Expired certificates issue

Hernan Saltiel hsaltiel at gmail.com
Tue Jan 7 12:32:12 CET 2020


Hi Hede!

On Tue, Jan 7, 2020 at 5:38 AM hede <kolab983 at der-he.de> wrote:

> Am 04.01.2020 23:31, schrieb Hernan Saltiel:
> > [...]
> >     I'm using Kolab 16, and some time ago some certificate expired, so
> > when our Outlook users open their mail client, a message stating that
> > the certificate has expired appears.
> >     I was re-reading the installation process, and I'm really confused
> > about which certificate I need to recreate, and how.
> >     Please, if somebody had an issue like this one, let me know how to
> > deal with it. [...]
>
> If it's Outlook it's either imap, smtp or http (activesync) or any
> combination of those.
>
> First you have to consider whether to use a self signed certificate or
> a regular CA certificate. The first one will always trigger warnings and
> as such the latter one is quite common. Here you can either buy a
> certificate (from your next SSL certificate dealer) or simply use Let's
> Encrypt, which is free of charge. There are plenty of guides on how to
> create self signed or Let's Encrypt certificates, use your favorite
> search engine to find those:
>
> - https://duckduckgo.com/?q=openssl+create+certificate&t=h_&ia=web
> - https://duckduckgo.com/?q=let%27s+encrypt+getting+started&t=h_&ia=web
>
> Then, if the certificate is installed and ready to use at your server,
> change the corresponding config files to point to your new SSL
> certificates and keys. Let's say you have the following files:
>
> 1. Key:  /etc/certbot/privkey.pem
> 2. Cert: /etc/certbot/cert.pem
> 3. Cert+Intermediates: /etc/certbot/fullchain.pem
> 4. Cert+Intermediates+Key: /etc/certbot/fullchainandkey.pem
>

I do not have the certbot directory, what I have is a self signed
certificate, that expired. The Outlook window does not state that the
certificate is invalid because it's self signed, but because it has expired.

>
> (The last one is uncommon with certbot defaults and not needed by
> default, but it's simply created by "cat"ing 1. and 3.; the default path
> for certbot includes the domain which is unknown to me and as such I have
> not included it in the examples here. You have to change your paths
> accordingly.)
>
> Then you have to edit the following files and values:
>
> /etc/postfix/main.cf
> ####
> smtpd_tls_cert_file=/etc/certbot/fullchain.pem
> smtpd_tls_key_file=/etc/certbot/privkey.pem
> submission_tls_cert_file = /etc/certbot/fullchain.pem
> submission_tls_key_file = /etc/certbot/privkey.pem
> smtp_tls_cert_file = /etc/certbot/fullchain.pem
> smtp_tls_key_file = /etc/certbot/privkey.pem
> ####
>
> /etc/imap.conf (needed esp. if guam is not used)
> ####
> tls_server_cert: /etc/certbot/fullchain.pem
> tls_server_key: /etc/certbot/privkey.pem
> ####
>
> /etc/apache2/sites-enabled/default-ssl.conf (or any other apache ssl
> config)
> ####
> SSLCertificateFile    /etc/certbot/fullchain.pem
> SSLCertificateKeyFile /etc/certbot/privkey.pem
> ####
>

All this was previously configured, when I initially installed the server,
with the certs I created.

>
> /etc/guam/sys.config
> you must edit the file at two places: sections imaps (port 993,
> implicit_tls) and imap (port 143, starttls)
> ####
> [...]
> tls_config, [
>      { keyfile, "/etc/certbot/privkey.pem" },
>      { certfile, "/etc/certbot/cert.pem" },
>      { cacertfile, "/etc/certbot/fullchain.pem" },
>      [...]
>      ]
> [...]
> ####
>
> If you have installed ejabberd:
> /etc/ejabberd/ejabberd.yml
> ####
> certfiles:
>   - "/etc/certbot/fullchainandkey.pem"
> ####
>
> Have I forgotten something?
>

Thanks a lot for all this explanation. What I need is to understand the
procedure to renew the certificates, not only to initially install the
server certificates, because it's already installed, and was working
properly until some time ago, when the certificate expired, and it started
to give me that kind of message on the Outlook clients.

>
> regards
> hede
>

Thanks, and best regards,


-- 
HeCSa
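
The following is an added example, not written by either participant in this thread: it collects the PEM paths named in the config files hede lists and uses `openssl x509 -checkend` to report which of them hold a certificate that has expired or will expire soon. The function names and the 30-day default are this example's own choices; the config paths are the ones given in the thread.

```shell
#!/bin/sh
# Added example: list the PEM files named in the configs from this thread and
# report whether each one holds a certificate that is expired or about to expire.

# pem_paths FILE...: unique absolute .pem/.crt/.cer paths on non-comment lines.
pem_paths() {
    grep -hv '^[[:space:]]*[#%]' "$@" 2>/dev/null |
        grep -oE '/[^"[:space:],;}]+\.(pem|crt|cer)' | sort -u
}

# cert_status FILE [DAYS]: prints missing, nocert (e.g. a key-only file),
# expired, expiring (within DAYS, default 30) or ok.
cert_status() {
    [ -r "$1" ] || { echo missing; return 0; }
    openssl x509 -in "$1" -noout 2>/dev/null || { echo nocert; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout \
            -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# report CONFIG...: one "status<TAB>path<TAB>notAfter" line per PEM file.
report() {
    pem_paths "$@" | while IFS= read -r pem; do
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || end=
        printf '%s\t%s\t%s\n' "$(cert_status "$pem")" "$pem" "${end#notAfter=}"
    done
}

# Config files named in the thread; pass other paths as arguments to override.
[ "$#" -gt 0 ] || set -- /etc/postfix/main.cf /etc/imap.conf \
    /etc/apache2/sites-enabled/default-ssl.conf \
    /etc/guam/sys.config /etc/ejabberd/ejabberd.yml
report "$@"
```

Any path reported as `expired` is a file that needs a new certificate; the services that reference it have to be restarted or reloaded after it is replaced.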