Resolved
0 votes
I am using ClearOS Community release 6.9.0 (Final) and I am getting a certificate warning when I log in to Outlook. It states that my localhost.localdomain certificate is out of date, which it is. Outlook works fine, but I have to answer yes to two popup warnings about the certificate not being able to be verified.

When I open the ClearOS console and choose Certificate Manager under System, I do not see an option to edit the certificates that are already there, nor do I see an option to create a new certificate. I know a little bit more than nothing about certificates, so I'm pretty sure I'm doing something wrong.

Any help on how to get the options to edit or create certificates would be appreciated.
Sunday, January 28 2018, 02:38 PM
Responses (23)
  • Accepted Answer

    Wednesday, October 03 2018, 07:40 PM - #Permalink
    Resolved
    0 votes
    @Nick
    Thanks for the heads-up. I've never installed it or noticed it, to tell the truth. We've always just used what is installed natively for Webconfig/Webaccess/Webapp. I'll give it a look-see.

    @Drew
    Understand completely. I was primarily sharing should anyone else run into it. Keep rockin' on!
  • Accepted Answer

    Wednesday, October 03 2018, 07:26 PM - #Permalink
    Resolved
    0 votes
    @Shannon,
    In ClearOS 7.x, if you have commercial certificates imported through the Certificate Manager or Let's Encrypt certificates, you can use them in the Web Server just by selecting them from a dropdown in the Web Server app. No need to edit any files.
  • Accepted Answer

    Wednesday, October 03 2018, 07:00 PM - #Permalink
    Resolved
    0 votes
    Thanks Shannon,

    Good info! But if EAS (Outlook) is going to gripe anyway, there's probably no need for me to touch it. It seems time for me to look for an alternate solution to Zarafa. I don't have the time or skills to deal with problems, and I can't justify upgrade costs and potential snags to get to Kopano. No COS gripe here, I think it has just outgrown me.

    Drew VS
  • Accepted Answer

    Wednesday, October 03 2018, 06:38 PM - #Permalink
    Resolved
    0 votes
    Glad you found where to point the certs, Drew. I've been re-issuing certs on our COS 6 and 7 boxes. ActiveSync and Webapp use the webserver to communicate with the Zarafa server, and the certs are located in the /etc/pki/tls/certs/ directory. Just create the certs in it from Nick's example.

    Edit the following lines in /etc/httpd/conf.d/ssl.conf, replacing "localhost.crt" and "localhost.key" with the privateKey.key and certificate.crt you created in Nick's example:

    SSLCertificateFile /etc/pki/tls/certs/certificate.crt
    SSLCertificateKeyFile /etc/pki/tls/private/privateKey.key

    then restart httpd for it to use the new SSL certs:

    service httpd restart

    ActiveSync and browsers still gripe about the self-signed cert. If you use "trusted" third-party certs or Let's Encrypt certs, here as well.
  • Accepted Answer

    Tuesday, October 02 2018, 11:15 AM - #Permalink
    Resolved
    0 votes
    Hi Nick.

    Sorry, my last reply seems to have dropped. On your earlier suggestion I pointed both certificates to the remaining server.pem and that worked, so I am back up again. Yay! I think I accidentally overwrote one of the two backups, which is why I could not get back cleanly. This solution is good enough, I think.

    Per incident support, if I am reading it correctly, is just unaffordable for a home user. But good to know it is there.

    Thanks for all,
    Drew VS
  • Accepted Answer

    Tuesday, October 02 2018, 07:11 AM - #Permalink
    Resolved
    0 votes
    Per incident support is available to anyone.

    To inspect certificates, rather than look at the file date, you have to do:
    openssl x509 -text -noout -in your_certificate_file
    This works with CA and server certificates but not with keys. This will show you various bits of info, including the valid-from and valid-to dates.

    Did you keep backups of your old certificates? If everything is stored under /etc, a Configuration Restore to an earlier date may well work.
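A small POSIX shell helper, added here and not part of any reply in this thread, that turns the openssl x509 check above into a report over the certificate files the thread names: it compares issuer with subject to flag self-signed certs (a heuristic, not a chain validation), and uses `openssl x509 -checkend` to tell expired from soon-to-expire. The default paths are the ClearOS 6 ones quoted in the thread; the function names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report on the service certificates
# the thread discusses. Only openssl(1) is needed. Paths are the ClearOS 6
# defaults quoted in the thread; adjust for your box.

# Exit 0 if the first CERTIFICATE in $1 names itself as issuer (self-signed).
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1")
    iss=$(openssl x509 -noout -issuer -in "$1")
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 if the certificate in $1 is still valid $2 days from now
# (-checkend exits 1 when the cert expires within the given seconds).
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Print one status line for the file in $1, warning when fewer than $2
# (default 30) days remain. Works on combined key+cert files like the
# cyrus-imapd.pem in the thread: openssl x509 skips the key block and
# reads the first CERTIFICATE block. A bare key file is reported, not parsed.
cert_status() {
    file=$1
    warn_days=${2:-30}
    if [ ! -r "$file" ]; then
        printf '%s: not found or not readable\n' "$file"
        return 1
    fi
    if ! openssl x509 -noout -in "$file" 2>/dev/null; then
        printf '%s: no certificate found (key file?)\n' "$file"
        return 1
    fi
    enddate=$(openssl x509 -noout -enddate -in "$file")
    if is_self_signed "$file"; then kind=self-signed; else kind=CA-issued; fi
    if ! valid_for_days "$file" 0; then
        state=EXPIRED
    elif ! valid_for_days "$file" "$warn_days"; then
        state="expiring soon"
    else
        state=valid
    fi
    printf '%s: %s, %s, %s\n' "$file" "$kind" "$state" "${enddate#notAfter=}"
}

# Check the files given as arguments, or the thread's default locations.
main() {
    [ $# -gt 0 ] || set -- /etc/pki/cyrus-imapd/cyrus-imapd.pem \
        /etc/postfix/cert.pem /etc/zarafa/gateway/cert.pem \
        /etc/pki/tls/certs/localhost.crt /etc/pki/CA/sys-0-cert.pem
    for f in "$@"; do cert_status "$f" 30 || :; done
}

main "$@"
```

Run it as root so the combined key+cert files are readable; an EXPIRED or expiring-soon line tells you which service's file to regenerate.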
  • Accepted Answer

    Monday, October 01 2018, 09:52 PM - #Permalink
    Resolved
    0 votes
    Nick,

    I don't know if any of those certs are up to date. The CA file date is 2013, so I am guessing not. But I have no idea how to update them, create them or do much of anything, and now, messing around, I've broken email, which I critically need. I'm starting to think that ClearOS basic maintenance is now beyond me in a way that it was not in earlier versions. I was hoping for a menu-level tool for this kind of thing... there are just too many pieces and options for me to get my head around.

    What is my next step in getting help for this? I have to get mail working quickly. Is ClearOS support an option for a home user?

    Thanks,
    Drew
  • Accepted Answer

    Monday, October 01 2018, 01:07 PM - #Permalink
    Resolved
    0 votes
    I am still getting my mind round certificates. What I had been trying to establish earlier was whether Zarafa, by default, used self-signed certificates, and the ones you pointed me to did. If you have a ca-cert as well then the main certificate is not self-signed. In that case you may be able to get away with pointing the ca-cert entry and the certificate entry both to the same certificate file. A key file is a key file all the time... except you can actually combine the CA, cert and key all into a single file if you really want! Confusing?

    If your system certificates are in date, you should be able to just use them (/etc/pki/CA/ca-cert.pem, /etc/pki/CA/sys-0-cert.pem and /etc/pki/CA/private/sys-0-key.pem), but I'd try using the same certificate for ca and cert first.

    If you need to regenerate your system certificate, I believe you can just delete it (but not your CA). The problem is that these won't then flow out into the other certificates which are all over the place. You can delete your CA as well but you'll need to then regenerate all OpenVPN certificates and any certificates which were signed by the CA.

    Ultimately it only seems to be Outlook which is really picky and I thought you had to revalidate it every time you restarted it if you had a self-signed certificate. In ClearOS 7 you can get round it by using Let's Encrypt certificates which have a valid officially recognised CA. You are a bit more on your own getting Let's Encrypt to work in ClearOS 6.
  • Accepted Answer

    Monday, October 01 2018, 12:32 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick... good hints. I did find a folder called "server.cfg" that pointed to those files. That directory had a cacert.pem and a server.pem. I don't know what I am doing here, but I used the previous privkey.pem to create a new server.pem the same way you said before. When I replaced it and restarted Zarafa, the server component always failed to start. So I put it back to the backup and it was OK.

    I tried it a second time using cacert.pem as the key file...if that makes any sense? And it failed again. But this time, when I put the backup back, it still won't run. The zarafa server component is dead at this point.

    Do you have a suggestion where I go from here for help? I thought I was in over my head here, and I apparently am! It seems like I need to rebuild all the certs generally and have no idea how to do so. There doesn't seem to be any info in ClearOS docs on how a (unsophisticated) user can do this. I guess the assumption is that everyone upgrades sooner than that. I don't feel I can as the process is too manual now to be workable by someone like me.

    Many Thanks,
    Drew
  • Accepted Answer

    Sunday, September 30 2018, 09:03 PM - #Permalink
    Resolved
    0 votes
    I have no idea. I don't have Zarafa or Outlook. You can try updating those certs as well, but back them up first. I have a feeling that Zarafa has multiple config files. You could try something like:
    grep "/etc/zarafa/ssl/" /etc/zarafa/* -r
    to see if the folder is used anywhere, or just replace them (making backups, of course).
  • Accepted Answer

    Sunday, September 30 2018, 08:42 PM - #Permalink
    Resolved
    0 votes
    Nick,

    I see two certificates in /etc/zarafa/ssl from 2013. Could those be it? They don't seem to be pointed to in the config file.

    Drew
  • Accepted Answer

    Sunday, September 30 2018, 08:40 PM - #Permalink
    Resolved
    0 votes
    Nick,

    I took some initiative and copied the same key and cert to Postfix and replaced the old ones there, in case that was it. Outlook keeps giving the same error, and when I look at the cert in its error window, it is still some old one from 2013. Do you have any idea where it might be finding that? I don't see it in Zarafa or Postfix.

    Thanks,
    Drew
  • Accepted Answer

    Sunday, September 30 2018, 08:17 PM - #Permalink
    Resolved
    0 votes
    Thanks Nick,

    I've done all that with no resulting errors. But when Outlook starts, I get the same message:

    - Cert issues by a company I have not chosen to trust
    - Cert is expired or not yet valid.

    Outlook does not ask for any new item. This is Outlook 2016 using Zarafa (via EAS, I believe) if that matters.

    Thanks,
    Drew
  • Accepted Answer

    Sunday, September 30 2018, 07:52 PM - #Permalink
    Resolved
    0 votes
    That is good. It is a self-signed certificate, so we don't have to work out the CA.

    You should be able to just back up your current certificates and replace them with:
    cd /etc/zarafa/gateway
    mv privkey.pem privkey.pem.old
    mv cert.pem cert.pem.old
    openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout privkey.pem -out cert.pem
    Then restart Zarafa.

    Your clients should prompt you to accept a new POPS/IMAPS certificate. On some, like K-9 Mail, you may have to "re-test" your connection. If you also have SMTPS problems, copy your new certificates to the correct postfix location as mentioned elsewhere in the thread.
  • Accepted Answer

    Sunday, September 30 2018, 07:33 PM - #Permalink
    Resolved
    0 votes
    Nick,

    Yes, you are right...I apparently cut it off. Here is the rest, thanks!

    X509v3 Basic Constraints:
    CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
  • Accepted Answer

    Sunday, September 30 2018, 06:46 PM - #Permalink
    Resolved
    0 votes
    It looks like you have cut the certificate output short. I am hoping you have a couple of lines:
    X509v3 Basic Constraints:
    CA:TRUE
    But I'm sure there should be some more output.
  • Accepted Answer

    Sunday, September 30 2018, 06:14 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    For the first item, I have:

    # File with RSA key for SSL
    ssl_private_key_file = /etc/zarafa/gateway/privkey.pem

    #File with certificate for SSL
    ssl_certificate_file = /etc/zarafa/gateway/cert.pem

    and

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 1367089846 (0x517c22b6)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=CA, L=Toronto, O=ClearOS, OU=ClearOS, CN=system.lan/emailAddress=noreply@localhost
    Validity
    Not Before: Apr 27 19:10:46 2013 GMT
    Not After : Jul 14 19:10:46 2021 GMT
    Subject: C=CA, L=Toronto, O=ClearOS, OU=ClearOS, CN=system.lan/emailAddress=noreply@localhost
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    5F:A8:C7:D0:35:52:C1:37:4C:06:F8:27:06:A3:4E:DD:78:B4:6D:95
    X509v3 Authority Key Identifier:
    keyid:5F:A8:C7:D0:35:52:C1:37:4C:06:F8:27:06:A3:4E:DD:78:B4:6D:95
  • Accepted Answer

    Thursday, September 27 2018, 09:18 PM - #Permalink
    Resolved
    0 votes
    I don't know Zarafa or Kopano at all. Please can you check you have certificate and key files. Go into /etc/zarafa/gateway.cfg and look at the files pointed to by:
    ssl_private_key_file = 
    ssl_certificate_file =
    Please give the file names. Also give the output to:
    openssl x509 -text -noout -in your_zarafa_certificate_file_name_including_path
  • Accepted Answer

    Thursday, September 27 2018, 08:27 PM - #Permalink
    Resolved
    0 votes
    Nick,

    Thanks for the info, but I'm afraid I know almost nothing about the topic, so I don't follow your answer. Where could I find a step-by-step on how to create any needed certs and put them in the right place? I'm not even clear on what goes on the server vs the PC, etc. I really need a primer somewhere to study.

    Thanks,
    Drew VS
  • Accepted Answer

    Thursday, September 27 2018, 07:27 AM - #Permalink
    Resolved
    0 votes
    Certificate locations are mentioned in the Let's Encrypt doc. I am not sure about the CA path or if it is necessary for a self-signed cert. You may have to inspect your current certificate with openssl. You can either overwrite them (but take backups first) or create new ones and point the config file to them. Check the permissions match the old ones.
  • Accepted Answer

    Wednesday, September 26 2018, 09:08 PM - #Permalink
    Resolved
    0 votes
    Nick,

    I am having the same problem, but I am using Zarafa Community and ClearOS v6. How would I do the same thing for Zarafa?

    Thanks!
    Drew Vonada-Smith
  • Accepted Answer

    Sunday, January 28 2018, 05:41 PM - #Permalink
    Resolved
    0 votes
    This is great. Thanks for the information. At least I know I'm not crazy.

    I am using IMAP and you are correct in assuming that both it and SMTP are the free versions. I am actually getting two certificate warnings back to back as soon as Outlook opens, so maybe one is for IMAP and the other is for SMTP? This is just a guess based on the fact that, if I answer No to both warnings, I cannot send or receive emails, and if I answer Yes, sending and receiving work fine.

    I will try your solution and post back with the results.
  • Accepted Answer

    Sunday, January 28 2018, 03:31 PM - #Permalink
    Resolved
    0 votes
    You're not doing anything wrong, and Outlook appears to be quite picky about its certificates. Is this for IMAP or SMTP? Do you know which mail apps you are running? Probably the SMTP Server (postfix), then either IMAP and POP Server (cyrus-imapd), Kopano or Zarafa.

    If you are running the free packages you'll have postfix and cyrus-imapd. If so, go to the command line, then:
    cd /etc/pki/cyrus-imapd
    mv cyrus-imapd.pem cyrus-imapd.pem.old
    openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
    cp privateKey.key cyrus-imapd.pem
    cat certificate.crt >> cyrus-imapd.pem
    This will copy your current certificate to *.old and give you a new self-signed certificate and key valid for 10 years. I then copy the certificate and key into a single file, as that is how cyrus-imapd is set up at the moment. Then restart cyrus-imapd either from the webconfig or from the command line with a "service cyrus-imapd restart".

    If Outlook is then complaining about your SMTP certificate, the files are:
    /etc/postfix/key.pem
    /etc/postfix/cert.pem

    Back these files up and you can then use the same .key and .crt files you created earlier by just copying them over and renaming them.

    Note, in reality, for all of these you can use different certificate and key file names and just change the configuration files to point to the new certificates.

    [edit]
    I forgot to add, postfix and cyrus-imapd do not use certificates managed by certificate manager.
    [/edit]