Can't login to roundcube after upgrading from Kolab 3.3 to 3.4: problem with ssl cert?

Shaw, Brian bshaw at vsvinc.com
Thu Aug 6 22:36:54 CEST 2015 

On 2015-08-06 12:00 pm, Thomas Luft wrote:
> Hi everyone,
> 
> after I upgraded to Kolab 3.4 I can't use roundcube any more. I can
> access the IMAP server with Thunderbird, but ActiveSync, iRony and
> Roundcube are not working at all.
> 
> This is my roundcube config.inc.php:
> 
> <?php
>     $config = array();
> 
>     $config['db_dsnw'] = 
> 'mysqli://roundcube:password@localhost/roundcube';
> 
>     $config['session_domain'] = '';
>     $config['des_key'] = "DES KEY";
>     $config['username_domain'] = 'servername.com';
>     $config['use_secure_urls'] = true;
>     $config['assets_path'] = 'assets/';
> 
>     $config['mail_domain'] = '';
> 
>     // IMAP Server Settings
>     $config['default_host'] = 'ssl://localhost';
>     $config['default_port'] = 993;
>     $config['imap_delimiter'] = '/';
>     $config['imap_force_lsub'] = true;
> 
>     // Caching and storage settings
>     $config['imap_cache'] = 'db';
>     $config['imap_cache_ttl'] = '10d';
>     $config['messages_cache'] = 'db';
>     $config['message_cache_ttl'] = '10d';
>     $config['session_storage'] = 'db';
> 
>     // SMTP Server Settings
>     $config['smtp_server'] = 'tls://localhost';
>     $config['smtp_port'] = 587;
>     $config['smtp_user'] = '%u';
>     $config['smtp_pass'] = '%p';
>     $config['smtp_helo_host'] = $_SERVER["HTTP_HOST"];
> 
>     // LDAP Settings
>     $config['ldap_cache'] = 'db';
>     $config['ldap_cache_ttl'] = '1h';
> 
>     // Kolab specific defaults
>     $config['product_name'] = 'Kolab Groupware';
>     // Disabled with Kolab 3.4
>     // $config['skin_logo'] = 'skins/kolab/images/kolab_logo.png';
>     $config['quota_zero_as_unlimited'] = false;
>     $config['login_lc'] = 2;
>     $config['auto_create_user'] = true;
>     $config['enable_installer'] = false;
>     // The SMTP server does not allow empty identities
>     $config['mdn_use_from'] = true;
>     [...]
> ?>
> 
> I tested the SSL connection with openssl:
> 
> openssl s_client -showcerts -connect localhost:143 -starttls imap
> 
> CONNECTED(00000003)
> depth=0 CN = kolab.servername.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = kolab.servername.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 CN = kolab.servername.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=kolab.servername.com
>    i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
> -----BEGIN CERTIFICATE-----
> [...]
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/CN=kolab.servername.com
> issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3233 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> B7A3F93440DB3A0BACB4D1B9507C7C0E59950CCF943E9FAF12BB2B0FA4EF748D
>     Session-ID-ctx:
>     Master-Key:
> 9F28EE692FD84A24BDF77B5BB92A199DA503754F800F5140E1AE15FC29F2C66B37B4999E70047CD08914193C6E7AB33B
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 86400 (seconds)
>     TLS session ticket:
>     [...]
>     Start Time: 1438876127
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> . OK Completed
> 
> . login user pass
> . OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
> SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES
> ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS
> LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE
> CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=PLAIN
> AUTH=LOGIN COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
> X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
> SESSIONID=<kolab.servername.com-804-1438876127-1-13038804112258725496>
> 
> The certificate is from cacert.org but the key chain is missing. How do
> I fix this?
> 
> Kind regards
> 
> Thomas
> _______________________________________________
> users mailing list
> users at lists.kolab.org
> https://lists.kolab.org/mailman/listinfo/users

Thomas,
   Often, a certificate provider's top level certificate is what is 
included in the trust bundle that is distributed with every OS.  
Unfortunately, this is not not what they use to sign your certificate 
and so, the chain is immediately broken.
   What you need to do is download the intermediate certificate(s) from 
cacert.org and append then to your certificate to make a new bundle.  
This new bundle is what you tell your web browser and other apps about.
   IIRC, the command is something like:

     cat <your certificate>.pem <ca bundle>.pem > <new certificate 
bundle>.pem

Brian

More information about the users mailing list