Old 11-15-2020, 10:06 PM   #1
mEllis
LQ Newbie
 
Registered: Nov 2008
Location: American Fork, UT, USA
Distribution: Slackware 14.2
Posts: 10

Rep: Reputation: 0
Update SSL Certificate on Email Client from Email Server


Hello,

Not sure if this is the correct sub-forum for this question, but I have successfully set up an email server using OpenBSD 6.7, but at the time I set it up, I didn't set up renewal of the SSL certificate as a cronjob (I have since repented and have it renewing), so the SSL cert expired and ever since (even though I renewed the SSL), my email client, Claws-Mail, keeps saying my SSL certificate is expired and asks me to accept use of the expired cert. Mutt does the same thing. I can still send and receive email, but the warnings about the certificate are annoying since I know that I renewed it and it's current.

I have tested my mail server on SSLlabs and it says that it's an 'A.' I just want to know if there is a way to import my latest certificate to my email client so that it recognizes the new certificate?

Thank you in advance for any assistance.

- Michael
 
Old 11-16-2020, 02:07 AM   #2
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,842
Blog Entries: 9

Rep: Reputation: 4642
Quote:
Originally Posted by mEllis
Claws-Mail, keeps saying my SSL certificate is expired and asks me to accept use of the expired cert. Mutt does the same thing.
Is your operating system up-to-date?

Have you tried adding the email address in question as a new account, just to test if that works as expected?
 
Old 11-16-2020, 09:49 AM   #3
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,450

Rep: Reputation: 924
Since multiple clients have problems, it sounds like there is still an issue with the server certificate. Check it with openssl using:

Code:
openssl s_client -showcerts -starttls imap -CApath /etc/openssl/certs -connect server.domain.com:143
Replace the protocol and server name/port with the correct values. Here is the start of the output for www.google.com showing that it verified a 3-certificate chain (root, intermediate, www.google.com):

Code:
 openssl s_client -showcerts -CApath /etc/openssl/certs -connect www.google.com:443
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
verify return:1
---
 
Old 11-16-2020, 11:22 PM   #4
mEllis
LQ Newbie
 
Registered: Nov 2008
Location: American Fork, UT, USA
Distribution: Slackware 14.2
Posts: 10

Original Poster
Rep: Reputation: 0
Update SSL Certificate on Email Client from Mail Server

Quote:
Originally Posted by ondoho
Is your operating system up-to-date?

Have you tried adding the email address in question as a new account, just to test if that works as expected?
Ondoho, Yes, the BSD server has its syspatches and programs up to date for 6.7. And, within Claws-Mail, I deleted my account and reconnected it, thinking it would pick up the updated certificate.

Smallpond, I tried the command line bit you gave me with port 143, which is my receiving mail port, and it reported that the certificate is expired. I tried the same line on my smtp port 587 and it hung, do I need to change imap to smtp? At any rate, it's very confusing because ssllabs says it's all right, and if I go to mail.mydomain.com and click on the security lock thingy and look at the certificate, it says it's good until February 9, 2021.

Thank you both for replying!
 
Old 11-17-2020, 02:39 AM   #5
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 15,842
Blog Entries: 9

Rep: Reputation: 4642
Quote:
Originally Posted by mEllis
Claws-Mail, keeps saying my SSL certificate is expired and asks me to accept use of the expired cert.
I just tried claws-mail on my laptop: it informs me of a changed certificate, and whether I want to accept it or not. So, clearly a different message from what you're seeing.
That leads me to believe that smallpond is correct to suspect a server-side problem with the cert.
 
Old 11-17-2020, 02:06 PM   #6
mEllis
LQ Newbie
 
Registered: Nov 2008
Location: American Fork, UT, USA
Distribution: Slackware 14.2
Posts: 10

Original Poster
Rep: Reputation: 0
I agree. There's definitely something going on where for my website and my mail server the SSL seems current and intact, but then mail clients don't recognize the mail server SSL certificate as valid.

To set my mail server up, along with the SSL, I basically followed the instructions at here and here, with some deviation. When the SSL cert expired on the mail server, I followed the instructions again in the latter site to get a new certificate. Obviously, that didn't work for email clients. What is the proper way of using the acme to remove the expired certificate and get a new one?

Looking at the listing in the /etc/ssl directory, it's apparent that my mail.mydomain.com.crt is still dated from July, while my mail.mydomain.com.fullchain.pem is Nov 11, which indicates to me that for the .pem, my crontab job is working. For my domain proper, the mydomain.com.fullchain.pem is dated Nov 16, which also indicates the cron job is working. Do I just need to remove the old certificate? The .crt file? The .key files in the private folder, however, are still dated from June. It appears that my acme-client.conf is pointing to the .pem files and the .key files, and my httpd.conf is too. Maybe the .crt file in the /etc/ssl is messing things up?

Any help is much appreciated. Thank you.
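
The checks discussed in this thread, as an added example that is not from any of the posters: it asks each mail port for its certificate using the STARTTLS dialect that matches the service (`-starttls imap` on 143, `-starttls smtp` on 587; a mismatched dialect can stall the handshake) and prints the expiry of the certificate files on disk for comparison. The host name `mail.example.org`, the file paths in the usage comment and the two sample transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example. Host, ports and paths are placeholders; adjust to your server.

# probe HOST PORT PROTO: handshake transcript for one STARTTLS service.
probe() {
    openssl s_client -starttls "$3" -servername "$1" -connect "$1:$2" \
        </dev/null 2>&1
}

# verify_status: classify a transcript (stdin) by its "Verify return code".
verify_status() {
    awk '
        /Verify return code:/ && !found { code = $4; found = 1 }
        END {
            if (!found)          print "no-handshake"
            else if (code == 0)  print "ok"
            else if (code == 10) print "expired"
            else                 print "error-" code
        }'
}

# check_host HOST: verdict and leaf-certificate expiry for each mail port.
check_host() {
    host=$1
    for svc in 143:imap 587:smtp; do
        port=${svc%%:*} proto=${svc##*:}
        out=$(probe "$host" "$port" "$proto")
        printf '%s/%s: %s\n' "$port" "$proto" \
            "$(printf '%s\n' "$out" | verify_status)"
        printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null
    done
}

# check_files FILE...: expiry of each certificate file on disk.
check_files() {
    for f in "$@"; do
        printf '%s: ' "$f"
        openssl x509 -noout -enddate -in "$f"
    done
}

# Constructed transcripts (not captured from a real server).
SAMPLE_EXPIRED='depth=0 CN = mail.example.org
verify error:num=10:certificate has expired
    Verify return code: 10 (certificate has expired)'
SAMPLE_OK='depth=0 CN = mail.example.org
verify return:1
    Verify return code: 0 (ok)'

# Usage: check_host mail.example.org
#        check_files /etc/ssl/mail.example.org.crt /etc/ssl/mail.example.org.fullchain.pem
```

If a port reports `expired` while the newest file on disk is current, the daemon behind that port is still configured for, or has not reloaded from, an older certificate file.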
 
  


Tags
email, mail-client, server, ssl authentication

