PLEASE HELP! Email google thinks I'm using self-signed ssl, no pop3 access.

divinelighting (Verified User, joined Mar 17, 2008, 108 messages)
My company uses gmail to access pop3 on the server, and last night gmail made changes to require strict ssl authentication (I think).

In any case, gmail gives the error "SSL error: self signed certificate", but I am not using a self-signed cert. The web domain uses EV SSL.

The domain is divinelighting.com (mail.divinelighting.com) on a dedicated IP.

The server is on a different ip, and was on a self-signed certificate, but I have installed an SSL and gmail still is not working. The server IP is 199.116.112.2 and I think the ssl is installed correctly.

I have been working on this for hours and am at a loss.
 
Here is the result, I'm not exactly sure where to go from here:

[root@karuna ~]# openssl s_client -connect karuna.divineled.com:443
CONNECTED(00000003)
depth=0 serialNumber = v1BoM/7HqX8ufa3-JgkAyqfdcVnz0KfJ, OU = GT49866760, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = karuna.divineled.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = v1BoM/7HqX8ufa3-JgkAyqfdcVnz0KfJ, OU = GT49866760, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = karuna.divineled.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = v1BoM/7HqX8ufa3-JgkAyqfdcVnz0KfJ, OU = GT49866760, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = karuna.divineled.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=v1BoM/7HqX8ufa3-JgkAyqfdcVnz0KfJ/OU=GT49866760/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=karuna.divineled.com
  i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[OMITTED]
-----END CERTIFICATE-----
subject=/serialNumber=v1BoM/7HqX8ufa3-JgkAyqfdcVnz0KfJ/OU=GT49866760/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=karuna.divineled.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2208 bytes and written 311 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 2B1163BAD16C363E38FB8079BA5310A7CC4D5446272D89EBE23517803D7A2C41
Session-ID-ctx:
Master-Key: 37CF96F34A501A9A827CD0981CA319B8F6783E3E96FFED5C84D38F1FF2F9BEA3FC5125E52CF5B1E34E1107CF08132A4D
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 43 9d 46 79 bf cc 70 7b-fc 40 30 9b 6b fe 42 dc C.Fy..p{.@0.k.B.
0010 - f2 fd 7c c5 00 bc f6 11-7b 4a 1f 78 43 c8 34 7b ..|.....{J.xC.4{
0020 - 21 bc 1a af 9d 35 52 fe-70 af d7 a3 fd d6 27 8a !....5R.p.....'.
0030 - df 44 6d 37 2e d0 4c 3d-a2 4f a0 fe 9b 9e 4b 66 .Dm7..L=.O....Kf
0040 - 14 2e 9d 50 8b 18 ee 1b-62 17 f9 9c 19 96 34 06 ...P....b.....4.
0050 - 57 eb d0 6c 6a 75 e0 1a-3e 2e 41 13 de 9c d4 08 W..lju..>.A.....
0060 - e9 61 ec 6e ce c2 a1 ac-4f cb 46 e4 01 fb 1a 12 .a.n....O.F.....
0070 - 13 56 e0 20 4e b3 a7 b1-d7 6d 39 2a b2 b4 0b a8 .V. N....m9*....
0080 - b7 82 35 89 24 72 6c 49-b3 90 3e 99 6b 63 ed 35 ..5.$rlI..>.kc.5
0090 - 60 05 0e 5a 50 84 17 ee-5d ff db 0a e9 21 5d 1a `..ZP...]....!].
00a0 - e3 24 15 42 11 86 f0 70-7e 68 0c 21 65 12 31 31 .$.B...p~h.!e.11
00b0 - 0a 9c 25 b7 4e 57 5c d9-d1 ea 02 13 61 bb 62 78 ..%.NW\.....a.bx

Compression: 1 (zlib compression)
Start Time: 1355354730
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
 
After hours more unsuccessful work...

To clarify, I merely need ssl on pop3, and because server ssl was self-signed, it quit working with gmail.

So I'm trying to set up ssl on my admin user account to fix this.

I have successfully got ssl working on admin domain www.divineled.com
but, still no ssl on the server IP 199.116.112.2
I am using same certificates everywhere I can find them: /etc/httpd/conf/ssl.key/server.key /etc/httpd/conf/ssl.crt/server.crt
Followed recommended conf changes here http://www.directadmin.com/forum/showthread.php?p=201965
Restarted httpd, no luck.

I think I must have missed a certificate installation somewhere, since it works on domain and not IP.
 
You should be able to use the same certificates as your ecommerce site. Just make sure that, if there is a chain certificate, it too is installed properly; otherwise the certificate can't be verified.

Did you follow this part:
Code:
Chained SSL certificates

Put all the certificates in the ssl_cert file. For example when using a certificate signed by TDC the correct order is:

Dovecot's public certificate
TDC SSL Server CA
TDC Internet Root CA
Globalsign Partners CA
By the looks of what I am seeing, that could be your problem (note I used port 995 since that is the POP3-with-SSL port):
Code:
openssl s_client -connect karuna.divineled.com:995
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=EssentialSSL/CN=www.divineled.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=EssentialSSL/CN=www.divineled.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=EssentialSSL/CN=www.divineled.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=EssentialSSL/CN=www.divineled.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=EssentialSSL/CN=www.divineled.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2006 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 71E687F253A57C8B0544A733769DA9C204557B3A20581804A6A166796EE1DC3C
    Session-ID-ctx: 
    Master-Key: BEB49378052AE173173D3FC51C834F0A2B3C464160A190C0E16140C0C70BB5ABEA4722291142AB4B0551544F0C082A91
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1355499388
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Dovecot DA ready.
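Both s_client outputs in this thread show the server sending a single depth=0 certificate and openssl ending with "Verify return code: 21 (unable to verify the first certificate)"; that is what a missing intermediate looks like to a client that trusts only the public roots, and the Dovecot instructions quoted above fix it by putting the whole chain in ssl_cert, server certificate first. The program below is an added illustration, not code from this thread, from Dovecot or from DirectAdmin. It builds a throwaway three-tier PKI in memory (placeholder names, not the RapidSSL or Comodo certificates discussed here), shows that a client trusting only the root rejects the leaf on its own but accepts leaf plus intermediate, and checks that a PEM bundle is in the leaf-first, each-signed-by-the-next order the Dovecot wiki asks for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // serial counter for the constructed test PKI

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil).
// Constructed throwaway PKI for illustration; all names are placeholders.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // modern clients match the SAN, not the CN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildTestPKI returns root CA, intermediate CA and server leaf: the same
// three-tier shape as the thread's chain (a RapidSSL or EssentialSSL CA under a public root).
func BuildTestPKI() (root, inter, leaf *x509.Certificate) {
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	inter, interKey := mkCert("Example Intermediate CA", true, root, rootKey)
	leaf, _ = mkCert("mail.example.com", false, inter, interKey)
	return root, inter, leaf
}

// VerifyAsClient acts like a TLS client (Gmail, or openssl s_client with a CA bundle)
// that trusts only root and sees exactly what the server sent, leaf first. A server
// that omits its intermediate fails here, just as openssl reports error 21.
func VerifyAsClient(root *x509.Certificate, host string, served ...*x509.Certificate) error {
	if len(served) == 0 {
		return fmt.Errorf("server sent no certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range served[1:] {
		inters.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// PEMBundle concatenates certificates in the given order, the way the Dovecot
// wiki says to assemble the ssl_cert file.
func PEMBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// CheckBundleOrder parses a PEM bundle and enforces the ordering rule: the server
// certificate comes first, and each certificate must be signed by the one after it.
func CheckBundleOrder(bundle []byte) error {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest) // skips any non-PEM text between blocks
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("no certificates in bundle")
	}
	if certs[0].IsCA {
		return fmt.Errorf("first certificate %q is a CA, not the server certificate", certs[0].Subject.CommonName)
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d (%s) is not signed by certificate %d (%s): %v",
				i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

func main() {
	root, inter, leaf := BuildTestPKI()
	fmt.Println("leaf only:        ", VerifyAsClient(root, "mail.example.com", leaf))
	fmt.Println("leaf+intermediate:", VerifyAsClient(root, "mail.example.com", leaf, inter))
	fmt.Println("bundle in order:  ", CheckBundleOrder(PEMBundle(leaf, inter, root)))
	fmt.Println("bundle reversed:  ", CheckBundleOrder(PEMBundle(root, inter, leaf)))
}
```

Run it with `go run`. To check a real server's served chain the same way, save the output of `openssl s_client -showcerts -connect mail.example.com:995` (hostname is a placeholder) to a file and pass its contents to CheckBundleOrder; pem.Decode ignores the surrounding s_client text and reads the PEM blocks in the order the server sent them.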
 
Thanks for your help. I got it working by following the instructions on http://wiki2.dovecot.org/SSL/DovecotConfiguration as you recommended. I was initially thrown because my dovecot.conf does not match the lines in the instructions. I fixed it by pointing it to a copy of my key and cert, and by putting the whole chain in the cert (starting with my domain cert and proceeding to the root cert).

The biggest stumbling block initially was the assumption that I couldn't use my website certificate for pop3. I reasoned that if the website certificate would work for email, then it would be installed automatically when I set up the domain cert on the DirectAdmin interface. Now, I am wondering why this isn't the case. If I install a cert for https://www.domain.com then why the heck doesn't DA make mail.domain.com secure as well???
 
Probably because there are lots of reasons why admins might not want to do this.

Let's discuss this. What happens if your cert is for www.example.com and you're also trying to get email addressed to the mail subdomain hosting www.anotherexample.net?

Even if this works there could be lots of good reasons to not do it, for example, then each time you add another domain Certificate, wouldn't it replace the one currently installed? If so, aside from exposing to the world that yourexample.com is hosted on the same server as example.com (which either domain owner might consider a serious breach of privacy), what are the other issues?

Jeff
 