• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Issue Mail Problem with TLS / SSL and PHP 5.6

M

Michael Raeck

New Pleskian
Hey Guys,

I have a strange Problem,

We use a E-Commerce system called Shopware, we updated this system, but now it needs php 5.6, no problem i thougth, but i had a reallly strange problem.

with php 5.6 All encrypted client streams now enable peer verification by default.

see here:

http://php.net/manual/en/migration56.openssl.php

Thatswhy i had to configure the SSL Certificates for the domain, to be used by Dovecot.

I followed this:


test -e /etc/postfix/postfix_default.pem && cp /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.original
test -e /etc/dovecot/private/ssl-cert-and-key.pem && cp /etc/dovecot/private/ssl-cert-and-key.pem /etc/dovecot/private/ssl-cert-and-key.pem.original

cat /root/zertifikat.pem >/etc/postfix/postfix_default.pem

test -e /etc/dovecot/private/ssl-cert-and-key.pem && cat /root/zertifikat.pem >/etc/dovecot/private/ssl-cert-and-key.pem

test -e /etc/init.d/postfix && /etc/init.d/postfix restart
test -e /etc/init.d/dovecot && /etc/init.d/dovecot restart

test -e /sbin/service && service postfix restart
test -e /sbin/service && service dovecot restart



with this pem file:

-----BEGIN RSA PRIVATE KEY-----

MY PRIVATE SSL SERVER KEY

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----

WHEN I NOW TRY THIS:

openssl s_client -showcerts -connect ****.de:443 -state -debug

IT works, BUT:

i get:

verify return code: 20 (unable to get local issuer certificate)

So he dosnt find the issuer certificate
After searching for hours, I found:

openssl s_client -connect *****.de:443 -CApath /etc/ssl/certs

does the trick. And it works with:

Verify return code: 0 (ok)


Now my question:

How can i tell Plesk or openSSL or PHP where he finds the root certificates?

I also tried to append the thatwe Server root at the end of the .pem file, but it also don't work.

This is my dovecot config:

#ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem

#ssl_key = </etc/dovecot/private/ssl-cert-and-key.pem


ssl_key = </etc/ssl-certs/****.de.pem

ssl_cert = </etc/ssl-certs/****.de.pem

ssl_ca = </etc/ssl-certs/****.de.ca.pem

I tried the commented and uncommented lines, both give the same results, its like dovecot also not knowing where to find the thatwe Root cerfiticate.

I know this question is really complex, i hope anyone can help me.

Thanks in advance.
 
Hi Michael Raeck,

first, pls. be noted that you should "normally" contact your certificate issuer with such questions, because even that this is a "plesk-related" forum, your certificate issuer should inform you about the correct usage of your paid certificate. ( "PAID" certificates INCLUDE support! ;) )
THAWTE for example provides as well a "Knowledge base" and a "FAQ" site ( i.e.: https://search.thawte.de/support/ssl-digital-certificates/index.html ).


Michael Raeck said:
with this pem file:

-----BEGIN RSA PRIVATE KEY-----

MY PRIVATE SSL SERVER KEY

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----
Click to expand...

The "trick" is to simply go the very standard way:
Create TWO pem - files ( one certificate - one key ) and adjust the files as for example:

KEY:
Code: 
-----BEGIN RSA PRIVATE KEY-----

domain-certificate-key-from-your-issuer

-----END RSA PRIVATE KEY-----


CERTIFICATE:
Code: 
-----BEGIN CERTIFICATE-----

domain-certificate-from-your-issuer

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

issuer-intermediate-certificate
AND
issuer-root-certificate

-----END CERTIFICATE-----

Pls. have a CLOSER look and note TWO certificates ( intermediate AND root ) in the second certificate section, which is the location, where you normally only would use the root certificate.
For THAWTE certificates, you will have to download the corresponding intermediate ( Intermediate CA ) and root certificate ( Thawte Primary Root CA ) for your paid certificate at for example:


Another note here as well: Pls. download the CORRESPONDING certificates for your paid certificate and don't mix SHA-1 and SHA-2 certificates!!!


Another very important note:
IF you created your certificate with a password, then you should consider to remove that password, if you don't want to insert the password at each service restart from postfix/qmail, or courier-imap/dovecot.
A possible linux command for this goal would be:

openssl rsa -in domain-certificate-key -out domain-certificate-key-without-password.key




Additional information:

For postfix, pls. make sure to comment out the standard entries at "main.cf":
Code: 
...
#smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
...

and add for example:
Code: 
...
smtpd_tls_cert_file = /etc/postfix/private/001-DOMAIN-CERTIFICATE.pem
smtpd_tls_key_file = /etc/postfix/private/002-DOMAIN-CERTIFICATE-KEY.pem
smtpd_tls_CAfile = /etc/postfix/private/003-INTERMEDIATE-AND_ROOT.pem
...

( Note: as you can see, the certificates are defined in this example at the location "etc/postfix/private" - make sure, that the certicates/keys are really located there or choose a folder of your choice on your server and adjust the example to your unique definition! ;)
If you need further help, because of postfix issues/problems/failures, pls. consider to open a NEW thread and add there your mail - log and both postfix configuration files ).


For dovecot, pls. make sure to comment out the standard entries at dovecot.conf:
Code: 
...
#ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
#ssl_key =  </etc/dovecot/private/ssl-cert-and-key.pem
...

and add for example:
Code: 
...
ssl_cert = </etc/dovecot/private/001-DOMAIN-CERTIFICATE.pem
ssl_key = </etc/dovecot/private/002-DOMAIN-CERTIFICATE-KEY.pem
ssl_ca = </etc/dovecot/private/003-INTERMEDIATE-AND_ROOT.pem
ssl = yes
...

( Note: as you can see, the certificates are defined in this example at the location "etc/dovecot/private" - make sure, that the certicates/keys are really located there or choose a folder of your choice on your server and adjust the example to your unique definition! ;) Don't forget, that dovecot NEEDS the setting "ssl = yes", if you use certificates
If you need further help, because of dovecot issues/problems/failures, pls. consider to open a NEW thread and add there your mail - log and the dovecot configuration file ).



Edit:
oooh... and btw: The times for "paid" certificates are over since "StartSSL" and "Let's encrypt". Pls. consider to inform yourself especially about "Let's encrypt", due to the fact, that there is a => FREE Plesk extension <= for Plesk. ;):);)
 
Last edited by a moderator:
You must log in or register to reply here.

Similar threads

J
Issue DEBIAN 12 OPENSSL 3.0 DOVECOT does not allow login
Replies
1
Views
572
Yaroslav_T
Yaroslav_T
defcon8
Issue SMTP SSL Certificate Expired
Replies
2
Views
599
defcon8
defcon8
S
Resolved Dovecot Broken After Latest Update
Replies
4
Views
1K
scpcomp
S
R
Issue SSL/TLS cert for mail server not updating (Lets Encrypt)
Replies
2
Views
889
tessa67
T
futureweb
Question Issues with SSL Certificate Renewal for Mail Services in Plesk: Seeking Automated Solution via CLI or API
Replies
8
Views
1K
futureweb
futureweb
Back
Top