
 Error installing SSL certificate (22 Replies, Read 41605 times)
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
I've managed to get the free certificate from StartSSL, so there are three codes:
1. Encrypted private key
2. Decrypted private key that I got from the StartSSL Toolbox
3. The certificate

I've tried to install on the Webuzo / Install certificate by filling the proper codes:
"Paste your key here" - I've pasted here the decrypted private key;
"Paste your Certificate here" - I've pasted the certificate;
"Paste the CA bundle here (Optional)" - I don't have CA bundle, so I left this empty;

After clicking on Install, I've got this error: "Key and Certificate mismatch.".

I've checked a couple of times and the same error keeps displaying.

Has anyone else had this problem? I'm using the latest Webuzo 2.3.6 version.
IP: --   
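A "Key and Certificate mismatch" like the one reported above can be narrowed down on the command line by comparing the public key inside the certificate with the one derived from the private key. This is an added example, not part of the original post or of Webuzo; the function names and sample files are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a private key belongs to
# a certificate by comparing the public key each file carries.

# Public key (PEM) embedded in a certificate; fails if the file is not a
# parseable PEM certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key. "-passin pass:" offers an empty
# passphrase, so a still-encrypted key fails at once instead of prompting.
key_pubkey() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# usage: key_matches_cert CERT KEY
# prints: match | mismatch | unreadable-cert | unreadable-key
key_matches_cert() {
    kmc_cert=$(cert_pubkey "$1") || { echo unreadable-cert; return 2; }
    kmc_key=$(key_pubkey "$2")   || { echo unreadable-key; return 3; }
    if [ "$kmc_cert" = "$kmc_key" ]; then
        echo match
    else
        echo mismatch; return 1
    fi
}

# Constructed sample material: a self-signed certificate with its key, an
# unrelated key, a passphrase-protected copy of the right key, and a copy of
# the right key with a stray character pasted into the base64 body.
make_samples() {   # usage: make_samples DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/right.key" -out "$1/cert.pem" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl pkey -in "$1/right.key" -aes-256-cbc -passout pass:constructed \
        -out "$1/encrypted.key" 2>/dev/null
    sed '2s/^/!/' "$1/right.key" > "$1/pasted.key"
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for k in right other encrypted pasted; do
    printf '%-14s %s\n' "$k.key" \
        "$(key_matches_cert "$SAMPLES/cert.pem" "$SAMPLES/$k.key")"
done
```

A result of unreadable-key points at the pasted text itself (a key that is still encrypted, or extra or missing characters), while mismatch means the key parses but belongs to a different certificate request.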

Error installing SSL certificate
valley
Group: Webuzo Team
Post Group: Super Member
Posts: 1644
Status:
Could you confirm that you are not adding any additional characters while pasting?

Alternately, you can upload your private key and certificate file and then install the same from the next menu.

-----------------------
Webuzo : Single User Control Panel

IP: --   

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
Hi, Valley.

I've tried that too.
First I went to the "Private key" section in Webuzo and I've uploaded the decoded private key. It did pass well. After that I went to the "Certificate" section and I've uploaded the certificate key.
I can see on top the name of the host and the key inside with all the details, so it's uploaded successfully.
What should I do next? If I go to the "Install certificate" section again and paste the two codes in the proper fields, it shows the same error: "Key and Certificate mismatch.".

I'm doing all this, 'cos I want email server with SSL. Right now when I try to setup email on Thunderbird, after filling the login details, it shows:
Incoming: IMAP, mydomain.com, No encryption
Outgoing: SMTP, mydomain.com, No encryption

where "mydomain.com" is the real domain.
After clicking on Done, it shows that nasty red screen with alert that the server does not use encryption.

Am I missing something?
IP: --   

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
I may have gone in the wrong direction, so I'll try to recap this:

I have a VPS with Webuzo.
I've installed Exim + Dovecot and after that I've created a couple of emails. In my previous post I mentioned the red warning message from Thunderbird, so Valley, please explain this to me:
How can I set SSL on the email server to avoid that risk warning message? I want my email server to use encryption and I want this only for my emails, not the websites. Thanks.
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi,
if you want, you can use a TLS certificate for free, and to skip the warning you can add an exception.

For more details please read here:
http://www.softaculous.com/board/index.php?tid=8325&title=Email_server_with_encryption

If you want to use SSL for email, that can be more complicated.
You need to buy an SSL certificate.

After that you need to fully install it with the Webuzo procedure for your domain (this will not force your website to use SSL)

http://webuzo.com/wiki/Install_SSL_Certificate

After that you need to enter in SSH:

root > cd /etc/exim/
root > vi ./exim.conf

Here you have to edit the two TLS rows and put in the path of your certificate's .pem file

then :wq to save

After that you need to edit the dovecot conf

You need to open port 995:
Root > cd /etc/dovecot/conf.d
Root > vi ./10-ssl.conf
and change SSL/TLS from no to yes. To change that, press I for Insert on the keyboard and edit no to yes, then press Esc on the keyboard, now type :wq and press Enter
Root > service dovecot restart
I hope I have not missed any step; installing SSL on email is a somewhat complicated operation. You need to know SSH and how the server works better, or you risk doing something wrong.
Using TLS can be the alternative. Just configure Thunderbird to use TLS


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
http://wiki.dovecot.org/SSL/DovecotConfiguration

-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
I've checked that link too previously, but I didn't understand anything. Very bad for documentation...
How can I install SSL in the Dovecot configuration?

Does anyone here have some setup?
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
http://www.softaculous.com/board/index.php?tid=6011&title=Webuzo_Server,_how_to_open_port_995_who_is_not_open

you have to look into 10-ssl.conf

activate ssl and check if there is patch to certificate. If you find here you should change with the patch of your SSL

I suggest copying the row, commenting it out, and pasting it underneath, then editing the copy


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
Hi, peopleinside.
I've edited the 10-ssl.conf and set the ssl = yes.

"check if there is patch to certificate. If you find here you should change with the patch of your SSL" I don't understand this sentence.

After setting SSL to yes, what else I'm supposed to change? Right now the email settings shows the same (no encryption).

Also, to answer about the other topic, Thunderbird usually auto-detects the settings on the server. Even if I try to set SSL or STARTTLS manually, Thunderbird fails to find the server settings.

How come nobody from the support team has answered yet about this important issue?

Here are my two questions:
1. Do I need to set/install an SSL certificate in the Webuzo panel to encrypt the email server?
2. How do I set up encryption for the email server?
IP: --   

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
EDIT for the previous post:
After setting ssl=yes, I've noticed Thunderbird shows on Incoming:imap.mydomain.com.STARTTLS - that's great, but
Outgoing:SMTP.mydomain.com,No encryption - so it still shows the red screen with the warning.

I don't have a problem with that, but it's for our clients and it's disturbing for them like that.
We have another server that is standard shared host with cPanel and the email settings is fine, no warnings at all. It uses SSL and STARTTLS and that's set up by the hosting company.
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi emco83,

BEFORE FOLLOWING THIS SUGGESTION PLEASE MAKE SURE TO BACK UP ALL EDITED FILES AND NOTE WHAT YOU HAVE EDITED.

I AM NOT Webuzo staff, so my instructions can be wrong, incomplete or imperfect.

What I am telling you here is what I have done to fix this issue. Try to follow it if you want, but it is at your own risk, so please back up any edited file and make sure to remember what you have edited, or wait for support from the Webuzo Team.


I will try to respond to your questions.
I am a normal user and I am not on the Webuzo Support team, so this afternoon I can't give you a perfect guide and help. Sorry for that.

Your question number 1:
You don't need SSL to avoid the warning in Thunderbird and to have email encrypted. You can use STARTTLS; this will show a warning in Thunderbird, but an exception can be added and the client will not show the warning any more.

In my experience, over time my STARTTLS stopped working, so I had issues with email. In this case I learned you need to create a self-signed certificate manually via SSH; this is a rather long procedure to explain and I hope it is not your case. This is good when in exim and dovecot you can see the TLS path and it is not working on your email client.

Now I am using my SSL certificate, the same one I am using for my website. You are not forced to buy an SSL certificate, but with one maybe Thunderbird will not show the warning. I am using a Positive SSL from Comodo bought from ssls.com

To reply to your question I should go into my server files and look, because I am not an expert; I have learned all of those things over time, so it's a little hard for me to help you, but I will try as now I have little time.

Let me check in my server.

So for your question number 2, I understand you have now solved it for incoming email

Let me try to explain how to solve it for the outgoing server.
In the file 10-ssl.conf located in /etc/dovecot/conf.d the setting row ssl = yes must be yes.

Below you will find something like:

ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key

Here I think, to make dovecot work, I generated a self-signed certificate and after that checked the .pem file was in the dovecot/certs and private folders.

After checking that ssl is set to yes in 10-ssl.conf, please run service dovecot restart
Now check whether, by completely removing the email account from Thunderbird and setting up a new email profile from the start, you are able to select STARTTLS for outgoing as well. Maybe Thunderbird will not select this by default, so please force it manually and test again.

If it does not work, you need to create a self-signed certificate to use TLS on Dovecot.
This is more complicated, also because you will need to edit these two rows

ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key

and put two .pem files because you will not be able to put a .key file.
In my dovecot file I have two .pem files.
Let me try to explain how I set up dovecot to work with TLS

Generate the Dovecot or EXIM (with a different path) certificate:
root > cd /

root > openssl req -new -x509 -days 1000 -nodes -out "/etc/pki/dovecot/certs/cadovecot.pem" -keyout "/etc/pki/dovecot/private/cadovecot.pem"
With this command you can verify the certificate (if it has errors or not):
Root > cat /etc/dovecot/conf.d/10-ssl.conf | grep ssl
Now you need to find the new cadovecot.pem and check it is in the right folder. What is the right folder?
You need to open 10-ssl.conf and look at the rows:
ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key
So you need to have the cadovecot.pem generated in the certs and private folders. Then I suggest copying these two rows "ssl_cert" and "ssl_key", pasting them underneath, and commenting the first; you will have:
ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key
ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key
Now I suggest commenting the first two rows, so you will have in 10-ssl.conf
#ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
#ssl_key = </etc/ssl/private/foo.com_wildcard.key
ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem
ssl_key = </etc/ssl/private/foo.com_wildcard.key
Now you have to edit the non-commented rows with the new name of the self-generated certificate, so foo.com_wildcard.pem will be cadovecot.pem and foo.com_wildcard.key will be cadovecot.pem
You need to save with :wq
You need to restart dovecot
Root > service dovecot restart
Root > service exim restart
Now try to configure the email account in Thunderbird from the start.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Sorry, my post is a little horrible, with English errors and not only that.

Always back up your server files before editing them and make a note of what you edit. You are doing this at your own risk.


It seems you need to generate a self-signed certificate if, after enabling ssl in 10-ssl.conf and restarting dovecot and exim, you still do not see a working STARTTLS email connection for outgoing email.

Generate a self-signed certificate for Dovecot:
After logging in via SSH

Root > cd /
Root > openssl req -new -x509 -days 1000 -nodes -out "/etc/pki/dovecot/certs/cadovecot.pem" -keyout "/etc/pki/dovecot/private/cadovecot.pem"

With the command:
Root > cat /etc/dovecot/conf.d/10-ssl.conf | grep ssl

you will check there are no errors.

Now you need to open the file 10-ssl.conf and set the correct path for ssl_cert and ssl_key by editing the names of the .pem file and .key file

The .key file should be replaced with the .pem file too.

I suggest copying the two original rows underneath, commenting out the first ones with # before each row, and editing the copies with the custom name of your newly generated self-signed certificate

After that please save by using :wq

Now please restart exim and dovecot

Root > service dovecot restart
Root > service exim restart

Now STARTTLS should work also for outgoing email.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   
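The 10-ssl.conf edit described in the posts above (enable ssl, comment out the original ssl_cert and ssl_key rows, point the copies at the new .pem files) can be checked before Dovecot is restarted. This is an added example, not part of the original thread or of Webuzo or Dovecot; the function names, temporary paths and sample file are constructed, and the permission check on the key file is an added assumption about what is wanted, not something the posts ask for.

```shell
#!/bin/sh
# Added example (not from the thread): list what a Dovecot 10-ssl.conf really
# activates and flag common slips. All paths and contents are constructed.

# Value of the last uncommented "NAME = VALUE" line. Commented rows are
# skipped and a later assignment overrides an earlier one.
active_setting() {   # usage: active_setting FILE NAME
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key != name) next
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# usage: audit_dovecot_ssl FILE ; one finding per line, nothing if clean
audit_dovecot_ssl() {
    if [ "$(active_setting "$1" ssl)" = "no" ]; then
        echo "ssl = no: TLS is disabled"
    fi
    for ads_name in ssl_cert ssl_key; do
        ads_raw=$(active_setting "$1" "$ads_name")
        case $ads_raw in
            "")   echo "$ads_name: not set"; continue ;;
            "<"*) ads_path=${ads_raw#"<"} ;;   # "<" = read the PEM from this file
            *)    echo "$ads_name: no '<' before the path"; continue ;;
        esac
        if [ ! -r "$ads_path" ]; then
            echo "$ads_name: cannot read $ads_path"
        elif [ "$ads_name" = ssl_key ] &&
             [ "$(ls -ld "$ads_path" | cut -c5-10)" != "------" ]; then
            echo "ssl_key: $ads_path is accessible to group or others"
        fi
    done
}

# Constructed sample laid out like the edited file quoted in the thread:
# original rows commented out, copies pointing at the new .pem files.
make_sample() {   # usage: make_sample DIR
    mkdir -p "$1/certs" "$1/private"
    : > "$1/certs/cadovecot.pem"
    : > "$1/private/cadovecot.pem"
    chmod 644 "$1/certs/cadovecot.pem" "$1/private/cadovecot.pem"
    cat > "$1/10-ssl.conf" <<EOF
ssl = yes
#ssl_cert = <$1/certs/dovecot.pem
#ssl_key = <$1/private/dovecot.pem
ssl_cert = <$1/certs/cadovecot.pem
ssl_key = <$1/private/cadovecot.pem
EOF
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
audit_dovecot_ssl "$SAMPLE/10-ssl.conf"     # flags the 0644 key file
chmod 600 "$SAMPLE/private/cadovecot.pem"
audit_dovecot_ssl "$SAMPLE/10-ssl.conf"     # prints nothing
```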

Error installing SSL certificate
emco83
Group: Member
Post Group: Newbie
Posts: 16
Status:
I've followed your instruction very carefully, but there are some gaps.

OK, first of all I've made a backup of the 10-ssl.conf file.

On the terminal I've used this command: openssl req -new -x509 -days 1000 -nodes -out "/etc/pki/dovecot/certs/cadovecot.pem" -keyout "/etc/pki/dovecot/private/cadovecot.pem"

and filled all the fields (area code, state, company name, email...) and I've checked the locations, so the files are created.

With this command: cat /etc/dovecot/conf.d/10-ssl.conf | grep ssl
I've checked and there are no errors.

After that I've edited the 10-ssl.conf file and made these lines like this:

#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/pki/dovecot/certs/cadovecot.pem
ssl_key = </etc/pki/dovecot/private/cadovecot.pem

So, the commented lines are actually the original paths and I've set the newly created files with /cadovecot.pem.

On your previous post you wrote this:
ssl_cert = </etc/ssl/certs/foo.com_wildcard.pem

ssl_key = </etc/ssl/private/foo.com_wildcard.key


but /etc/ssl/private...are not the proper paths.

Anyway, after saving the changes I've restarted Exim and Dovecot with these commands:

service dovecot restart

service exim restart


I'm logged as a root user, so I don't need to write Root as a command.

OK, after that I've tried with my email info@mydomain.com on Thunderbird where mydomain.com is the primary domain. Unfortunately the outgoing is still missing STARTTLS and instead shows No Encryption. I've tried manually to set it to STARTTLS, but Thunderbird shows: "Thunderbird failed to find the settings for your email account". Damn.

I've noticed something different with shared hosting account and the VPS.

On the VPS I have emails there from different websites. For an example:
info@mydomain.com, office@mydomain.com,
info@mydomain2.com, help@mydomain2.com


let's say I'm trying to set this email info@domain.com
Every time when I set in Thunderbird I see it like this:


incoming:IMAP,mydomain.com,STARTTLS
outgoing:SMTP,mydomain.com,No Encryption


If I try to set info@domain2.com, the result is like this:

incoming:IMAP,mydomain2.com,STARTTLS
outgoing:SMTP,mydomain2.com,No Encryption

But on the shared hosting when I try to set info@domain.com, the result is like this:

Incoming:IMAP, server.hostingcompanyname.com, SSL
Outgoing: SMTP, server.hostingcompanyname.com, SSL

And if I try other email from other domain, let's say info@domain2.com, the result is like this:

Incoming:IMAP, server.hostingcompanyname.com, SSL
Outgoing: SMTP, server.hostingcompanyname.com, SSL

So, you can see every time the results of the host names are the same.

How can I do this?

By the way, I have a StartSSL certificate, but I don't know how to use it. As I previously wrote, Webuzo shows pass mismatch when I try to install, even though I've double checked.

The Webuzo documentation doesn't help at all for Email + SSL.

IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Hi,
thank you for your update.

Quote
but /etc/ssl/private...are not the proper paths.

You are right and you did it correctly. My error.

Quote
Every time when I set in Thunderbird I see it like this:
incoming:IMAP,mydomain.com,STARTTLS
outgoing:SMTP,mydomain.com,No Encryption


Have you tried to completely remove the email account and also remove the SMTP?
When you remove an email account from Thunderbird, it seems the SMTP settings are kept and not removed.

To remove or edit it you should scroll down the whole Thunderbird settings list and go to SMTP.

What you did seems to be correct, so to me everything seems correct for it to work.


Quote
But on the shared hosting when I try to set info@domain.com, the result is like this:
Incoming:IMAP, server.hostingcompanyname.com, SSL
Outgoing: SMTP, server.hostingcompanyname.com, SSL
And if I try other email from other domain, let's say info@domain2.com, the result is like this:
Incoming:IMAP, server.hostingcompanyname.com, SSL
Outgoing: SMTP, server.hostingcompanyname.com, SSL

So, you can see every time the results of the host names are the same.
How can I do this?
By the way, I have a StartSSL certificate, but I don't know how to use it. As I previously wrote, Webuzo shows pass mismatch when I try to install, even though I've double checked.
The Webuzo documentation doesn't help at all for Email + SSL.


On the shared hosting it is all easier because email is already configured and maybe the shared host bought and set up an SSL certificate.

As far as I know StartSSL has some issues with Webuzo, especially for email.
I found that after installing StartSSL my Apache stopped working and all my websites went down.

Also, when I install a StartSSL certificate I can find a related .pem file on the server which is corrupted and needs to be fixed manually in the code.

So this kind of certificate can be good for SSL on the website, but there are still issues with Webuzo: my server was not working any more some while after I installed this certificate.

To have SSL in email as well you should buy a Positive SSL certificate, so this will work better.

"pass mismatch": it seems you set a password for the certificate earlier, and when the system asked you for the password again you did not enter the correct one.

I am very sorry, but it seems that if you do not solve it by checking carefully in Thunderbird that you have fully removed the email account and also the SMTP, and by trying again to add it and then selecting STARTTLS manually (if you have not bought SSL)... you need to open a web ticket with Webuzo or wait for a reply from staff here. I can't help you any more because I would need to try directly on the server and I can't ask you for access to your server. It is better that the panel's support helps you with that; they are more expert, but I fixed the issue you describe by myself.

If you buy SSL you should find the generated .pem file and move a copy to the dovecot directories, then edit 10-ssl.conf with the right path of your certificate's .pem file.

In this case you should use domain.com as the mail DNS record if your certificate doesn't also support all subdomains, like mail.mydomain.com

So in DNS use mydomain.com as the mail DNS record and that is it.

All you have done seems correct to me.
Dovecot will work with encryption of your email once the file 10-ssl.conf is well configured with ssl = yes and the right certificate file and path.

This seems all you need. Maybe after that a restart of Dovecot and exim without error.

What you can try, if you are still facing the issue, is to edit the exim.conf file by again copying the two original certificate path rows and commenting them out, then pasting and editing them below with the new .pem file you generated.

Also after that restart exim and dovecot and try again in Thunderbird.

You should also test whether the outgoing encrypted connection port is open.
So you should check that you have set up the right DNS setting for your email server.

If your email server is mail.mydomain.com you should check if port 465 is open. In the past I found a website online to do that check, but I can't find it now.
I will look more carefully...
Maybe you can try here:
http://www.infobyip.com/tcpportchecker.php

Hope it helps.




-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

Error installing SSL certificate
peopleinside
Group: Member
Post Group: Super Member
Posts: 1394
Status:

Open source, web and security passionate
Also, if you do not solve it, try to restart the server or restart the Linux iptables, deactivating and reactivating it.

Port 465 must be open for you to be able to use encrypted outgoing email. You enable this port in 10-ssl.conf by setting ssl to yes.
You have already done this.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   
