where is Virtualmin's root certificate that it uses to issue other certificates?

#1 Sat, 07/04/2009 - 03:04
christefano

When Virtualmin issues certificates for mail domains under its control, where is the root certificate that Virtualmin uses to create those certificates?

I'm wondering because the Palm Pre's email program doesn't currently connect at all to mail servers that use self-signed certificates. I've read that the email problems go away after importing the root certificate (as opposed to the individual domain certificates) in the Pre's certificate manager, but I'm not sure what to look for. I tried the one in /etc/ssl/certs/dovecot.pem but that didn't work.

Thanks!

Sat, 07/04/2009 - 11:37
andreychek

Hmm, it sounds like you're referring to the certificates being used by Postfix/saslauthd/dovecot -- which may or may not be the same certificate :-)

You can find what certificate each of those is using with:

  1. For Postfix/saslauthd, type:

    grep 'smtpd_tls_.*_file' /etc/postfix/main.cf

  2. For Dovecot, type:

    grep 'ssl.*_file' /etc/dovecot/dovecot.conf

The above will show you the path to the certificates being used.

-Eric

Sun, 07/05/2009 - 02:58 (Reply to #2)
christefano

What I get is:

# grep 'smtpd_tls_.*_file' /etc/postfix/main.cf

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

# grep 'ssl.*_file' /etc/dovecot/dovecot.conf

#ssl_cert_file = /etc/ssl/certs/dovecot.pem
#ssl_key_file = /etc/ssl/private/dovecot.pem
#ssl_ca_file =

I imported the ssl-cert-snakeoil.pem and dovecot.pem certificates to the Pre and its email program still gives the same error, "Unable to validate account settings. Please check the settings and try again" (I know that this error is specific to the Pre and not Virtualmin but I'm including it here so that other people can find it).

Interestingly, when examining the certificate on the Pre it says that the common name is my hostname at Linode (e.g. lixx-xx.members.linode.com) and not my actual domain name. Is it possible that this is the cause of the problem? How do I update my certificates so that the common names are the same as my domain names?

(I know that the Pre can see the server because when I disable TLS in the email account settings on the Pre it displays the expected error from my mail server about plaintext authentication not being allowed.)

Sun, 07/05/2009 - 08:46 (Reply to #3)
andreychek

Well, it depends on what specifically your Pre is complaining about, it's not being overly specific here... however, one possibility is that the issue is related to the hostname on the SSL cert not matching the hostname you're connecting to.

So, if lixx-xx.members.linode.com is on the cert, make sure that's the name you're using to connect to the IMAP/SMTP server with.

Also, not that I'm recommending this, but it is possible to enable plaintext authentication if you wanted to (by setting "disable_plaintext_auth = no" in the dovecot.conf file).

-Eric
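The two checks Eric describes above (grep the Postfix and Dovecot configs for the cert paths in #2, then compare the cert's common name with the hostname you connect to in #4) can be done in one go. This is an added example, not code from the thread or from Virtualmin; it assumes the Debian-style config paths quoted in the thread and that openssl is installed.

```shell
#!/bin/sh
# Added example (not from the thread): find the certificate each daemon
# actually loads, then show what a mail client will see: the subject CN and
# whether the cert is self-signed (issuer equals subject).
# Default paths are the ones quoted in the thread; override with the
# POSTFIX_CF / DOVECOT_CF environment variables if yours differ.

POSTFIX_CF="${POSTFIX_CF:-/etc/postfix/main.cf}"
DOVECOT_CF="${DOVECOT_CF:-/etc/dovecot/dovecot.conf}"

# cert_path FILE KEY: value of KEY in a postfix/dovecot-style config.
# Commented-out lines (like the "#ssl_cert_file" lines in the thread) are
# skipped, because the daemon ignores them and uses its built-in default;
# the last active assignment wins, as it does in both daemons.
cert_path() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | tail -n 1
}

# cert_cn FILE: subject CN of a PEM certificate (RFC 2253 name format).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_is_self_signed FILE: exit 0 if the subject and issuer names hash equal.
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# report LABEL CERT HOST: one line describing what a client connecting to
# HOST will be shown for this daemon.
report() {
    [ -n "$2" ] || { echo "$1: no cert configured (daemon default applies)"; return; }
    [ -r "$2" ] || { echo "$1: $2 not readable"; return; }
    cn=$(cert_cn "$2")
    if cert_is_self_signed "$2"; then kind="self-signed"; else kind="CA-issued"; fi
    if [ "$cn" = "$3" ]; then match="matches"; else match="does NOT match"; fi
    echo "$1: $2 CN=$cn ($kind), $match connect hostname $3"
}

# main [HOST]: HOST is the name the mail client connects to (default: FQDN).
main() {
    host="${1:-$(hostname -f)}"
    report postfix "$(cert_path "$POSTFIX_CF" smtpd_tls_cert_file)" "$host"
    report dovecot "$(cert_path "$DOVECOT_CF" ssl_cert_file)" "$host"
}

# Only run automatically when saved under this (assumed) file name.
if [ "$(basename "$0")" = "check-mail-certs.sh" ]; then main "$@"; fi
```

Run it as `sh check-mail-certs.sh mail.example.com` with the hostname your client uses; a "does NOT match" or "self-signed" result is the mismatch Eric suspects in #4.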

Sun, 07/05/2009 - 16:45 (Reply to #4)
christefano

Unfortunately, the hostname theory didn't pan out. I changed the email account's mail server address on the Pre to lixx-xx-members.linode.com and it still gave the same unhelpful error.

I also exported what I think is my root certificate from the "Authorities" tab in Thunderbird (Preferences -> Advanced -> Certificates -> "Authorities") and imported that to the Pre but got the same error.

I've read in several places that the free certificates from StartSSL and CAcert are recognized by the Pre while self-signed certificates aren't. I'll try going about replacing the original certificates in Virtualmin with those issued by one of those authorities. Is there documentation anywhere for doing this?

Tue, 07/07/2009 - 10:43
andreychek

> I'll try going about replacing the original certificates in Virtualmin with those issued by one of those authorities. Is there documentation anywhere for doing this?

Well, it's fairly straightforward. For the most part ;-)

You can use this guide for generating an SSL cert:

http://www.virtualmin.com/documentation/tutorial/how-to-add-an-ssl-certi...

If you're comfortable on the command line, all you need to do is update the paths you see in the postfix and dovecot config files to point to the cert/key you create in the above guide.

There's some info regarding how to do that within Virtualmin scattered throughout the forums, I'd love to get that info into the actual documentation here soon :-)

-Eric

Fri, 07/24/2009 - 09:39
webwzrd

The WebOS 1.1 update is just out and one of the improvements is:

Support for self-signed certificates with multiple common names has been added.