SSL not working, wrong certificates

Discussion in 'Linux VPS/Dedicated - cPanel' started by jjthomas, Jan 28, 2007.

  1. jjthomas

    jjthomas New Member

    I use Outlook to connect to get my mail, via SSL. Every time I start Outlook and try to get my mail I get an "Internet Certificate Warning" popup box that says:
    "The server you are connected to is using a security certificate that cannot be verified. A certificate chain processed but terminated in a root certificate which is not trusted by the trust provider"

    The certificate was created on 01/08/2007. However, the certificate I created was created on 01/28/2007. Although the name is correct, it is not the certificate I created. When I look at the details in the error certificate, nothing matches the certificate I created. I can click "Yes" to the question "Do I want to continue using this server?" and Outlook continues. Everything works fine as long as I don't shut Outlook down. When I restart Outlook I get the same error box.

    I have searched the cPanel forum and documentation and have not been able to come up with a clear solution. There was a suggestion that one should purchase a certificate to resolve this type of problem, but the follow-up messages did not indicate that a commercial certificate resolved the problem. And since this is not used in a business, I don't feel too compelled to fork over $100+ to tell me that I am me.

    To further confuse the situation, when I sign in to my Virtuozzo panel, I am presented with a different certificate that was issued to "SomeOrganization"; none of the details of this certificate match any of the details of the certificate I created. Also, I puTTY'ed in and looked at various certificates and cannot find a certificate that matches any of the details that are presented in the certificate I receive when I access my email via pop3 SSL/TLS.

    When I log into the cPanel or WHM, I get what appears to be the same certificate presented when I log in via Outlook to retrieve my mail.

    I have created, deleted and recreated the certificates; I can never get the certificate I have created to show when I connect to my mail or web server.

    I am not sure if this is related, but I cannot establish any SSL connections to my domains. The Virtuozzo, WHM and cPanel which I connect to via the secure ports, all seem to work fine.

    What should I do to make all this work?

    Thanks.

    -JJ
     
  2. khiltd

    khiltd New Member

    First you need to generate a certificate authority and use that CA to sign a second certificate which will bear the name of your mail server (do this through openssl directly and do not bother with WHM's certificate generator at all). Put that second certificate somewhere that Exim and Courier can get to it, and configure them to use it.

    For Exim, you'll do this through WHM's configuration editor. If you try to edit the file directly your changes will be wiped out the next time cPanel upgrades itself. Assuming you put your cert in /etc, you'd add something like

    Code:
    tls_certificate = /etc/ssl/yourcert.crt
    tls_privatekey = /etc/ssl/private/yourkey.key
    
    up at the top, and make sure daemon_smtp_ports is set to include port 587 (it should by default). Save your changes and Exim should restart TLS/SSL ready.

    For Courier, there is no WHM interface, so you have to edit its config file directly if you want to use SSL with POP connections as well. Making the same assumption as above, insert this into /usr/lib/courier-imap/etc/pop3d-ssl:

    Code:
    TLS_CERTFILE=/etc/ssl/yourcert.crt

    Restart Courier manually, and it should be up and running TLS, too.

    Now to actually get your email client to accept these things, you'll need to add the CA you created in the first step to some list somewhere that varies by operating system. I have no idea how anything works on Windows or Outlook, so I can't help you with that part. If you really can't get it to work, then spending the $20 for a certificate that comes from an already recognized CA is your safest bet.
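
Added example, not part of either post above: the procedure khiltd describes (create a CA, then use it to sign a certificate bearing the mail server's name), done with openssl directly. The host name mail.example.com, the subject names and all file names are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: private CA plus a CA-signed certificate for a mail host.
# Host name, subject names and file names are placeholders (assumptions).
set -eu

make_ca_and_cert() {            # $1 = output directory, $2 = mail host name
    dir=$1; host=$2
    mkdir -p "$dir"
    # Own config so the result does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA certificate: the file mail clients must import.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/CN=Example Private CA" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Key and signing request bearing the mail server's name.
    openssl req -new -config "$dir/pki.cnf" -subj "/CN=$host" \
        -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the request with the CA from step 1.
    openssl x509 -req -in "$dir/server.csr" -sha256 -days 825 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_srv \
        -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# Succeeds only if $2 chains to the CA file $1 (what a client checks).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Subject and SHA-256 fingerprint, to compare with what a client displays.
cert_id() { openssl x509 -in "$1" -noout -subject -fingerprint -sha256; }

if [ "${1:-}" = "demo" ]; then
    out=$(mktemp -d)
    make_ca_and_cert "$out" mail.example.com
    cert_id "$out/server.crt"
    chain_ok "$out/ca.crt" "$out/server.crt" && echo "chain verifies"
fi
```

`chain_ok` failing against any CA file other than the generated `ca.crt` is the same condition the mail client reports as an untrusted root. The `cert_id` output can be compared with the certificate details the client shows, to confirm which certificate the server is actually presenting.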
     
