Expired certificates issue
hede
kolab983 at der-he.de
Tue Jan 7 09:38:18 CET 2020
On 04.01.2020 23:31, Hernan Saltiel wrote:
> [...]
> I'm using Kolab 16, and some time ago some certificate expired, so
> when our Outlook users open their mail client, a message stating that
> the certificate has expired appears.
> I was re-reading the installation process, and I'm really confused
> about which certificate do I need to recreate, and how.
> Please, if somebody had an issue like this one, let me know how to
> deal with it. [...]
If it's Outlook it's either imap, smtp or http (activesync) or any
combination of those.
At first you have to consider either to use a self-signed certificate or
a regular CA certificate. The first one will always trigger warnings and
as such the latter one is quite common. Here you can either buy a
certificate (from your next SSL certificate dealer) or simply use Let's
Encrypt, which is free of charge. There are plenty of guides on how to
create self-signed or Let's Encrypt certificates; use your favorite
search engine to find those:
- https://duckduckgo.com/?q=openssl+create+certificate&t=h_&ia=web
- https://duckduckgo.com/?q=let%27s+encrypt+getting+started&t=h_&ia=web
Then, if the certificate is installed and ready to use at your server,
change the corresponding config files to point to your new SSL
certificates and keys. Let's say you have the following files:
1. Key: /etc/certbot/privkey.pem
2. Cert: /etc/certbot/cert.pem
3. Cert+Intermediates: /etc/certbot/fullchain.pem
4. Cert+Intermediates+Key: /etc/certbot/fullchainandkey.pem
(The last one is uncommon with certbot defaults and not needed by
default, but it's simply created by "cat"ing 1. and 3.; the default path
for certbot includes the domain which is unknown to me and as such I have
not included it in the examples here. You have to change your paths
accordingly.)
Then you have to edit the following files and values:
/etc/postfix/main.cf
####
smtpd_tls_cert_file=/etc/certbot/fullchain.pem
smtpd_tls_key_file=/etc/certbot/privkey.pem
submission_tls_cert_file = /etc/certbot/fullchain.pem
submission_tls_key_file = /etc/certbot/privkey.pem
smtp_tls_cert_file = /etc/certbot/fullchain.pem
smtp_tls_key_file = /etc/certbot/privkey.pem
####
/etc/imap.conf (needed esp. if guam is not used)
####
tls_server_cert: /etc/certbot/fullchain.pem
tls_server_key: /etc/certbot/privkey.pem
####
/etc/apache2/sites-enabled/default-ssl.conf (or any other apache ssl
config)
####
SSLCertificateFile /etc/certbot/fullchain.pem
SSLCertificateKeyFile /etc/certbot/privkey.pem
####
/etc/guam/sys.config
you must edit the file at two places: sections imaps (port 993,
implicit_tls) and imap (port 143, starttls)
####
[...]
tls_config, [
{ keyfile, "/etc/certbot/privkey.pem" },
{ certfile, "/etc/certbot/cert.pem" },
{ cacertfile, "/etc/certbot/fullchain.pem" },
[...]
]
[...]
####
If you have installed ejabberd:
/etc/ejabberd/ejabberd.yml
####
certfiles:
- "/etc/certbot/fullchainandkey.pem"
####
Have I forgotten something?
regards
hede
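
Added example, not part of the original post or of Kolab: a shell script that collects every `.pem` path referenced by the config files listed above and reports which certificates are expired, so a leftover reference to the old certificate is easy to spot. The function names, the script name and the 30-day warning threshold are assumptions; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the unique *.pem paths referenced in the given config files.
# Covers key=value (postfix), key: value (imap.conf), Apache directives,
# Erlang tuples (guam) and YAML list items (ejabberd).
pem_paths() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Skip lines commented out with # or % (Erlang), then extract paths.
        grep -v '^[[:space:]]*[#%]' "$f" |
            grep -o '/[^"[:space:],]*\.pem' || true
    done | LC_ALL=C sort -u
}

# Classify one file: missing, no-cert (e.g. privkey.pem), unreadable,
# expired, expiring (within warn_days, assumed default 30) or ok.
cert_status() {
    file=$1
    warn_days=${2:-30}
    [ -r "$file" ] || { echo missing; return 0; }
    grep -q 'BEGIN CERTIFICATE' "$file" || { echo no-cert; return 0; }
    # openssl x509 reads the first certificate in the file, which is the
    # server (leaf) certificate in fullchain.pem.
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$file" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# One status line per referenced file.
report() {
    pem_paths "$@" | while read -r p; do
        printf '%-10s %s\n' "$(cert_status "$p")" "$p"
    done
}

# Usage: sh certcheck.sh /etc/postfix/main.cf /etc/imap.conf \
#   /etc/apache2/sites-enabled/default-ssl.conf /etc/guam/sys.config
if [ "$#" -gt 0 ]; then
    report "$@"
fi
```

Run it as root so the key and certificate files are readable; the services still have to be restarted or reloaded before they present the new certificate.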