1 (edited by kmihalj 2015-06-02 20:38:00)

Topic: Installation of free StartSSL certificate .... success

==== Required information ====
- iRedMail version: 0.9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: CentOS
- Related log if you're reporting an issue:
====

I finally got it, and successfully installed a free StartSSL certificate for all iRedMail services (Apache, Dovecot, Postfix).

I created and installed the Apache certificate following this tutorial: https://www.digitalocean.com/community/ … e-on-a-vps

Then in my home dir (/home/piko/Certifikati) there were 6 files:
ca-bundle.pem - StartSSL’s bundle
ca.pem - StartSSL's Root certificate
private.key - The unencrypted version of private key
ssl.crt - new certificate !!!
ssl.key - The encrypted version of your private key
sub.class1.server.ca.pem - The intermediate certificate for StartSSL

ssl.crt and sub.class1.server.ca.pem are copied to /etc/ssl/certs/ (/etc/pki/tls/certs/)
private.key is copied to /etc/pki/tls/private/

Apache
nano /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/ssl.crt
SSLCertificateKeyFile /etc/pki/tls/private/private.key
SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem

-- add bundle to trusted certificates --
cd /etc/pki/tls/certs/
cat /home/piko/Certifikati/ca-bundle.pem >> ca-bundle.crt

Dovecot
cd /etc/pki/dovecot/certs/
cp dovecot.pem dovecot.pem.orig
cat /home/piko/Certifikati/ssl.crt /home/piko/Certifikati/sub.class1.server.ca.pem > dovecot.pem
cd /etc/pki/dovecot/private/
cp dovecot.pem dovecot.pem.orig
cat /home/piko/Certifikati/private.key > dovecot.pem
nano /etc/dovecot/conf.d/10-ssl.conf

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

nano /etc/dovecot/dovecot.conf

ssl_ca = </etc/ssl/certs/ca-bundle.crt
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

Postfix
nano /etc/postfix/main.cf

smtpd_tls_key_file = /etc/pki/tls/private/private.key
smtpd_tls_cert_file = /etc/pki/tls/certs/ssl.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

And that is all, folks .... trusted certificate for all services

2

Thanks for sharing.

3 (edited by XnIcRaM 2015-11-16 09:47:50)

I did everything in this guide and now my Apache won't start. When I check the Apache config with httpd -S I get this message:

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443          poczta.pathofexile.pl (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

In this file I changed only the 3 lines described above. When I comment out these lines and uncomment the old ones, Apache starts, but I can't log in to Roundcube; I get "Error connecting with server", probably because I didn't revert all the other changes I made.

Can anyone help me with this problem? What am I doing wrong, and how do I start Apache with the new SSL key?

/EDIT/
I also found that the problem is probably with

SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem

because in ssl_error_log I found

[error] Failed to configure CA certificate chain!

4

Please make sure you're using the correct key/cert files.

5 (edited by XnIcRaM 2015-11-16 16:41:21)

I changed

SSLCertificateChainFile /etc/pki/tls/certs/sub.class1.server.ca.pem

to:

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

and now it almost works, meaning Apache seems to work correctly: I can open the /iredadmin page on my server and log in to my admin account, the connection is over HTTPS and it's trusted (I see a green padlock in the address bar), and I can open the main mail page, Roundcube. But when I try to log in to any mail account I get the message

Error connecting with server

Where are the Roundcube log files, so I can check what happened?

6

I finally found the exact error message when I attempt a Roundcube login. The message is:

Nov 16 14:32:47 poczta roundcube: <jj3ahlob> IMAP Error: Login failed for myemail@demo.com from 83.xx.xx.xx Empty startup greeting (127.0.0.1:143) in /var/www/roundcubemail-1.1.1/program/lib/Roundcube/rcube_imap.php on line 198 (POST /mail/?_task=login?_task=login&_action=login)

But I still don't know what to do.

7

Is dovecot service running? Do you have correct SSL cert/key in Dovecot config file (/etc/dovecot/dovecot.conf)?
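
The file checks that replies 4 and 7 ask for can be scripted before restarting anything. The following is an added example, not part of any post in this thread: it checks that a certificate file holds complete PEM blocks (two for the Dovecot bundle built in the first post) and that the key is the unencrypted, owner-only one. Function names are hypothetical, `stat -c` assumes GNU coreutils, and the sample files are constructed placeholders.

```shell
#!/bin/sh
# Added example: structural pre-flight for the PEM files named in the first post.

# Print the number of certificates in a PEM file; fail on unbalanced markers.
count_certs() {
    [ -r "$1" ] || return 2
    b=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -eq "$e" ] || return 1
    echo "$b"
}

# Services start unattended, so the key must be the unencrypted one
# (private.key, not ssl.key) and must not be accessible to group or other.
check_key() {
    [ -r "$1" ] || { echo missing; return 0; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || { echo not-a-key; return 0; }
    if grep -Eq '^(Proc-Type:.*ENCRYPTED|-----BEGIN ENCRYPTED)' "$1"; then echo encrypted; return 0; fi
    mode=$(stat -c '%a' "$1")    # octal mode, e.g. 600 (GNU stat assumed)
    case "$mode" in *00) echo ok ;; *) echo "loose-permissions:$mode" ;; esac
}

# preflight CERT KEY MIN: CERT must hold at least MIN certificates
# (2 for Dovecot's ssl.crt + intermediate bundle) and KEY must pass check_key.
preflight() {
    n=$(count_certs "$1") || { echo "FAIL cert: unreadable or truncated PEM"; return 1; }
    [ "$n" -ge "$3" ] || { echo "FAIL cert: $n certificate(s), need $3"; return 1; }
    k=$(check_key "$2")
    [ "$k" = ok ] || { echo "FAIL key: $k"; return 1; }
    echo OK
}

# Constructed sample files: PEM markers around a placeholder body, not real keys.
pem() { printf '%s\n' "-----BEGIN $1-----" 'Q09OU1RSVUNURUQ=' "-----END $1-----"; }
make_sample() {
    d=$(mktemp -d)
    pem CERTIFICATE > "$d/ssl.crt"
    { pem CERTIFICATE; pem CERTIFICATE; } > "$d/dovecot.pem"
    pem 'RSA PRIVATE KEY' > "$d/private.key"
    pem 'ENCRYPTED PRIVATE KEY' > "$d/ssl.key"
    chmod 600 "$d/private.key" "$d/ssl.key"
    echo "$d"
}

d=$(make_sample)
preflight "$d/dovecot.pem" "$d/private.key" 2      # leaf + intermediate, plain key
preflight "$d/ssl.crt" "$d/private.key" 2 || true  # intermediate not appended
preflight "$d/dovecot.pem" "$d/ssl.key" 2 || true  # passphrase-protected key
rm -rf "$d"
```

This checks structure and permissions only. Confirming that the key and certificate belong together still needs openssl, for example by comparing the output of `openssl x509 -noout -modulus -in ssl.crt` with that of `openssl rsa -noout -modulus -in private.key`.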