Update SSL Certificate on Email Client from Email Server
Hello,
Not sure if this is the correct sub-forum for this question, but I have successfully set up an email server using OpenBSD 6.7, but at the time I set it up, I didn't set up renewal of the SSL certificate as a cronjob (I have since repented and have it renewing), so the SSL cert expired and ever since (even though I renewed the SSL), my email client, Claws-Mail, keeps saying my SSL certificate is expired and asks me to accept use of the expired cert. Mutt does the same thing. I can still send and receive email, but the warnings about the certificate are annoying since I know that I renewed it and it's current. I have tested my mail server on SSLlabs and it says that it's an 'A.' I just want to know if there is a way to import my latest certificate to my email client so that it recognizes the new certificate? Thank you in advance for any assistance. - Michael
Quote:
Have you tried adding the email address in question as a new account, just to test if that works as expected?
Since multiple clients have problems, it sounds like there is still an issue with the server certificate. Check it with openssl using:
Code:
openssl s_client -showcerts -starttls imap -CApath /etc/openssl/certs -connect server.domain.com:143
Code:
openssl s_client -showcerts -CApath /etc/openssl/certs -connect www.google.com:443
Update SSL Certificate on Email Client from Mail Server
Quote:
Smallpond, I tried the command line bit you gave me with port 143, which is my receiving mail port, and it reported that the certificate is expired. I tried the same line on my smtp port 587 and it hung. Do I need to change imap to smtp? At any rate, it's very confusing because ssllabs says it's all right, and if I go to mail.mydomain.com and click on the security lock thingy and look at the certificate, it says it's good until February 9, 2021. Thank you both for replying!
Quote:
That leads me to believe that smallpond is correct to suspect a server-side problem with the cert.
I agree. There's definitely something going on where for my website and my mail server the SSL seems current and intact, but then mail clients don't recognize the mail server SSL certificate as valid.
To set my mail server up, along with the SSL, I basically followed the instructions at here and here, with some deviation. When the SSL cert expired on the mail server, I followed the instructions again in the latter site to get a new certificate. Obviously, that didn't work for email clients. What is the proper way of using the acme to remove the expired certificate and get a new one? Looking at the listing in the /etc/ssl directory, it's apparent that my mail.mydomain.com.crt is still dated from July, while my mail.mydomain.com.fullchain.pem is Nov 11, which indicates to me that for the .pem, my crontab job is working. For my domain proper, the mydomain.com.fullchain.pem is dated Nov 16, which also indicates the cron job is working. Do I just need to remove the old certificate? The .crt file? The .key files in the private folder, however, are still dated from June. It appears that my acme-client.conf is pointing to the .pem files and the .key files, and my httpd.conf is too. Maybe the .crt file in the /etc/ssl is messing things up? Any help is much appreciated. Thank you.
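One way to see which of the files in /etc/ssl the mail daemon is actually serving on each mail port (an added example, not part of any post in this thread; the script name and the use of STARTTLS on ports 143 and 587 are assumptions). It fetches the served leaf certificate with `-starttls imap` and `-starttls smtp` and matches its SHA-256 fingerprint against the certificates on disk.

```shell
#!/bin/sh
# Added example. Usage: sh servedcert.sh mail.mydomain.com /etc/ssl/FILE...
# Assumptions: IMAP on 143 and submission on 587, both using STARTTLS.

# Print the leaf certificate (PEM) served on host:port after STARTTLS.
served_cert() {  # host port proto(imap|smtp)
    openssl s_client -starttls "$3" -connect "$1:$2" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 2>/dev/null
}

# Read a PEM certificate on stdin (only the first one in a fullchain file is
# used) and print "<sha256 fingerprint> <valid|expired>".
cert_state() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo "$fp valid"
    else
        echo "$fp expired"
    fi
}

# Read "path fingerprint state" lines on stdin; report the file matching $1.
diagnose() {  # $1 = served "fingerprint state"
    while read -r path state; do
        if [ "$state" = "$1" ]; then
            echo "serving $path (${1##* })"; return 0
        fi
    done
    echo "served certificate (${1##* }) matches no listed file"
}

main() {  # host file...
    host=$1; shift
    for pp in 143:imap 587:smtp; do
        served=$(served_cert "$host" "${pp%:*}" "${pp#*:}" | cert_state) ||
            { echo "$pp: no certificate received"; continue; }
        printf '%s: ' "$pp"
        for f in "$@"; do echo "$f $(cert_state <"$f")"; done | diagnose "$served"
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    # No arguments: offline demo on constructed fingerprints (not real certificates).
    printf '%s\n' '/etc/ssl/mail.mydomain.com.fullchain.pem AA:11 valid' \
        '/etc/ssl/mail.mydomain.com.crt BB:22 expired' | diagnose 'BB:22 expired'
fi
```

If a port reports the expired file, the daemon's configuration points at that path or the daemon has not reloaded the renewed certificate since it was issued.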