Can't login to roundcube after upgrading from Kolab 3.3 to 3.4: problem with ssl cert?

Thomas Luft thomas at die-lufts.org
Thu Aug 6 18:00:52 CEST 2015


Hi everyone,

after I upgraded to Kolab 3.4 I can't use roundcube any more. I can
access the IMAP server with Thunderbird, but ActiveSync, iRony and
Roundcube are not working at all.

This is my roundcube config.inc.php:

<?php
    $config = array();

    $config['db_dsnw'] = 'mysqli://roundcube:password@localhost/roundcube';

    $config['session_domain'] = '';
    $config['des_key'] = "DES KEY";
    $config['username_domain'] = 'servername.com';
    $config['use_secure_urls'] = true;
    $config['assets_path'] = 'assets/';

    $config['mail_domain'] = '';

    // IMAP Server Settings
    $config['default_host'] = 'ssl://localhost';
    $config['default_port'] = 993;
    $config['imap_delimiter'] = '/';
    $config['imap_force_lsub'] = true;

    // Caching and storage settings
    $config['imap_cache'] = 'db';
    $config['imap_cache_ttl'] = '10d';
    $config['messages_cache'] = 'db';
    $config['message_cache_ttl'] = '10d';
    $config['session_storage'] = 'db';

    // SMTP Server Settings
    $config['smtp_server'] = 'tls://localhost';
    $config['smtp_port'] = 587;
    $config['smtp_user'] = '%u';
    $config['smtp_pass'] = '%p';
    $config['smtp_helo_host'] = $_SERVER["HTTP_HOST"];

    // LDAP Settings
    $config['ldap_cache'] = 'db';
    $config['ldap_cache_ttl'] = '1h';

    // Kolab specific defaults
    $config['product_name'] = 'Kolab Groupware';
    // Disabled with Kolab 3.4
    // $config['skin_logo'] = 'skins/kolab/images/kolab_logo.png';
    $config['quota_zero_as_unlimited'] = false;
    $config['login_lc'] = 2;
    $config['auto_create_user'] = true;
    $config['enable_installer'] = false;
    // The SMTP server does not allow empty identities
    $config['mdn_use_from'] = true;
    [...]
?>

I tested the SSL connection with openssl:

openssl s_client -showcerts -connect localhost:143 -starttls imap

CONNECTED(00000003)
depth=0 CN = kolab.servername.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=kolab.servername.com
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=kolab.servername.com
issuer=/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
No client certificate CA names sent
---
SSL handshake has read 3233 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
B7A3F93440DB3A0BACB4D1B9507C7C0E59950CCF943E9FAF12BB2B0FA4EF748D
    Session-ID-ctx:
    Master-Key:
9F28EE692FD84A24BDF77B5BB92A199DA503754F800F5140E1AE15FC29F2C66B37B4999E70047CD08914193C6E7AB33B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    [...]
    Start Time: 1438876127
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
. OK Completed

. login user pass
. OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=kxten QUOTA
MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=MODSEQ
SORT=DISPLAY SORT=UID THREAD=ORDEREDSUBJECT THREAD=REFERENCES
ANNOTATEMORE ANNOTATE-EXPERIMENT-1 METADATA LIST-EXTENDED LIST-STATUS
LIST-MYRIGHTS WITHIN QRESYNC SCAN XLIST XMOVE MOVE SPECIAL-USE
CREATE-SPECIAL-USE URLAUTH URLAUTH=BINARY LOGINDISABLED AUTH=PLAIN
AUTH=LOGIN COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE
X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] User logged in
SESSIONID=<kolab.servername.com-804-1438876127-1-13038804112258725496>

The certificate is from cacert.org but the key chain is missing. How do
I fix this?

Kind regards

Thomas
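
Added example, not part of the original post: a short Python sketch that reads the verification and chain lines of the s_client output above and reports the two conditions a certificate-verifying TLS client would check. The names `parse_s_client` and `diagnose` are hypothetical, the sample text is constructed from the output quoted in the post, and the host name comparison uses the leaf CN only (an assumption, since the output shown does not include subjectAltName).

```python
import re

# Constructed sample: the verification and chain lines from the s_client
# output quoted in the post (certificate body and session data left out).
SAMPLE = """\
depth=0 CN = kolab.servername.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = kolab.servername.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=kolab.servername.com
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
---
"""

def parse_s_client(text):
    """Return (verify error numbers, [(depth, subject, issuer), ...])."""
    errors = [int(n) for n in re.findall(r"verify error:num=(\d+):", text)]
    chain = re.findall(r"^[ \t]*(\d+) s:(.*)\n[ \t]+i:(.*)$", text, re.M)
    return errors, [(int(d), s.strip(), i.strip()) for d, s, i in chain]

def diagnose(text, connect_host):
    """Hypothetical helper: flag what a verifying TLS client would reject."""
    errors, chain = parse_s_client(text)
    findings = []
    if not chain:
        return ["no-chain-parsed"]
    subjects = {s for _, s, _ in chain}
    _, top_subject, top_issuer = chain[-1]
    # The last certificate sent is neither self-signed nor issued by another
    # certificate in the chain, and OpenSSL reported 20/21: the server did
    # not send the issuing CA certificate and it is not in the local store.
    if top_issuer not in subjects and {20, 21} & set(errors):
        findings.append("incomplete-chain")
    # Assumption: compare the leaf CN only; real clients check subjectAltName
    # first, which this part of the s_client output does not show.
    cn = re.search(r"CN=([^/]+)", chain[0][1])
    if cn and cn.group(1).lower() != connect_host.lower():
        findings.append("name-mismatch")
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE, "localhost"))
```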

