Can't login to roundcube after upgrading from Kolab 3.3 to 3.4: problem with ssl cert?

Thomas Spuhler thomas.spuhler at btspuhler.com
Thu Aug 6 18:04:08 CEST 2015


On Thursday, August 06, 2015 06:00:52 PM Thomas Luft wrote:
> Hi everyone,
> 
> after I upgraded to Kolab 3.4 I can't use roundcube any more. I can
> access the IMAP server with Thunderbird, but ActiveSync, iRony and
> Roundcube are not working at all.
> 
> This is my roundcube config.inc.php:
> 
> <?php
>     $config = array();
> 
>     $config['db_dsnw'] = 'mysqli://roundcube:password@localhost/roundcube';
> 
>     $config['session_domain'] = '';
>     $config['des_key'] = "DES KEY";
>     $config['username_domain'] = 'servername.com';
>     $config['use_secure_urls'] = true;
>     $config['assets_path'] = 'assets/';
> 
>     $config['mail_domain'] = '';
> 
>     // IMAP Server Settings
>     $config['default_host'] = 'ssl://localhost';
>     $config['default_port'] = 993;
>     $config['imap_delimiter'] = '/';
>     $config['imap_force_lsub'] = true;
> 
>     // Caching and storage settings
>     $config['imap_cache'] = 'db';
>     $config['imap_cache_ttl'] = '10d';
>     $config['messages_cache'] = 'db';
>     $config['message_cache_ttl'] = '10d';
>     $config['session_storage'] = 'db';
> 
>     // SMTP Server Settings
>     $config['smtp_server'] = 'tls://localhost';
>     $config['smtp_port'] = 587;
>     $config['smtp_user'] = '%u';
>     $config['smtp_pass'] = '%p';
>     $config['smtp_helo_host'] = $_SERVER["HTTP_HOST"];
> 
>     // LDAP Settings
>     $config['ldap_cache'] = 'db';
>     $config['ldap_cache_ttl'] = '1h';
> 
>     // Kolab specific defaults
>     $config['product_name'] = 'Kolab Groupware';
>     // Disabled with Kolab 3.4
>     // $config['skin_logo'] = 'skins/kolab/images/kolab_logo.png';
>     $config['quota_zero_as_unlimited'] = false;
>     $config['login_lc'] = 2;
>     $config['auto_create_user'] = true;
>     $config['enable_installer'] = false;
>     // The SMTP server does not allow empty identities
>     $config['mdn_use_from'] = true;
>     [...]
> ?>
> 
> I tested the SSL connection with openssl:
> 
> openssl s_client -showcerts -connect localhost:143 -starttls imap
> 
> CONNECTED(00000003)
> depth=0 CN = kolab.servername.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = kolab.servername.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = kolab.servername.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=kolab.servername.com
>    i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=kolab.servername.com
> issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3233 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID: B7A3F93440DB3A0BACB4D1B9507C7C0E59950CCF943E9FAF12BB2B0FA4EF748D
>     Session-ID-ctx:
>     Master-Key: 9F28EE692FD84A24BDF77B5BB92A199DA503754F800F5140E1AE15FC29F2C66B37B4999E70047CD08914193C6E7AB33B
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 86400 (seconds)
>     TLS session ticket:
>     [...]
>     Start Time: 1438876127
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> . OK Completed
> 
> . login user pass
> . OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
> SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS
> LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE
> CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=PLAIN
> AUTH=LOGIN COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
> SESSIONID=<kolab.servername.com-804-1438876127-1-13038804112258725496>
> 
> The certificate is from cacert.org but the key chain is missing. How do
> I fix this?
> 
> Kind regards
> 
> Thomas

Did you upgrade PHP as well? 5.6 may have a problem finding the certs?

-- 
Best regards
Thomas Spuhler

All of my e-mails have a valid digital signature
ID 60114E63
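
Added example (not part of either message): a small Python check that reads `openssl s_client -showcerts` text like the transcript quoted above and reports how many certificates the server sent and which issuer the client could not find. The names `diagnose` and `SAMPLE` are hypothetical, and the sample is a constructed, trimmed copy of the quoted output.

```python
import re

# Constructed sample: trimmed copy of the s_client output quoted in this thread.
SAMPLE = """\
depth=0 CN = kolab.servername.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=kolab.servername.com
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
    Verify return code: 21 (unable to verify the first certificate)
"""

def diagnose(transcript):
    """Summarise what a client could not verify, from s_client -showcerts text."""
    # Each failure is a "depth=N <subject>" line followed by "verify error:num=...".
    errors = [(int(d), int(n)) for d, n in re.findall(
        r"^depth=(\d+) .*\nverify error:num=(\d+):", transcript, re.M)]
    # Chain entries sent by the server: " N s:<subject>" then "   i:<issuer>".
    chain = {int(i): (subj.strip(), iss.strip()) for i, subj, iss in re.findall(
        r"^ *(\d+) s:(.*)\n +i:(.*)$", transcript, re.M)}
    # Codes 20 and 21 are reported when the issuer of the certificate at that
    # depth could not be found (assumes depth N matches chain entry N).
    missing = sorted({chain[d][1] for d, n in errors
                      if n in (20, 21) and d in chain})
    final = re.search(r"Verify return code: (\d+)", transcript)
    return {
        "certs_sent": len(chain),
        "error_codes": sorted({n for _, n in errors}),
        "issuer_not_found": missing,
        "return_code": int(final.group(1)) if final else None,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

A single entry under `certs_sent` together with a non-empty `issuer_not_found` means the named issuer was neither sent by the server nor present in the trust store of the client that ran the check.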