1

Topic: [SOLVED] Certificate SSL

==== Provide basic information to help troubleshoot ====
- iRedMail version: 0.7.3
- Linux/BSD distribution name and version: FreeBSD 8.2
- Any related log? Log is helpful for troubleshooting.
====

Good afternoon! My name is Fernando and I'm from Brazil; please forgive any mistakes I might make.
I installed iRedMail 0.7.3 on FreeBSD 8.2 and, right after installation and some testing, changed the hostname of the server:
Before: servidor.dominio.com.br
After: mail.dominio.com.br

The problem is that when I enter the site https://www.dominio.com.br, it says the certificate is not valid. And when I open the link for more information on the certificate, it says the certificate is for: servidor.dominio.com.br.

How can I solve this problem by creating a new certificate? Well, I intend to use the hostname mail.dominio.com.br!

Thank you for your attention.
Stay with God!

2

Re: [SOLVED] Certificate SSL

Mguft wrote:

How can I solve this problem by creating a new certificate? Well, I intend to use the hostname mail.dominio.com.br!

You have to create a new certification key.

iRedMail-0.7.3 ships a shell script used to create new SSL keys: iRedMail-0.7.3/tools/generate_ssl_keys.sh.
Please open it and you will know how to create new keys.

It will create two new files under the current directory:
- certs/iRedMail_CA.pem: Used to replace /etc/ssl/certs/iRedMail_CA.pem
- private/iRedMail.key: Used to replace /etc/ssl/private/iRedMail.key

You can simply grant read access to all users:

# chmod +r /etc/ssl/certs/iRedMail_CA.pem
# chmod +r /etc/ssl/private/iRedMail.key

If you need more restrictive file permissions, please use the commands "setfacl" and "getfacl".

After replacing the files and setting the correct file permissions, please restart all services which provide SSL secure connections, e.g. http, dovecot, postfix, etc. A system reboot should be easier if possible.

3

Re: [SOLVED] Certificate SSL

UPDATE:

I updated the comment in tools/generate_ssl_keys.sh a moment ago; it should be clear enough now:
https://bitbucket.org/zhb/iredmail/chan … 59c9f07001

# USAGE:
# 1) Edit the variables which start with TLS_ below, then save the file.
# 2) Execute shell command:
#
#       # bash generate_ssl_keys.sh
#
#    It will create two new files under CURRENT directory:
#
#       - certs/iRedMail_CA.pem: Used to replace file on iRedMail server:
#           + on RHEL/CentOS/Scientific Linux: /etc/pki/tls/certs/iRedMail_CA.pem
#           + on Debian/Ubuntu/openSUSE: /etc/ssl/certs/iRedMail_CA.pem
#           + on FreeBSD: /etc/ssl/certs/iRedMail_CA.pem
#       - private/iRedMail.key: Used to replace file on iRedMail server:
#           + on RHEL/CentOS/Scientific Linux: /etc/pki/tls/private/iRedMail.key
#           + on Debian/Ubuntu/openSUSE: /etc/ssl/private/iRedMail.key
#           + on FreeBSD: /etc/ssl/private/iRedMail.key
#
# 3) Grant read access to all users. e.g. on RHEL/CentOS/Scientific Linux:
#
#   # chmod +r /etc/ssl/certs/iRedMail_CA.pem
#   # chmod +r /etc/ssl/private/iRedMail.key
#
#   If you need more restrictive file permissions, please use file system ACLs instead.
#   Refer to the commands 'setfacl' and 'getfacl' for more detail.
#
# 4) Restart all services which provide SSL secure connections, e.g. http,
#    dovecot, postfix, etc. A system reboot should be easier if possible.
#

export HOSTNAME="$(hostname -f)"

# SSL key related settings.
# Country.
export TLS_COUNTRY='CN'

# State.
export TLS_STATE='GuangDong'

# City.
export TLS_CITY='ShenZhen'

# Company name here, e.g. Apple Inc.
export TLS_COMPANY="${HOSTNAME}"

# Department name.
export TLS_DEPARTMENT='IT'

# Hostname of your mail server.
export TLS_HOSTNAME="${HOSTNAME}"

# Server administrator's email address.
export TLS_ADMIN="root@${HOSTNAME}"
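
The checks behind the replace-and-restart steps above, as an added example that is not part of the original posts or of iRedMail's script: it confirms that a new certificate is valid for the intended hostname, that the key belongs to it, and whether the key is readable by all users. It assumes the `openssl` command-line tool is installed; the function names are hypothetical and the certificate is throwaway test data.

```sh
#!/bin/sh
# Added example: checks to run on a new certificate/key pair before installing it.
# Hostnames are the ones used in this thread; the files are throwaway test data.

# True if the certificate is valid for the given DNS name.
cert_matches_host() {   # cert_matches_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# True if the private key and the certificate carry the same public key.
key_matches_cert() {    # key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the key file is readable by all users ("other" read bit set).
key_world_readable() {  # key_world_readable KEY
    [ -n "$(find -L "$1" -prune -perm -004 -print)" ]
}

# Self-signed pair for HOSTNAME in DIR (constructed sample input for the demo).
make_sample_pair() {    # make_sample_pair DIR HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/iRedMail.key" -out "$1/iRedMail_CA.pem" 2>/dev/null
}

# Prints one line per finding; returns the number of hard failures.
audit_pair() {          # audit_pair CERT KEY HOSTNAME
    failures=0
    cert_matches_host "$1" "$3" ||
        { echo "FAIL: $1 is not valid for $3"; failures=$((failures + 1)); }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not belong to $1"; failures=$((failures + 1)); }
    if key_world_readable "$2"; then echo "WARN: $2 is readable by all users"; fi
    return "$failures"
}

# Demo: certificate issued for the old hostname, checked against the new one.
demo=$(mktemp -d)
make_sample_pair "$demo" servidor.dominio.com.br
chmod 644 "$demo/iRedMail.key"
audit_pair "$demo/iRedMail_CA.pem" "$demo/iRedMail.key" mail.dominio.com.br ||
    echo "$? check(s) failed"
rm -rf "$demo"
```

Run `audit_pair` against the two files the script produced before copying them over /etc/ssl/certs/iRedMail_CA.pem and /etc/ssl/private/iRedMail.key.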

4 (edited by Mguft 2011-09-15 19:30:51)

Re: [SOLVED] Certificate SSL

Thank you. Now my certificate is directed to: mail.dominio.com.br.

Note: Even with the correct name, the message "The site's security certificate is not trusted." still appears. Is this normal? Will this message stop appearing only if I use a certificate from a certification authority? And even if this message appears, is the connection being encrypted?

Can the city, state, and other information be changed?

Again, thank you.
Stay with God!

5

Re: [SOLVED] Certificate SSL

Mguft wrote:

Note: Even with the correct name, the message "The site's security certificate is not trusted." still appears. Is this normal? Will this message stop appearing only if I use a certificate from a certification authority? And even if this message appears, is the connection being encrypted?

It's normal, because you're using self-signed keys. To avoid this warning message, you have to buy SSL keys from other companies, e.g. VeriSign (www.verisign.com). Searching for 'buy ssl cert' in Google will give you more help.

And even if it shows this warning message, the connection is encrypted after you accept the warning in the web browser.

Mguft wrote:

Can the city, state, and other information be changed?

Of course you can change it.

6

Re: [SOLVED] Certificate SSL

It all works!
Thank you!