TLS and private certs

Andrew Diederich
2006-02-23 17:30:39 UTC
On 2/23/06, Rick Zeman <***@gmail.com> wrote:
> <snip>
> Makes sense since this is a self-signed cert. However, even turning the TLS
> log level to 0 still gives me the 5 lines for every connection to that box.
> So, is there any way to NOT get these, short of buying a commercial cert for
> the GroupWise gateway? Is there a way to import that cert (.b64) into the
> linux certificate store so postfix won't (justifiably) fill up my mail logs?
> <snip>

I think postfix uses the openssl root CA list. On my SuSE box that's
in /etc/ssl/certs/. You could add the root cert in PEM format (base
64) there, run c_rehash from openssl on that directory, and see if it
goes away.

I put the root CAs I cared about in /etc/postfix/CAdir, ran c_rehash, then set
smtpd_tls_CApath = /etc/postfix/CAdir

While I didn't use a self-signed cert, I used the free ones from
CAcert: http://www.cacert.org.

--
Andrew Diederich
Victor Duchovni
2006-02-23 17:43:06 UTC
Post by Andrew Diederich
>> <snip>
>> Makes sense since this is a self-signed cert. However, even turning the TLS
>> log level to 0 still gives me the 5 lines for every connection to that box.
>> So, is there any way to NOT get these, short of buying a commercial cert for
>> the GroupWise gateway? Is there a way to import that cert (.b64) into the
>> linux certificate store so postfix won't (justifiably) fill up my mail logs?
>> <snip>
> I think postfix uses the openssl root CA list.
This is not correct.

http://www.postfix.org/postconf.5.html#smtp_tls_CAfile
http://www.postfix.org/postconf.5.html#smtp_tls_CApath

I would not sweat the noise in the logs. Disk space is cheap. Also
syslog-ng can filter these out if you want.

This said the .b64 files can be converted to PEM as follows:

openssl base64 -d -in xyzzy-ca.b64 |
openssl x509 -inform DER -out xyzzy-ca.pem

then add the xyzzy-ca.pem file to the CApath directory and run
c_rehash, or append it to the CAfile...
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Victor Duchovni
2006-02-23 18:05:37 UTC
> [snip]
>> openssl base64 -d -in xyzzy-ca.b64 |
>> openssl x509 -inform DER -out xyzzy-ca.pem
>> then add the xyzzy-ca.pem file to the CApath directory and run
>> c_rehash, or append it to the CAfile...
> Interestingly, that just changed the nature of the log entries. However,
> Feb 23 13:00:27 mailhub postfix/smtp[3692]: verify error:num=2:unable to get issuer certificate
> Feb 23 13:00:27 mailhub postfix/smtp[3692]: issuer= /O=NICI Licensed CA/CN=NICI Machine-Unique CA 11EF7CA7-1A2C903B35A5585E6D04F121DE69A541
> Feb 23 13:00:27 mailhub postfix/smtp[3692]: verify error:num=27:certificate not trusted
> Feb 23 13:00:27 mailhub postfix/smtp[3692]: Peer certficate could not be verified
You need to add trust for the root CA certificate, not the server
certificate.
--
Viktor.

Wietse Venema
2006-02-23 17:55:01 UTC
> Hi all,
> I'd set up TLS on my postfix 2.15 mail gateway a few weeks ago. Just today
> I'd added TLS to our internal mail server (GroupWise 6.5.4) also using a
> self-signed certificate generated by the Novell system and am getting these
> Feb 23 10:08:27 mailhub postfix/smtp[2937]: setting up TLS connection to mhtc.melwood.com
> Feb 23 10:08:27 mailhub postfix/smtp[2937]: verify error:num=20:unable to get local issuer certificate
> Feb 23 10:08:27 mailhub postfix/smtp[2937]: verify error:num=27:certificate not trusted
> Feb 23 10:08:27 mailhub postfix/smtp[2937]: verify error:num=21:unable to verify the first certificate
> Feb 23 10:08:28 mailhub postfix/smtp[2937]: Peer certficate could not be verified
> Makes sense since this is a self-signed cert. However, even turning the TLS
> log level to 0 still gives me the 5 lines for every connection to that box.
> So, is there any way to NOT get these, short of buying a commercial cert for
> the GroupWise gateway? Is there a way to import that cert (.b64) into the
> linux certificate store so postfix won't (justifiably) fill up my mail
> logs? If the answer is "Yes" please use lots of one syllable words as
> setting up the TLS for postfix is my only experience with SSL on Linux. :-)
I used the quick-and-dirty instructions in TLS_README to install
the client and CA certificate, and have no such warnings in the
log.

http://www.postfix.org/TLS_README.html#quick-start

Wietse
Victor Duchovni
2006-02-23 20:00:54 UTC
> Re what Victor was saying, I'm pretty sure that I exported the cert from the
> Tree CA, not from the server level.
The OpenSSL library disagrees, and I am not prone to argue with it. :-)

Is the server certificate signed directly by the Root CA, or an
intermediate CA? Perhaps the missing certificate is an intermediate CA,
in which case the server is misconfigured, it should be including the
intermediate CA certificates in its SSL-helo response:

http://www.postfix.org/TLS_README.html#server_cert_key
--
Viktor.

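Pulling the thread's advice together (Viktor's .b64 to PEM conversion, the CApath plus c_rehash step, and his point that the root CA certificate rather than the server certificate is what needs trusting), here is an added example script that is not from the thread or from Postfix. It generates a throwaway CA and server certificate locally so it runs offline; "Example Root CA", "mhtc.example.com" and all file names are constructed, and `openssl verify` stands in for the check the Postfix smtp client makes against `smtp_tls_CApath`.

```shell
#!/bin/sh
# Added example (not from the thread): convert a .b64 CA export to PEM, check
# that it really is the CA certificate and not the server's leaf, build a
# hashed CApath for smtp_tls_CApath, and show why trusting the leaf alone fails.
# All certificates are generated here (constructed data), so this runs offline.
set -e
work=$(mktemp -d) && cd "$work"

# --- constructed data: a self-signed root CA and one server cert it signs ---
printf '[req]\nprompt=no\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nO=Example\nCN=Example Root CA\n[v3]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.cnf
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=mhtc.example.com' \
  -keyout srv.key -out srv.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mhtc.example.com\n' > srv.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile srv.ext -out srv.pem 2>/dev/null
# A GroupWise-style .b64 export is just the base64 of the DER certificate.
openssl x509 -in ca.pem -outform DER | openssl base64 > ca.b64
openssl x509 -in srv.pem -outform DER | openssl base64 > srv.b64

# b64_to_pem IN.b64 OUT.pem : the conversion Viktor gave, as a function.
b64_to_pem() { openssl base64 -d -in "$1" | openssl x509 -inform DER -out "$2"; }

# is_ca CERT.pem : succeeds only if basicConstraints says CA:TRUE.  Run this on
# the exported file before trusting it; if it fails you exported the wrong cert.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# build_capath DIR CERT.pem : copy the cert in and hash the directory the way
# a CApath must be (openssl rehash, or c_rehash on older OpenSSL).
build_capath() {
  mkdir -p "$1" && cp "$2" "$1/"
  openssl rehash "$1" 2>/dev/null || c_rehash "$1" >/dev/null
}

# verify_against CAPATH CERT.pem : stand-in for the Postfix smtp client's check.
verify_against() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

# Right: trust the root CA.  Wrong: trust the server cert itself; OpenSSL still
# goes looking for that cert's issuer, which is what the "unable to get issuer
# certificate" lines in the thread show.
b64_to_pem ca.b64 ca_from_b64.pem && build_capath capath.good ca_from_b64.pem
b64_to_pem srv.b64 srv_from_b64.pem && build_capath capath.bad srv_from_b64.pem
verify_against capath.good srv.pem && echo "root CA trusted: server cert verifies"
verify_against capath.bad srv.pem || echo "only the leaf trusted: verification still fails"
```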
Wietse Venema
2006-02-23 22:17:40 UTC
Post by Wietse Venema
>> I used the quick-and-dirty instructions in TLS_README to install
>> the client and CA certificate, and have no such warnings in the
>> log.
>> http://www.postfix.org/TLS_README.html#quick-start
> I referred to that fine document whilst setting up TLS in the first place.
> However, unless I'm mistaken (which if you're saying one thing and I'm not
> following that's the case), that's germane for generating and importing
> self-signed certificates for that particular server using the postfix
> server's CA, NOT for a cert generated on a different server with a different
> CA?
No. I used these instructions to generate MULTIPLE certificates
for MULTIPLE machines using a SINGLE certificate authority.

Wietse
