[opensuse] When connecting to my own dovecot server, Alpine complains that it is using self-signed certificates.
Hi,

When connecting to my own dovecot server, Alpine complains that it is using self-signed certificates. Yes, I know about the /novalidate-cert/ option in Alpine, but I have to type it on every single folder used anywhere: config, rules, etc. And I forget some.

I wonder if I could configure somewhere that my self-signed certificate is correct, signed by me, that I'm a valid authority to sign certificates inside my network.

My certificate is here:

  Telcontar:~ # mc /etc/ssl/certs/
  Telcontar:/etc/ssl/certs # l | grep dove
  lrwxrwxrwx 1 root root   11 Jun 17 00:37 895d2550.0 -> dovecot.pem
  lrwxrwxrwx 1 root root   11 Jun 17 00:37 906230b5.0 -> dovecot.pem
  -rw-r--r-- 1 root root 1058 Jun 15  2013 dovecot.pem

and here:

  Telcontar:/etc/ssl/private # l
  total 12
  drwx------ 2 root root 4096 Aug 13 19:33 ./
  drwxr-xr-x 6 root root 4096 Aug 13 19:33 ../
  -rw------- 1 root root  916 Jun 15  2013 dovecot.pem
  Telcontar:/etc/ssl/private #

Do I need something else?

--
Cheers,
Carlos E. R.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08/31/2014 09:53 AM, Carlos E. R. wrote:
Do I need something else?
You might try Thunderbird, Seamonkey or other email app. With it, you just accept the certificate once and it works fine.
On 2014-08-31 16:07, James Knott wrote:
On 08/31/2014 09:53 AM, Carlos E. R. wrote:
Do I need something else?
You might try Thunderbird, Seamonkey or other email app. With it, you just accept the certificate once and it works fine.
They work. I also want Alpine to work. The equivalent in Alpine is the /novalidate-cert/ option, but it has to be applied per folder defined.

Other tools also complain of the self-signed certificate.

So, what do I do with the certificate so that it is accepted by everybody?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/31/2014 11:08 AM, Carlos E. R. wrote:
Other tools also complain of the self-signed certificate.
So, what do I do with the certificate so that it is accepted by everybody?
Get your certificate signed by a certificate authority such as Verisign.
On 2014-08-31 17:14, James Knott wrote:
On 08/31/2014 11:08 AM, Carlos E. R. wrote:
Other tools also complain of the self-signed certificate.
So, what do I do with the certificate so that it is accepted by everybody?
Get your certificate signed by a certificate authority such as Verisign.
No. I want to become a certificate authority valid for my own network. How do I fool my own computer into believing that?

Same as when I add a new certificate authority to Firefox: from then on it accepts any certificate signed by it.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/31/2014 11:22 AM, Carlos E. R. wrote:
No. I want to become a certificate authority valid for my own network. How do I fool my own computer into believing that?
Same as when I add a new certificate authority to Firefox, from them on it accepts any certificate signed by it.
My understanding is that it's only Alpine that's causing the problem. Your computer doesn't "accept" a certificate. Apps do. As I mentioned, with other apps, you just have to accept it once. So perhaps you should be asking the Alpine people why their app is broken.

With signed certificates, they can be traced back to some signing authority, which the app recognizes. For example, Thunderbird comes with a list of authorities that can be trusted.
On 2014-08-31 17:26, James Knott wrote:
On 08/31/2014 11:22 AM, Carlos E. R. wrote:
My understanding is that it's only Alpine that's causing the problem. Your computer doesn't "accept" a certificate. Apps do. As I mentioned, with other apps, you just have to accept it once. So perhaps you should be asking the Alpine people why their app is broken.
Again, it is not broken. They provide a method to accept the certificate. And it is not only Alpine, there are others.
With signed certificates, they can be traced back to some signing authority, which the app recognizes. For example, Thunderbird comes with a list of authorities that can be trusted.
Authorities can be added to the *system* *store*.

How?

That's my question. I want to create one and add it. Simple as that.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 31/08/14 16:33, Carlos E. R. wrote:
Authorities can be added to the *system* *store*.
How?
That's my question. I want to create one and add it. Simple as that.
Have you tried any of these:

http://lmgtfy.com/?q=create+your+own+certificate+authority+linux
On 2014-08-31 18:21, Dylan wrote:
On 31/08/14 16:33, Carlos E. R. wrote:
Authorities can be added to the *system* *store*.
How?
That's my question. I want to create one and add it. Simple as that.
Have you tried any of these:
http://lmgtfy.com/?q=create+your+own+certificate+authority+linux
Nope. I thought that someone might know of how to do it, or a document for openSUSE.

That google thing finds 51,300 results. Polishing to "create your own certificate authority opensuse" gets 21,300 results - and none of those I read mentions that there is a YaST module that creates your own local CA!

Ok, so I create an authority. But now I don't know how to add or sign the dovecot certificate with it.

Refining to "create your own certificate authority YaST" finds a book for 56€ that apparently explains this. I also find some openSUSE 10.2 documentation about it.

http://www.mpipks-dresden.mpg.de/~mueller/docs/suse10.2/html/opensuse-manual...

But now I need to create the dovecot certificate. The documentation only says:

+++·················
  Click Add+Add Server Certificate and create a server certificate.
  Click Add+Add Client Certificate and create a client certificate. Do not forget to enter an e-mail address.
  Finish with Ok
·················++-

which is saying nothing. I already know how to click on the mouse. :-/

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
That google thing finds 51,300 results. Polishing to "create your own certificate authority opensuse" gets 21,300 results - and none of those I read mentions that there is a YaST module that creates your own local CA!
Ok, so I create an authority. But now I don't know how to add or sign the dovecot certificate with it.
Once you have established yourself as a CA, you then act like one. With your user hat on, you create a certificate and a signing request and send it to your CA, i.e. yourself. You put your CA hat on etcetera. It is a pretty well documented process, even if a bit cumbersome. I don't know to what extent any of this can be done with YaST, but none of it is specific to openSUSE.

--
Per Jessen, Zürich (12.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 2014-09-01 13:00, Per Jessen wrote:
Carlos E. R. wrote:
That google thing finds 51,300 results. Polishing to "create your own certificate authority opensuse" gets 21,300 results - and none of those I read mentions that there is a YaST module that creates your own local CA!
Ok, so I create an authority. But now I don't know how to add or sign the dovecot certificate with it.
Once you have established yourself as a CA, you then act like one. With your user hat on, you create a certificate and a signing request and send it to your CA, i.e. yourself.
I thought that might be so, but no idea how to do that :-?
You put your CA hat on etcetera.
I see that YaST has a tab labeled "requests". I can "import", "Add", "Request". I think that the request I create with the user hat I have to enter on the "Add" button, and signed on the "Request" button. Thanks, that puts me further :-)

What I had done was create, in YaST, a server certificate, and I was looking at copying/exporting/whatever to be used by dovecot. What you say about "sending" the request looks better, but I don't know how to do that.

I still need to learn what to do as "user". I guess I must create some file.
It is a pretty well documented process, even if a bit cumbersome.
Not very well documented - especially the yast part. The only one I found was on google books, on this link:

http://books.google.es/books?id=-jzcJkXTLuUC&pg=PA403&lpg=PA403&dq=create+your+own+certificate+authority+YaST&source=bl&ots=vI3LgdSUwx&sig=ubXetOzb7logfIJuzHXwEOqY_s8&hl=en&sa=X&ei=c6wDVKXQKJPiaqfqgvgC&redir_esc=y#v=onepage&q=create%20your%20own%20certificate%20authority%20YaST&f=false

There are some pages posted from "The Definitive Guide to SUSE Linux Enterprise Server" by Sander van Vugt, which does explain how to use YaST to do these things. It was there where I found some details on how to create a root certificate, and a server certificate. But the excerpt is not complete, there are missing pages, I suppose on purpose so that people buy the book - which at 56€ I'm not in a position to do.

openSUSE's own documentation does not explain things, it just about says "click create to create a certificate". Interesting...
I don't know to what extent any of this can be done with YaST, but none of it is specific to openSUSE.
It is not that simple to locate a good document on google. I have perused some docs I found from there, and none too clear. Maybe if someone gives me a suggestion for a string to search for "sending certificate for signing"... ;-) (that phrase locates entries on how to sign email)

Searching for "ssl certificate signing" instead, on google suggestion, I located one entry:

<http://www.sslshopper.com/what-is-a-csr-certificate-signing-request.html>

Apparently it would be this:

  openssl req -new -keyout server.key -out server.csr

to generate both a key and a CSR, which stands for "Certificate Signing Request". So it must be similar to that, as I already have the certificate made (a script on dovecot does it). Mmm... I could just modify the entry on the dovecot script to also create the request, and run the script again...

  $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
      -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
  chmod 0600 $KEYFILE
  echo
  $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2

Wait... The $CERTFILE above would be it? But it is called "$CERTDIR/dovecot.pem", not *.csr?

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2014-09-01 13:00, Per Jessen wrote:
Carlos E. R. wrote:
That google thing finds 51,300 results. Polishing to "create your own certificate authority opensuse" gets 21,300 results - and none of those I read mentions that there is a YaST module that creates your own local CA!
Ok, so I create an authority. But now I don't know how to add or sign the dovecot certificate with it.
Once you have established yourself as a CA, you then act like one. With your user hat on, you create a certificate and a signing request and send it to your CA, i.e. yourself.
I thought that might be so, but no idea how to do that :-?
Create a root CA: in <myrootauthority> run

  CA.pl -newca

- "CA.pl" is a script that comes with openssl. You will need to familiarise yourself with the whole thing and get a setup that works, it does take some time.

To issue a new certificate:

  openssl req -new -x509 -nodes -keyout file.key -out file.crt
  openssl x509 -x509toreq -in file.crt -signkey file.key -out tmp.pem
  openssl ca -days 3652 -policy policy_anything -out file.pem -infiles tmp.pem
I still need to learn what to do as "user". I guess I must create some file.
It is a pretty well documented process, even if a bit cumbersome.
Not very well documented - especially the yast part.
Dunno about YaST, I have never used it in this context, but the openssl stuff is quite well documented. (if not, I would have never have managed either).

--
Per Jessen, Zürich (12.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
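The CA workflow Per sketches above (CA.pl -newca for the root, a request with the user hat on, "openssl ca" with the CA hat on), written out end to end as an added example. This is not Per's setup nor anything from the thread: it drives "openssl ca" with its own small config instead of CA.pl and the system openssl.cnf, works in a throwaway directory, and the names "lab-ca" and "imap.example.test" are assumptions. The last function is the check a client performs: the issued certificate must chain to ca.crt, which is the file you would later install as a trust anchor.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA driven by "openssl ca"
# (the tool behind CA.pl -newca and Per's signing command), kept in a
# throwaway directory. CA name "lab-ca" and server name "imap.example.test"
# are assumptions; replace them with your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# "openssl ca" needs a config describing the CA directory layout; CA.pl
# normally relies on the system openssl.cnf for this. A private one keeps
# the example independent of whatever /etc/ssl/openssl.cnf contains.
write_ca_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir             = $WORK
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 825
policy          = policy_anything
x509_extensions = server_ext

# Per's "-policy policy_anything": only the CN is mandatory.
[ policy_anything ]
commonName = supplied

[ req ]
distinguished_name = dn
[ dn ]

# Extensions for the root: it must be marked as a CA or clients reject
# anything it signs.
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Extensions stamped onto every server certificate the CA issues.
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:imap.example.test
EOF
}

# CA hat, step 1: directory layout plus a self-signed root (what CA.pl -newca does).
make_ca() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  write_ca_config
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3652 \
    -config "$WORK/ca.cnf" -extensions ca_ext -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  chmod 0600 "$WORK/ca.key"
}

# User hat: a fresh key and a signing request for the mail server.
make_server_csr() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/ca.cnf" \
    -subj "/CN=imap.example.test" \
    -keyout "$WORK/dovecot.key" -out "$WORK/dovecot.csr" 2>/dev/null
  chmod 0600 "$WORK/dovecot.key"
}

# CA hat, step 2: sign the request (Per's command, with -batch so it does
# not prompt). The issued cert goes to dovecot.crt, a copy to newcerts/,
# and index.txt records it.
sign_server_csr() {
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/dovecot.csr" -out "$WORK/dovecot.crt" 2>/dev/null
}

# The check a client performs: does certificate $2 chain to anchor $1?
# Exit status 0 means trusted.
verify_with_anchor() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Did the CA stamp the expected DNS name onto the issued certificate?
cert_has_dns_san() {
  openssl x509 -in "$WORK/dovecot.crt" -noout -text 2>/dev/null | grep -q "DNS:$1"
}

make_ca
make_server_csr
sign_server_csr
verify_with_anchor "$WORK/ca.crt" "$WORK/dovecot.crt" && echo "dovecot.crt chains to ca.crt"
echo "in $WORK: ca.crt (trust anchor for clients), dovecot.key + dovecot.crt (for dovecot)"
```

The server certificate is deliberately not usable as an anchor for itself: verifying dovecot.crt against dovecot.crt fails, because it is issued by lab-ca, not self-signed. That is the difference between this setup and the self-signed dovecot.pem the thread starts from: clients get ca.crt once, and every certificate the CA issues afterwards is accepted without further prompting.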
On 2014-09-01 16:59, Per Jessen wrote:
Carlos E. R. wrote:
Once you have established yourself as a CA, you then act like one. With your user hat on, you create a certificate and a signing request and send it to your CA, i.e. yourself.
I thought that might be so, but no idea how to do that :-?
Create a root CA:
No, no. That part is already done, from YaST.

What I need now is to create a "Certificate Signing Request" from the already existing dovecot server certificate, or create a new dovecot certificate together with the corresponding CSR. That is, the user hat part. I'm looking into that now.

YaST does a lot of things with these certificates, but this is NOT documented. I have found the documentation in paper for SLES, though. Expensive paper.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Carlos E. R. wrote:
On 2014-09-01 16:59, Per Jessen wrote:
Carlos E. R. wrote:
Once you have established yourself as a CA, you then act like one. With your user hat on, you create a certificate and a signing request and send it to your CA, i.e. yourself.
I thought that might be so, but no idea how to do that :-?
Create a root CA:
No, no. That part is already done, from YaST.
Aha.
What I need now is to create a "Certificate Signing Request" from the already existing dovecot server certificate, or create a new dovecot certificate together with the corresponding CSR.
I go thru that every time I install a new HP server. The certificate is issued by a card on the server (ILO card). I then sign it:

  openssl ca -policy policy_anything -days 3650 -in server-ilo.csr -out server-ilo.crt

and install the newly signed certificate on the card. (web interface).
YaST does a lot of things with these certificates, but this is NOT documented.
I know you're keen on working it with YaST, but personally I wouldn't bother. It's an area that is unlikely (IMHO) to have received much if any testing.
I have found the documentation in paper for SLES, though. Expensive paper.
Huh? You probably don't need to buy SLES just to use the documentation :-)

--
Per Jessen, Zürich (12.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2014-09-01 19:38, Per Jessen wrote:
Carlos E. R. wrote:
What I need now is to create a "Certificate Signing Request" from the already existing dovecot server certificate, or create a new dovecot certificate together with the corresponding CSR.
I go thru that everytime I install a new HP server. The certificate is issued by a card on the server (ILO card). I then sign it:
openssl ca -policy policy_anything -days 3650 -in server-ilo.csr -out server-ilo.crt
Not that.

Apparently I have to do something like this:

  openssl req -new -keyout server.key -out server.csr

But that creates the key anew. I would have to find a concoction that given the existing server.key generates the server.csr. I need to produce the server.csr. I don't have it. What I have is /etc/ssl/dovecot.pem and /etc/ssl/private/dovecot.pem.

Alternatively I run again the /usr/share/doc/packages/dovecot/mkcert.sh script changing it appropriately so that it also generates a dovecot.csr file. The current code is this:

  $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
      -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
  chmod 0600 $KEYFILE
  echo
  $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
YaST does a lot of things with these certificates, but this is NOT documented.
I know you're keen on working it with YaST, but personally I wouldn't bother. It's an area that is unlikely (IMHO) to have received much if any testing.
I think it is used on the SLES side.
I have found the documentation in paper for SLES, though. Expensive paper.
Huh? You probably don't need to buy SLES just to use the documentation :-)
No, I mean that it is documented on paper by third parties... not that you have to buy SLES to run it. The code is apparently the same on openSUSE, just that this YaST functionality is not explained on the available free documentation, perhaps on purpose.

You can see some pages of it in the link I posted, the book is good. Some pages are missing, intentionally.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
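The "concoction" asked for above, as an added example that is not part of the thread: a CSR for a key that already exists, built two ways, plus the check that the request really carries that key. Route 1 is the usual "openssl req" recipe with "-key <existing>" in place of "-keyout <new>" and without "-x509" (the "-x509" in mkcert.sh is exactly why the script produces a self-signed certificate rather than a request). Route 2 is Per's "-x509toreq", which rebuilds a request from the existing self-signed certificate. The files under $WORK and the name "imap.example.test" are assumptions; on the box in the thread the inputs would be /etc/ssl/private/dovecot.pem (key) and /etc/ssl/certs/dovecot.pem (certificate).

```shell
#!/bin/sh
# Added example, not from the thread: two ways to get a CSR for an existing
# key, plus the check that the CSR carries that key. Paths under $WORK and
# the name "imap.example.test" are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed stand-in for what dovecot's mkcert.sh produced: "-x509" makes
# the output a self-signed certificate, which is why the script never
# yields a .csr file.
make_existing_selfsigned() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$WORK/req.cnf" -subj "/CN=imap.example.test" \
    -keyout "$WORK/dovecot.key" -out "$WORK/dovecot.pem" 2>/dev/null
  chmod 0600 "$WORK/dovecot.key"
}

# Route 1: CSR from the existing private key ("-key" instead of "-keyout").
csr_from_key() {
  openssl req -new -sha256 -config "$WORK/req.cnf" -key "$WORK/dovecot.key" \
    -subj "/CN=imap.example.test" -out "$WORK/from-key.csr" 2>/dev/null
}

# Route 2: CSR rebuilt from the existing self-signed certificate (Per's
# -x509toreq), which keeps the subject the certificate already has.
csr_from_cert() {
  openssl x509 -x509toreq -in "$WORK/dovecot.pem" -signkey "$WORK/dovecot.key" \
    -out "$WORK/from-cert.csr" 2>/dev/null
}

# Digest of the public key inside a key file, a CSR or a certificate, so
# the three can be compared. Usage: pubkey_digest key|csr|cert FILE
pubkey_digest() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
    csr)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
  esac | openssl dgst -sha256
}

# A CSR is only worth sending to the CA if it carries the key dovecot will
# use; otherwise the issued certificate will not match the server's key.
csr_matches_key() {
  [ "$(pubkey_digest csr "$1")" = "$(pubkey_digest key "$WORK/dovecot.key")" ]
}

# A CSR is self-signed with the requested key; a bad signature means it was
# damaged in transit or built against a different key.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_subject() { openssl req -in "$1" -noout -subject 2>/dev/null; }

make_existing_selfsigned
csr_from_key
csr_from_cert
for csr in from-key.csr from-cert.csr; do
  if csr_matches_key "$WORK/$csr" && csr_signature_ok "$WORK/$csr"; then
    echo "$csr: $(csr_subject "$WORK/$csr") -- carries dovecot.key, ready for the CA"
  else
    echo "$csr: does NOT carry dovecot.key"
  fi
done
```

Either .csr file is what you "send" to the CA; with YaST it would go through the "Add" button on the requests tab, with plain openssl it is the "-in" argument of "openssl ca". Once the CA returns the signed certificate, dovecot keeps using the same key file it has now and only the certificate file changes.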
Carlos E. R. wrote:
On 2014-09-01 19:38, Per Jessen wrote:
Carlos E. R. wrote:
What I need now is to create a "Certificate Signing Request" from the already existing dovecot server certificate, or create a new dovecot certificate together with the corresponding CSR.
I go thru that everytime I install a new HP server. The certificate is issued by a card on the server (ILO card). I then sign it:
openssl ca -policy policy_anything -days 3650 -in server-ilo.csr -out server-ilo.crt
Not that.
Apparently I have to do something like this:
openssl req -new -keyout server.key -out server.csr
But that creates the key anew. I would have to find a concoction that given the existing server.key generates the server.csr. I need to produce the server.csr. I don't have it. What I have is /etc/ssl/dovecot.pem and /etc/ssl/private/dovecot.pem.
I don't see the problem in re-issuing the certificate/key? Anyway, I'm definitely not an expert. Maybe try this: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x195.html See "2.5.3. Renew a certificate".
I have found the documentation in paper for SLES, though. Expensive paper.
Huh? You probably don't need to buy SLES just to use the documentation :-)
No, I mean that it is documented on paper by third parties... not that you have to buy SLES to run it. The code is apparently the same on openSUSE, just that this YaST functionality is not explained on the available free documentation, perhaps on purpose.
You can see some pages of it in the link I posted, the book is good. Some pages are missing, intentionally.
Aha, I thought it was some of the SUSE documentation (which I think is all freely downloadable).

--
Per Jessen, Zürich (12.9°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 09/01/2014 01:05 PM, Carlos E. R. wrote:
On 2014-09-01 19:38, Per Jessen wrote:
Carlos E. R. wrote:
What I need now is to create a "Certificate Signing Request" from the already existing dovecot server certificate, or create a new dovecot certificate together with the corresponding CSR.
I go thru that everytime I install a new HP server. The certificate is issued by a card on the server (ILO card). I then sign it:
openssl ca -policy policy_anything -days 3650 -in server-ilo.csr -out server-ilo.crt
Not that.
Apparently I have to do something like this:
openssl req -new -keyout server.key -out server.csr
But that creates the key anew. I would have to find a concoction that given the existing server.key generates the server.csr. I need to produce the server.csr. I don't have it. What I have is /etc/ssl/dovecot.pem and /etc/ssl/private/dovecot.pem.
Alternatively I run again the /usr/share/doc/packages/dovecot/mkcert.sh script changing it appropriately so that it also generates a dovecot.csr file. The current code is this:
  $OPENSSL req -new -x509 -nodes -config $OPENSSLCONFIG \
      -out $CERTFILE -keyout $KEYFILE -days 365 || exit 2
  chmod 0600 $KEYFILE
  echo
  $OPENSSL x509 -subject -fingerprint -noout -in $CERTFILE || exit 2
Carlos,

I automated this process such that all keys, signing reqs, and cert files are generated (it also used to set the a2en flag for opensuse http/ssl). It has been adapted several times, and don't forget to change the config information in the middle of the script (or your certs will be issued by me :). Give it a look and a run. It's all you need to configure yourself with self-signed certs:

http://www.3111skyline.com/dl/dev/scr/arch/apache-ssl-Arch

Read through it first. Confirm the paths you want, etc. At one point during csr creation you provide a temp password. It can be anything like tmp, it doesn't matter, that is removed later in the script (so you are not prompted on each httpd start). Once you add the config info of your own, then it is as simple as

  ./apachessl www.yourcn.com

and all will be done :)

--
David C. Rankin, J.D.,P.E.
On Sun, Aug 31, 2014 at 9:53 AM, Carlos E. R. <carlos.e.r@opensuse.org> wrote:
Hi,
When connecting to my own dovecot server, Alpine complains that it is using self-signed certificates. Yes, I know about the /novalidate-cert/ option in Alpine, but I have to type it on every single folder used anywhere: config, rules, etc. And I forget some.
I wonder if I could configure somewhere that my self-signed certificate is correct, signed by me, that I'm a valid authority to sign certificates inside my network.
My certificate is here:
Telcontar:~ # mc /etc/ssl/certs/
  Telcontar:/etc/ssl/certs # l | grep dove
  lrwxrwxrwx 1 root root   11 Jun 17 00:37 895d2550.0 -> dovecot.pem
  lrwxrwxrwx 1 root root   11 Jun 17 00:37 906230b5.0 -> dovecot.pem
  -rw-r--r-- 1 root root 1058 Jun 15  2013 dovecot.pem
and here:
  Telcontar:/etc/ssl/private # l
  total 12
  drwx------ 2 root root 4096 Aug 13 19:33 ./
  drwxr-xr-x 6 root root 4096 Aug 13 19:33 ../
  -rw------- 1 root root  916 Jun 15  2013 dovecot.pem
  Telcontar:/etc/ssl/private #
Do I need something else?
/etc/ssl/certs is deprecated and your CA certs should be placed into /etc/pki/trust/anchors, this may be why Alpine doesn't recognize the certificate. After placing the cert in /etc/pki/trust/anchors run "sudo update-ca-certificates" to update the certificate stores and rebuild the hashes.
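What "rebuild the hashes" means in practice, as an added example (not from the thread, and not the update-ca-certificates script itself). An OpenSSL trust directory is searched by subject hash, so the store only works through links named like the 895d2550.0 -> dovecot.pem entries in the listing at the top of the thread (c_rehash creates one link per hash form, which is why dovecot.pem has two); a bare copy of the PEM file is never found. The two directories under $WORK stand in for /etc/pki/trust/anchors and for the hashed store the rebuild produces, so nothing is written to system paths (assumption: a plain user account). The constructed self-signed certificate stands in for dovecot.pem.

```shell
#!/bin/sh
# Added example, not from the thread: the hash links a trust directory
# needs, rebuilt by hand the way update-ca-certificates / c_rehash do it.
# $ANCHORS stands in for /etc/pki/trust/anchors, $STORE for the hashed
# store derived from it; both are assumptions so nothing touches /etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ANCHORS="$WORK/anchors"   # where you drop CA or self-signed PEM files
STORE="$WORK/hashed"      # what the rebuild produces; openssl reads it via -CApath
mkdir -p "$ANCHORS" "$STORE"
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed self-signed server certificate standing in for dovecot.pem.
make_selfsigned() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
    -config "$WORK/req.cnf" -subj "/CN=imap.example.test" \
    -keyout "$WORK/dovecot.key" -out "$WORK/dovecot.pem" 2>/dev/null
}

# The core of a store rebuild: for every anchor, copy it in and add a link
# named after its subject hash. The .0/.1 suffix separates anchors whose
# subjects hash alike.
rebuild_store() {
  rm -rf "$STORE" && mkdir -p "$STORE"
  for pem in "$ANCHORS"/*.pem; do
    [ -f "$pem" ] || continue
    name=$(basename "$pem")
    cp "$pem" "$STORE/$name"
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    n=0
    while [ -e "$STORE/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$STORE/$hash.$n"
  done
}

# The check a client does: is this certificate (or its issuer) an anchor in
# the store? Exit status 0 means trusted.
trusted_by_store() {
  openssl verify -CApath "$STORE" "$1" >/dev/null 2>&1
}

make_selfsigned

trusted_by_store "$WORK/dovecot.pem" && echo "1: trusted (unexpected)" \
  || echo "1: empty store, self-signed certificate rejected"

cp "$WORK/dovecot.pem" "$STORE/dovecot.pem"    # file present, but no hash link
trusted_by_store "$WORK/dovecot.pem" && echo "2: trusted (unexpected)" \
  || echo "2: PEM copied into the store but not hashed, still rejected"

cp "$WORK/dovecot.pem" "$ANCHORS/dovecot.pem"  # the proper route: anchor, then rebuild
rebuild_store
trusted_by_store "$WORK/dovecot.pem" && echo "3: anchor installed and hashes rebuilt, accepted"
ls -l "$STORE"
```

Step 2 is the failure mode behind "I copied the certificate there and it still complains": the file is in the directory, but without the hash link no OpenSSL-based client will ever look at it. On openSUSE the rebuild is what "sudo update-ca-certificates" does after you place the file in /etc/pki/trust/anchors; the example only replicates the hashing so the effect can be seen without root.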
participants (7): Carlos E. R., Carlos E. R., Darin Perusich, David C. Rankin, Dylan, James Knott, Per Jessen