Author Topic: SSL Login does not work: how to configure roundcube using a Let's Encrypt cert?  (Read 9857 times)

Offline Oliver-

Hi,
I have to make clear right at the beginning that I am no mail server expert, so I do not understand every detail of my mail server configuration, but I managed to install a working mail server on my own root server, based on Ubuntu 16.04 with postfix and courier.
I also managed to create/use a Let's Encrypt certificate for my apache webserver, which I also use for my mail server (in postfix and courier!)!
As I said, the web server is working (I can send and receive emails), and currently I am accessing it only via Thunderbird. Again, I am no expert, but I know that the mail server is very restricting, which means SSL/TLS is forced. My working Thunderbird configuration for IMAP looks like this:
Code: [Select]
server name: myserver.com
port: 993
connection security setting: SSL/TLS
authentication method: password, normal

For SMTP it looks like this:
Code: [Select]
server: myserver.com
port: 465
authentication: password, normal
security: SSL/TLS

I just posted this to give you some information about what works with my server (and at the same time give you some insight into the server configuration).

My problem is that Roundcube does not work. To be more specific: I cannot log in. I am using the current version of Roundcube and this is my config.inc.php (the relevant part):

Code: [Select]
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'LOGIN';

$config['smtp_server'] = 'ssl://localhost';
$config['smtp_port'] = 465;
$config['smtp_auth_type'] = 'login';

The rest is the normal stuff created during the install process: db_dsnw, smtp_user, smtp_pass, support_url, des_key, language, spellcheck_engine.

I guess there is something missing, probably related to my SSL certificate. I also tested some settings I found using Google, but nothing worked. I can also post some logs if you say which ones, but I was not able to read anything relevant from any of them myself.
The only interesting thing is that when Thunderbird logs in, the courier-imap-ssl server logs this:
Code: [Select]
Connection, ip=[::ffff:MYHOMEIP]
LOGIN, user=MYEMAIL, ip=[::ffff:MYHOMEIP], port=[48506], protocol=IMAP

When Roundcube tries to log in it is just:
Code: [Select]
Connection, ip=[::1]

Roundcube itself just logs this:
Code: [Select]
[13-May-2017 22:38:45 +0000]: <pflc04po> IMAP Error: Login failed for MYEMAIL from MYHOMEIP. Could not connect to ssl://localhost:993:
Unknown reason in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)

Offline SKaero

You may need to set the following setting in your config:
Code: [Select]
// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
//$config['imap_conn_options'] = array(
//  'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
// Note: These can be also specified as an array of options indexed by hostname
$config['imap_conn_options'] = null;

Offline Oliver-

Unfortunately, that does not work. Neither setting imap_conn_options to null nor the commented variant works (the cert path is also different in Ubuntu: /etc/ssl/certs/, and there is no ca.crt but a ca-certificates.crt).

I guess I have to define my own certificate somewhere. The /etc/ssl/certs/ca-certificates.crt file is something different, right?

Offline JohnDoh

Try setting the connection options with verify_peer as false. Or I think you can get the Let's Encrypt CA cert here: https://letsencrypt.org/certificates/
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more…
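
The `ssl` context options discussed in the two replies above (`verify_peer`, `cafile`) can be tested outside Roundcube with a short PHP script that opens the same kind of `ssl://host:993` socket and prints the OpenSSL warning behind a failed handshake. This is an added example, not part of the original posts and not Roundcube code. Assumptions: `probe_imap_tls` is a hypothetical helper name, `myserver.com` is the placeholder hostname from the first post, and the CA bundle path is the Ubuntu one mentioned in the thread.

```php
<?php
// Added diagnostic (not Roundcube code): open a TLS socket to the IMAP
// port with a given set of 'ssl' context options and report what happened.

function probe_imap_tls(string $host, int $port, array $ssl): array
{
    $errors = [];
    // PHP reports handshake and verification failures as warnings; collect them.
    set_error_handler(function (int $no, string $msg) use (&$errors): bool {
        $errors[] = $msg;
        return true;
    });
    $ctx = stream_context_create(['ssl' => $ssl + ['capture_peer_cert' => true]]);
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();

    $result = ['host' => $host, 'options' => $ssl, 'ok' => $fp !== false,
               'errno' => $errno, 'errstr' => $errstr, 'errors' => $errors];
    if ($fp !== false) {
        // Show which names the presented certificate is actually valid for.
        $params = stream_context_get_params($fp);
        $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
        $result['cert_names'] = $cert['extensions']['subjectAltName']
            ?? $cert['subject']['CN'] ?? null;
        $result['greeting'] = trim((string) fgets($fp)); // IMAP server banner
        fclose($fp);
    }
    return $result;
}

// Verification stays enabled in every probe; only the expected name changes.
$verify = [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => '/etc/ssl/certs/ca-certificates.crt', // path from the thread
];

// 1. The connection Roundcube makes with default_host = 'ssl://localhost'.
print_r(probe_imap_tls('localhost', 993, $verify));
// 2. Same socket, but the certificate is checked against the public name.
print_r(probe_imap_tls('localhost', 993, $verify + ['peer_name' => 'myserver.com']));
// 3. Connecting by the public name (placeholder from the first post).
print_r(probe_imap_tls('myserver.com', 993, $verify));
```

PHP 5.6 and later enable both `verify_peer` and `verify_peer_name` by default, and `verify_peer_name` compares the certificate against the host in the connection string unless `peer_name` is set. If only probes 2 and 3 succeed, the certificate chain is trusted and the mismatch is the name `localhost`; the same `ssl` keys can be placed in `imap_conn_options`.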

Offline Oliver-

Neither setting verify_peer to false nor changing the cafile works.

Offline SKaero

Are you sure your mail server is listening on localhost?

Offline Oliver-

It should, because I basically copied a configuration I used on an earlier version of Ubuntu to the newer version I am currently using. On the older system the Roundcube configuration was identical (imap_conn_options and smtp_conn_options were not necessary though); this includes the localhost setting.
I am not sure about my postfix and courier configuration, but the only planned difference is the transition from a self-signed SSL certificate to the Let's Encrypt cert. Also, if I try to connect via Roundcube, there are some log entries, but unfortunately they are not very helpful.

Offline SKaero

Can you enable imap_debug and post the log?