accepted.
I sure understand that the world of zillions of CAs to trust is a woeful one, but it works better than the trouble of using self-signed certs.
NB: I don't do full auto certs, I have a process where I put servers in maintenance mode and manually update the certs, put them in place and restart all the services that use them.... apache2, exim4, dovecot, ejabber -- all using LE certs.
Cheers AndrewM
Hi Steve,
You could create your own private CA then sign your Dovecot certificate with the CA cert and alpine should then trust it.
Best Regards
Martin
On 2016-11-24 15:37, Steve Litt wrote:
> On Thu, 24 Nov 2016 07:52:51 +0100 (CET) Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
>>>> $ strings $(whence alpine) | grep '^/.*certs$'
>>>> /etc/ssl/certs
>>> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
>> "sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
> No. I don't want to deal with a third party "Trusted Party": I want it self-signed. What I was looking for was a way Alpine could be set to check for a cert, warn if the cert is conflicting, but not warn if it's self-signed.
> Thanks,
> SteveT
> Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
What would be the use of a self-signed cert that is not automatically checked? If you see a warning, how can you be sure that the cryptographic key used is correct? Just manually checking the common name displayed lowers the security to almost zero. A big additional disadvantage is that one gets used to ignoring security warnings.
Setting up a "CA" is quite easy and installing the new root certificate in the root store of the devices used is also quite easy.
I switched to a certificate from startssl and of course I generated the key pair on my own and transferred only the CSR (certificate signing request).
On 24 November 2016 16:37:48 CET, Steve Litt <slitt@troubleshooters.com> wrote:
> On Thu, 24 Nov 2016 07:52:51 +0100 (CET) Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
>>>> $ strings $(whence alpine) | grep '^/.*certs$'
>>>> /etc/ssl/certs
>>> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
>> "sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
> No. I don't want to deal with a third party "Trusted Party": I want it self-signed. What I was looking for was a way Alpine could be set to check for a cert, warn if the cert is conflicting, but not warn if it's self-signed.
> Thanks,
> SteveT
> Steve Litt November 2016 featured book: Quit Joblessness: Start Your Own Business http://www.troubleshooters.com/startbiz
-- This message was sent from my Android mobile phone with K-9 Mail.
On Thu, 24 Nov 2016, Steve Litt wrote:
> On Thu, 24 Nov 2016 07:52:51 +0100 (CET) Steffen Kaiser <skdovecot@smail.inf.fh-brs.de> wrote:
>> On Wed, 23 Nov 2016, Steve Litt wrote:
>>> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot@tharned.org> wrote:
>>>> $ strings $(whence alpine) | grep '^/.*certs$'
>>>> /etc/ssl/certs
>>> The directory or the certs isn't the problem. Alpine sees the self-signed cert I just made, but complains because it's self-signed, and gives me the choice between saying "yes" every time, and just not checking for certs at all.
>> "sees the self-signed cert"? Did you add it as trusted to the CA, as Greg said and wrote how to do?
> No. I don't want to deal with a third party "Trusted Party": I want it self-signed. What I was looking for was a way Alpine could be set to check for a cert, warn if the cert is conflicting, but not warn if it's self-signed.
Er, question: what is a self-signed cert? A cert signed with a CA that is itself.
How can a client trust a cert? Because, beginning with the cert presented by the server, the client walks up the cert chain until it reaches either a missing cert or a trusted cert. In the latter case, trust is given -> no warning. In the first case, no trust -> warning.
So, because there is just one certificate involved with self-signed certs, you have to follow Greg's advice and make it trusted on your system.
Maybe, Frank-Ulrich's suggestion is even better. Roll your own CA. Mark the CA cert as trusted on your system and sign as many certs with it, as you wish.
Steffen Kaiser
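The private-CA route that Martin and Frank-Ulrich suggest, and the chain walk Steffen describes, carried out with openssl as an added example; it is not code from anyone in the thread. The CA name, file names and directory are assumptions for the demo, and the server's address is the one Steve used on his LAN. The script builds a root, issues a server certificate from it, installs only the root under its hash name (Greg's layout), and then shows the three outcomes a client sees: issuer missing from the trust directory (warning), issuer present (trusted), and issuer present but the address not matching the certificate (rejected).

```shell
#!/bin/sh
# Added example (not from the thread): roll your own CA, sign the Dovecot
# cert with it, trust the CA cert by hash name, and verify the chain.
# Names, paths and the 192.168.100.2 address are assumptions for the demo.

set -e

# 1. Self-signed root for the private CA. Only this cert gets installed on
#    clients; keep ca.key off the mail server.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Home Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
}

# 2. Server key + CSR, then a leaf cert signed by the CA. CA:FALSE stops a
#    leaked server key from issuing further certs; the SAN carries the IP
#    that clients will check against.
make_server_cert() {
    dir=$1; ip=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ip" \
        -keyout "$dir/dovecot.key" -out "$dir/dovecot.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ip" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/dovecot.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/dovecot.pem" >/dev/null 2>&1
}

# 3. Trust the CA, not the server cert, via a <subject_hash>.0 entry.
install_ca() {
    certsdir=$1; ca=$2
    hash=$(openssl x509 -subject_hash -noout -in "$ca")
    cp "$ca" "$certsdir/homeca.pem"
    ln -sf homeca.pem "$certsdir/$hash.0"
}

# 4. The chain walk plus the name check: leaf -> issuer in trust dir -> OK.
chain_ok() {
    certsdir=$1; pem=$2; ip=$3
    openssl verify -CApath "$certsdir" -verify_ip "$ip" "$pem" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d); certs="$work/certs"; mkdir "$certs"
    ip=192.168.100.2
    make_ca "$work"
    make_server_cert "$work" "$ip"
    # Issuer unknown: the walk stops at a missing cert, so a client warns.
    if chain_ok "$certs" "$work/dovecot.pem" "$ip"; then
        echo "unexpected: trusted without the CA installed"; return 1
    fi
    install_ca "$certs" "$work/ca.pem"
    chain_ok "$certs" "$work/dovecot.pem" "$ip"    # issuer trusted: OK
    # Same chain, wrong address: a valid chain is not enough on its own.
    if chain_ok "$certs" "$work/dovecot.pem" 192.168.100.3; then
        echo "unexpected: mismatched address accepted"; return 1
    fi
    rm -rf "$work"
}
```

`dovecot.pem` and `dovecot.key` are what you would point `ssl_cert` and `ssl_key` at; on each client you install `ca.pem` once and every certificate the CA later issues is trusted without a new prompt.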
participants (7)
- Andrew McGlashan
- Frank-Ulrich Sommer
- Greg Rivers
- Martin Wheldon
- Simon Doppler
- Steffen Kaiser
- Steve Litt