
Issue Mail Problem with TLS / SSL and PHP 5.6

Michael Raeck

New Pleskian
Hey Guys,

I have a strange Problem,

We use an e-commerce system called Shopware. We updated this system, but now it needs PHP 5.6. No problem, I thought, but I had a really strange problem.

With PHP 5.6, all encrypted client streams now enable peer verification by default.

see here:

http://php.net/manual/en/migration56.openssl.php

That's why I had to configure the SSL certificates for the domain to be used by Dovecot.

I followed this:


test -e /etc/postfix/postfix_default.pem && cp /etc/postfix/postfix_default.pem /etc/postfix/postfix_default.pem.original
test -e /etc/dovecot/private/ssl-cert-and-key.pem && cp /etc/dovecot/private/ssl-cert-and-key.pem /etc/dovecot/private/ssl-cert-and-key.pem.original

cat /root/zertifikat.pem >/etc/postfix/postfix_default.pem

test -e /etc/dovecot/private/ssl-cert-and-key.pem && cat /root/zertifikat.pem >/etc/dovecot/private/ssl-cert-and-key.pem

test -e /etc/init.d/postfix && /etc/init.d/postfix restart
test -e /etc/init.d/dovecot && /etc/init.d/dovecot restart

test -e /sbin/service && service postfix restart
test -e /sbin/service && service dovecot restart



with this pem file:

-----BEGIN RSA PRIVATE KEY-----

MY PRIVATE SSL SERVER KEY

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----

WHEN I NOW TRY THIS:

openssl s_client -showcerts -connect ****.de:443 -state -debug

IT works, BUT:

I get:

verify return code: 20 (unable to get local issuer certificate)

So it doesn't find the issuer certificate.
After searching for hours, I found:

openssl s_client -connect *****.de:443 -CApath /etc/ssl/certs

does the trick. And it works with:

Verify return code: 0 (ok)


Now my question:

How can I tell Plesk, OpenSSL or PHP where it finds the root certificates?

I also tried to append the Thawte server root at the end of the .pem file, but it also doesn't work.

This is my dovecot config:

#ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem

#ssl_key = </etc/dovecot/private/ssl-cert-and-key.pem


ssl_key = </etc/ssl-certs/****.de.pem

ssl_cert = </etc/ssl-certs/****.de.pem

ssl_ca = </etc/ssl-certs/****.de.ca.pem

I tried the commented and uncommented lines; both give the same results. It's like Dovecot also doesn't know where to find the Thawte root certificate.

I know this question is really complex; I hope someone can help me.

Thanks in advance.
 
Hi Michael Raeck,

First, pls. note that you should "normally" contact your certificate issuer with such questions, because even though this is a "Plesk-related" forum, your certificate issuer should inform you about the correct usage of your paid certificate. ( "PAID" certificates INCLUDE support! ;) )
Thawte, for example, also provides a "Knowledge base" and a "FAQ" site ( i.e.: https://search.thawte.de/support/ssl-digital-certificates/index.html ).


with this pem file:

-----BEGIN RSA PRIVATE KEY-----

MY PRIVATE SSL SERVER KEY

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

THATWE Intermediate

-----END CERTIFICATE-----

The "trick" is simply to go the very standard way:
Create TWO PEM files ( one certificate, one key ) and adjust the files, for example:

KEY:
Code:
-----BEGIN RSA PRIVATE KEY-----

domain-certificate-key-from-your-issuer

-----END RSA PRIVATE KEY-----


CERTIFICATE:
Code:
-----BEGIN CERTIFICATE-----

domain-certificate-from-your-issuer

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

issuer-intermediate-certificate
AND
issuer-root-certificate

-----END CERTIFICATE-----

Pls. have a CLOSER look and note TWO certificates ( intermediate AND root ) in the second certificate section, which is the location where you would normally only use the root certificate.
For THAWTE certificates, you will have to download the corresponding intermediate ( Intermediate CA ) and root certificate ( Thawte Primary Root CA ) for your paid certificate at for example:


Another note here as well: Pls. download the CORRESPONDING certificates for your paid certificate and don't mix SHA-1 and SHA-2 certificates!!!


Another very important note:
IF
you created your certificate with a password, then you should consider removing that password if you don't want to enter the password at each service restart of postfix/qmail or courier-imap/dovecot.
A possible Linux command for this would be:

openssl rsa -in domain-certificate-key -out domain-certificate-key-without-password.key




Additional information:

For postfix, pls. make sure to comment out the standard entries at "main.cf":
Code:
...
#smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
#smtpd_tls_key_file = $smtpd_tls_cert_file
...

and add for example:
Code:
...
smtpd_tls_cert_file = /etc/postfix/private/001-DOMAIN-CERTIFICATE.pem
smtpd_tls_key_file = /etc/postfix/private/002-DOMAIN-CERTIFICATE-KEY.pem
smtpd_tls_CAfile = /etc/postfix/private/003-INTERMEDIATE-AND_ROOT.pem
...

( Note: as you can see, the certificates in this example are defined at the location "etc/postfix/private" - make sure that the certificates/keys are really located there, or choose a folder of your choice on your server and adjust the example to your own definition! ;)
If you need further help because of postfix issues/problems/failures, pls. consider opening a NEW thread and adding your mail log and both postfix configuration files there ).


For dovecot, pls. make sure to comment out the standard entries at dovecot.conf:
Code:
...
#ssl_cert = </etc/dovecot/private/ssl-cert-and-key.pem
#ssl_key =  </etc/dovecot/private/ssl-cert-and-key.pem
...

and add for example:
Code:
...
ssl_cert = </etc/dovecot/private/001-DOMAIN-CERTIFICATE.pem
ssl_key = </etc/dovecot/private/002-DOMAIN-CERTIFICATE-KEY.pem
ssl_ca = </etc/dovecot/private/003-INTERMEDIATE-AND_ROOT.pem
ssl = yes
...

( Note: as you can see, the certificates in this example are defined at the location "etc/dovecot/private" - make sure that the certificates/keys are really located there, or choose a folder of your choice on your server and adjust the example to your own definition! ;) Don't forget that Dovecot NEEDS the setting "ssl = yes" if you use certificates.
If you need further help because of dovecot issues/problems/failures, pls. consider opening a NEW thread and adding your mail log and the dovecot configuration file there ).



Edit:
Oooh... and btw: the times for "paid" certificates have been over since "StartSSL" and "Let's Encrypt". Pls. consider informing yourself especially about "Let's Encrypt", since there is a => FREE Plesk extension <= for Plesk. ;):);)
 
Last edited by a moderator:
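As an added, stand-alone example (not code from the thread, from Plesk or from the certificate issuer), the following script builds a throwaway root / intermediate / leaf chain with openssl, reproduces the "unable to get local issuer certificate" result from the question when only the leaf is presented, and shows the same leaf verifying once the intermediate-and-root bundle from the reply is supplied. The CA subjects, the host name and the bundle file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed chain, throwaway keys, no real certificates involved.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# CA extension profile shared by the constructed root and intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile ca.ext 2>/dev/null

# Intermediate CA: signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 2 -extfile ca.ext 2>/dev/null

# Leaf (mail server) certificate: signed by the intermediate, as a paid cert would be.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=mail.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 2 2>/dev/null

# Bundles in the layout the reply describes (file names constructed here).
cat leaf.pem inter.pem root.pem > 001-DOMAIN-CERTIFICATE.pem
cat inter.pem root.pem > 003-INTERMEDIATE-AND_ROOT.pem

# The trust store holds only the root, like a client's system store would.
# Without the intermediate, chain building stops at the leaf: error 20.
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem 2>&1
}

# With the intermediate+root bundle as chain material, OpenSSL can link
# leaf -> intermediate -> root and the verification succeeds.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted 003-INTERMEDIATE-AND_ROOT.pem leaf.pem 2>&1
}

verify_leaf_only || true   # prints the error 20 diagnostic; expected to fail
verify_with_chain          # prints "leaf.pem: OK"
```

The same distinction applies to a live server: a client that trusts only the root will report error 20 unless the server's configured chain file (ssl_cert / ssl_ca in Dovecot, smtpd_tls_cert_file / smtpd_tls_CAfile in Postfix) carries the intermediate.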