Expired certificates issue

hede kolab983 at der-he.de
Tue Jan 7 09:38:18 CET 2020


On 04.01.2020 23:31, Hernan Saltiel wrote:
> [...]
>     I'm using Kolab 16, and some time ago some certificate expired, so
> when our Outlook users open their mail client, a message stating that
> the certificate has expired appears.
>     I was re-reading the installation process, and I'm really confused
> about which certificate I need to recreate, and how.
>     Please, if somebody had an issue like this one, let me know how to
> deal with it. [...]

If it's Outlook it's either imap, smtp or http (activesync) or any 
combination of those.

First you have to decide whether to use a self-signed certificate or 
a regular CA certificate. The first one will always trigger warnings, 
so the latter one is quite common. Here you can either buy a 
certificate (from your next SSL certificate dealer) or simply use Let's 
Encrypt, which is free of charge. There is plenty of guidance on how to 
create self-signed or Let's Encrypt certificates; use your favorite 
search engine to find it:

- https://duckduckgo.com/?q=openssl+create+certificate&t=h_&ia=web
- https://duckduckgo.com/?q=let%27s+encrypt+getting+started&t=h_&ia=web

Then, if the certificate is installed and ready to use at your server, 
change the corresponding config files to point to your new SSL 
certificates and keys. Let's say you have the following files:

1. Key:  /etc/certbot/privkey.pem
2. Cert: /etc/certbot/cert.pem
3. Cert+Intermediates: /etc/certbot/fullchain.pem
4. Cert+Intermediates+Key: /etc/certbot/fullchainandkey.pem

(The last one is uncommon with certbot defaults and not needed by 
default, but it's simply created by "cat"ing 1. and 3.; the default path 
for certbot includes the domain, which is unknown to me, and as such I have 
not included it in the examples here. You have to change your paths 
accordingly.)

Then you have to edit the following files and values:

/etc/postfix/main.cf
####
smtpd_tls_cert_file=/etc/certbot/fullchain.pem
smtpd_tls_key_file=/etc/certbot/privkey.pem
submission_tls_cert_file = /etc/certbot/fullchain.pem
submission_tls_key_file = /etc/certbot/privkey.pem
smtp_tls_cert_file = /etc/certbot/fullchain.pem
smtp_tls_key_file = /etc/certbot/privkey.pem
####

/etc/imap.conf (needed esp. if guam is not used)
####
tls_server_cert: /etc/certbot/fullchain.pem
tls_server_key: /etc/certbot/privkey.pem
####

/etc/apache2/sites-enabled/default-ssl.conf (or any other apache ssl 
config)
####
SSLCertificateFile    /etc/certbot/fullchain.pem
SSLCertificateKeyFile /etc/certbot/privkey.pem
####

/etc/guam/sys.config
you must edit the file in two places: sections imaps (port 993, 
implicit_tls) and imap (port 143, starttls)
####
[...]
tls_config, [
     { keyfile, "/etc/certbot/privkey.pem" },
     { certfile, "/etc/certbot/cert.pem" },
     { cacertfile, "/etc/certbot/fullchain.pem" },
     [...]
     ]
[...]
####

If you have installed ejabberd:
/etc/ejabberd/ejabberd.yml
####
certfiles:
  - "/etc/certbot/fullchainandkey.pem"
####

Have I forgotten something?

regards
hede
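The post above lists the config keys that reference certificate files across Postfix, Cyrus, Apache, Guam and ejabberd, but leaves the actual "which file is expired?" check to the reader. The script below is an added example (not from hede's post and not part of the Kolab project): it pulls the certificate paths out of config text using exactly the key names quoted above, reads the notAfter date of the leaf certificate of each PEM with a minimal stdlib-only DER walker (no `cryptography` dependency, since a mail server may not have it), and reports which ones are expired or due for renewal. The certificate builder `make_test_cert_pem`, the `SAMPLE_CONFIG` text and the `NOW` timestamp are constructed stand-ins for the files on disk; `make_test_cert_pem` produces an unsigned placeholder certificate with a chosen validity period so the example runs offline. On a real host you would replace the `on_disk` dictionary with `open(path).read()` for each path.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

# ---- minimal DER encode/decode: just enough to reach X.509 Validity ----

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    """Encode one DER TLV element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def children(buf, start, end):
    """Iterate over the TLVs contained in a constructed element."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:                         # YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                       # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s[:14] + "Z", "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(pem):
    """Return (notBefore, notAfter) of the first certificate in a PEM file.
    In a fullchain.pem the first block is the leaf, which is the one that expires."""
    first = pem.split("-----END CERTIFICATE-----")[0]
    b64 = "".join(l.strip() for l in first.splitlines() if not l.startswith("-----"))
    buf = base64.b64decode(b64)
    _, cs, _ = read_tlv(buf, 0)             # Certificate ::= SEQUENCE
    _, ts, te = read_tlv(buf, cs)           # tbsCertificate ::= SEQUENCE
    fields = list(children(buf, ts, te))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version (v3 certs)
        fields = fields[1:]
    _, vs, ve = fields[3]                   # serial, signature, issuer, *validity*, ...
    not_before, not_after = [parse_time(t, buf[a:b]) for t, a, b in children(buf, vs, ve)]
    return not_before, not_after

# ---- config scanning: the cert (not key) option names from the post ----

CERT_KEYS = ("smtpd_tls_cert_file", "submission_tls_cert_file", "smtp_tls_cert_file",
             "tls_server_cert", "SSLCertificateFile", "certfile", "cacertfile")
PATH_RE = re.compile(r"(?:" + "|".join(CERT_KEYS) + r')\s*[=:,]?\s*"?(/[^\s",}]+)')

def cert_paths_in_config(text):
    """Certificate file paths referenced by Postfix/Cyrus/Apache/Guam/ejabberd lines."""
    paths = PATH_RE.findall(text)
    paths += re.findall(r'^\s*-\s*"?(/[^\s"]+)', text, re.M)   # ejabberd "certfiles:" list
    return sorted(set(paths))

def expiry_report(cert_texts, now, warn_days=14):
    """cert_texts: {path: pem}. Returns {path: (days_left, status)}."""
    report = {}
    for path, pem in cert_texts.items():
        _, not_after = cert_validity(pem)
        days = (not_after - now).days
        status = "EXPIRED" if days < 0 else ("RENEW SOON" if days < warn_days else "ok")
        report[path] = (days, status)
    return report

# ---- constructed sample data (not real certificates or real config files) ----

def make_test_cert_pem(not_before, not_after):
    """Constructed, unsigned placeholder certificate with the given validity."""
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"example.invalid"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name
              + der(0x30, utc(not_before) + utc(not_after)) + name
              + der(0x30, sig_alg + der(0x03, b"\x00")))           # placeholder SPKI
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00"))            # placeholder signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

SAMPLE_CONFIG = """
smtpd_tls_cert_file=/etc/certbot/fullchain.pem
smtpd_tls_key_file=/etc/certbot/privkey.pem
tls_server_cert: /etc/certbot/fullchain.pem
SSLCertificateFile    /etc/certbot/fullchain.pem
     { certfile, "/etc/certbot/cert.pem" },
     { cacertfile, "/etc/certbot/fullchain.pem" },
certfiles:
  - "/etc/certbot/fullchainandkey.pem"
"""

NOW = datetime(2020, 1, 7, 9, 38, tzinfo=timezone.utc)   # constructed: date of the post

def demo():
    """Scan SAMPLE_CONFIG and check constructed stand-ins for the files on disk."""
    expired = make_test_cert_pem(NOW - timedelta(days=93), NOW - timedelta(days=3))
    renewed = make_test_cert_pem(NOW - timedelta(days=1), NOW + timedelta(days=89))
    on_disk = {"/etc/certbot/cert.pem": expired,
               "/etc/certbot/fullchain.pem": expired,
               "/etc/certbot/fullchainandkey.pem": renewed}
    return expiry_report({p: on_disk[p] for p in cert_paths_in_config(SAMPLE_CONFIG)}, NOW)

if __name__ == "__main__":
    for path, (days, status) in demo().items():
        print("%-40s %5d days  %s" % (path, days, status))
```

Once the files are replaced and the services restarted, the same check is worth repeating from the outside rather than on disk, since a daemon that was not restarted keeps serving the old certificate; `openssl s_client -connect host:993` and `openssl s_client -connect host:587 -starttls smtp` show what Outlook actually receives.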

