Thread: Install SSL certificate




Install SSL certificate
Denmark
2007-03-28 13:49:33
Hi,

I'm running Courier IMAP 4.0.2 over SSL with a self-signed certificate.
I have recently bought a GlobalSign certificate that I want to use
instead, but it doesn't work. I have created a file containing the key
and the certificate to replace the imapd.pem. I have also set
TLS_TRUSTCERTS to point to the GlobalSign CA cert. However I get this
error in /var/log/maillog:

imapd-ssl: Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:
imapd-ssl: couriertls: /usr/local/share/real-cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

Any suggestions?

B. regards,
Thomas

_______________________________________________
Courier-imap mailing list
Courier-imaplists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap

Re: Install SSL certificate
United States
2007-03-28 17:50:14
Thomas writes:

> Hi,
>
> I'm running Courier IMAP 4.0.2 over SSL with a self-signed certificate.
> I have recently bought a GlobalSign certificate that I want to use
> instead, but it doesn't work. I have created a file containing the key
> and the certificate to replace the imapd.pem. I have also set
> TLS_TRUSTCERTS to point to the GlobalSign CA cert. However I get this
> error in /var/log/maillog:
>
> imapd-ssl: Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:
> imapd-ssl: couriertls: /usr/local/share/real-cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>
> Any suggestions?

This is a passphrase-protected certificate key.  Courier cannot use
passphrase-protected certificate keys.

And it's not TLS_TRUSTCERTS that you have to set, but TLS_CERTFILE, which
you already have properly set.  It's just that your certificate key is
passphrase protected, which cannot be used with an automated start script.
It's obviously not feasible for you to employ someone to sit in front of
your console 24 hours a day, typing in your passphrase for each incoming SSL
connection.





Re: Install SSL certificate
Denmark
2007-03-29 01:21:37
Sam Varshavchik wrote:
> Thomas writes:
>
>> Hi,
>>
>> I'm running Courier IMAP 4.0.2 over SSL with a self-signed
>> certificate. I have recently bought a GlobalSign certificate that I
>> want to use instead, but it doesn't work. I have created a file
>> containing the key and the certificate to replace the imapd.pem. I
>> have also set TLS_TRUSTCERTS to point to the GlobalSign CA cert.
>> However I get this error in /var/log/maillog:
>>
>> imapd-ssl: Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:
>> imapd-ssl: couriertls: /usr/local/share/real-cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>>
>> Any suggestions?
>
> This is a passphrase-protected certificate key.  Courier cannot use
> passphrase-protected certificate keys.
>
> And it's not TLS_TRUSTCERTS that you have to set, but TLS_CERTFILE,
> which you already have properly set.  It's just that your certificate
> key is passphrase protected, which cannot be used with an automated start
> script.  It's obviously not feasible for you to employ someone to sit in
> front of your console 24 hours a day, typing in your passphrase for each
> incoming SSL connection.
>

Ok, thank you for the answer. That really sucks... I got it working with
Apache which just asked for the password at startup. Why isn't there a
similar solution in Courier? Does it mean that Courier can't be used
with "real" certificates?


Re: Install SSL certificate
United States
2007-03-29 06:06:10
Thomas writes:

> Sam Varshavchik wrote:
>> Thomas writes:
>>
>>> Hi,
>>>
>>> I'm running Courier IMAP 4.0.2 over SSL with a self-signed
>>> certificate. I have recently bought a GlobalSign certificate that I
>>> want to use instead, but it doesn't work. I have created a file
>>> containing the key and the certificate to replace the imapd.pem. I
>>> have also set TLS_TRUSTCERTS to point to the GlobalSign CA cert.
>>> However I get this error in /var/log/maillog:
>>>
>>> imapd-ssl: Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:Enter PEM pass phrase:
>>> imapd-ssl: couriertls: /usr/local/share/real-cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
>>>
>>> Any suggestions?
>>
>> This is a passphrase-protected certificate key.  Courier cannot use
>> passphrase-protected certificate keys.
>>
>> And it's not TLS_TRUSTCERTS that you have to set, but TLS_CERTFILE,
>> which you already have properly set.  It's just that your certificate
>> key is passphrase protected, which cannot be used with an automated start
>> script.  It's obviously not feasible for you to employ someone to sit in
>> front of your console 24 hours a day, typing in your passphrase for each
>> incoming SSL connection.
>>
>
> Ok, thank you for the answer. That really sucks... I got it working with
> Apache which just asked for the password at startup. Why isn't there a
> similar solution in Courier? Does it mean that Courier can't be used
> with "real" certificates?

Of course it can be used with real certificates, just not
passphrase-protected ones.

Unlike Apache, which starts and runs continuously, the esmtp service gets
started only after a new incoming connection is established.  SMTP is much
more complicated than HTTP.  It's a completely different world.

I believe that the openssl tool can be used to unprotect a
passphrase-protected certificate key.  I do not remember the actual command,
though.



Re: Install SSL certificate
2007-03-31 03:44:48
On Thu, Mar 29, 2007 at 02:13:11PM +0200, Tony Earnshaw wrote:
> >I believe that the openssl tool can be used to unprotect a
> >passphrase-protected certificate key.  I do not remember the actual
> >command, though.
>
> With an OpenSSL pkcs#7 cert in pem format (haven't ever done this with
> der format stuff) on a rig boasting OpenSSL (there are those that don't):
>
> [cp|mv] cert.pem cert.pem.orig
> 'openssl rsa -in cert.pem.orig -out cert.pem'
> Give password, make sure that cert.pem is now the actual cert used.

Certificates are not passphrase-protected: private keys are.

There's info on how to do this in the mod_ssl FAQ.
http://www.metronet.com/manual/mod/mod_ssl/ssl_faq.html#ToC31
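
Added example, not part of any message in this thread: shell functions that detect a passphrase-protected key, decrypt it with the `openssl rsa` command quoted above, and check that the certificate belongs to the key before writing the combined file Courier reads via TLS_CERTFILE. The function names and file names are hypothetical, and an RSA key is assumed, as in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Paths passed in are placeholders.

# True if the PEM file holds a passphrase-encrypted private key: either a
# traditional key with a "Proc-Type: 4,ENCRYPTED" header or a PKCS#8
# "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Decrypt key $1 into $2 (owner-readable only). openssl prompts for the
# passphrase unless extra arguments such as -passin are supplied.
strip_passphrase() {
    src=$1 dst=$2; shift 2
    ( umask 077; openssl rsa -in "$src" -out "$dst" "$@" ) && chmod 600 "$dst"
}

# True if certificate $1 and unencrypted key $2 carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Build the combined key + certificate file that TLS_CERTFILE points at.
# Refuses to write the file if the certificate does not belong to the key.
build_courier_pem() {
    key=$1 cert=$2 out=$3; shift 3
    plain=$(mktemp) || return 1
    if key_is_encrypted "$key"; then
        strip_passphrase "$key" "$plain" "$@" || { rm -f "$plain"; return 1; }
    else
        cat "$key" > "$plain"
    fi
    if cert_matches_key "$cert" "$plain"; then
        ( umask 077; cat "$plain" "$cert" > "$out" ) && chmod 600 "$out"
        rc=$?
    else
        echo "certificate and key do not match" >&2
        rc=1
    fi
    rm -f "$plain"
    return "$rc"
}

# Interactive use (hypothetical file names):
#   build_courier_pem globalsign.key globalsign.crt imapd.pem
```

Because the resulting file contains an unencrypted private key, it is created with mode 600 and should stay readable only by the account the TLS wrapper runs as.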


Re: Install SSL certificate
Netherlands
2007-03-31 10:46:41
Brian Candler wrote, on 31. mar 2007 10:44:

> Certificates are not passphrase-protected: private keys are.

Sigh, I know. This was a *cert* (read up on openssl on Linux), I've done
it a million times, if I've done it once ...

> There's info on how to do this in the mod_ssl FAQ.
> http://www.metronet.com/manual/mod/mod_ssl/ssl_faq.html#ToC31

I still love you ;)

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl

