Author Topic: Unable to verify certificate  (Read 5357 times)

mkreyn
Unable to verify certificate
« on: July 27, 2021, 01:30:33 AM »
Hi to all of you!

I can't log in to my webmail account because of an IMAP error. Here's what the logs say:

Quote
[27-Jul-2021 07:25:00 Europe/Berlin] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in /var/www/sites/kreine.com/webmail/program/lib/Roundcube/rcube_imap_generic.php on line 1087
[27-Jul-2021 07:25:00 +0200]: <v62g26bi> IMAP Error: Login failed for mark@kreine.com against webmail.kreine.com from 5.146.250.226. Unable to negotiate TLS in /var/www/sites/kreine.com/webmail/program/lib/Roundcube/rcube_imap.php on lin

Here is an excerpt from my config.inc.php file:

Quote
$config['default_host'] = 'tls://%n';
$config['smtp_server'] = 'tls://%h';

$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
'verify_peer_name' => false
),
);
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false
),
);
$config['debug_level'] = 1;
$config['smtp_debug'] = true;

I would be happy just to turn off this checking, but I cannot. I have issued self-signed certificates for Postfix, which are in
/etc/postfix/ssl/mail.kreine.com.csr
/etc/postfix/ssl/mail.kreine.com.key

I need either to attach those to Roundcube or just to turn this check off, so that I finally can log into my account in Roundcube. I cannot accomplish this on my own, that's why I kindly ask you to help me.

That's what I have in my main.cf (Postfix) file: (just an excerpt)

Quote
# ============================================================
# TLS
# ============================================================
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtpd_tls_key_file = /etc/postfix/ssl/mail.kreine.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/mail.kreine.com.csr
tls_random_source = dev:/dev/urandom

Thanks a lot!

mkreyn
Re: Unable to verify certificate
« Reply #1 on: July 27, 2021, 01:41:35 AM »
I was able to turn off certificate checking by doing this:

Quote
$config['imap_conn_options'] = array(
'ssl' => array('verify_peer' => false, 'verify_peer_name' => false),
'tls' => array('verify_peer' => false, 'verify_peer_name' => false));

$config['smtp_conn_options'] = array(
'ssl' => array('verify_peer' => false, 'verify_peer_name' => false),
'tls' => array('verify_peer' => false, 'verify_peer_name' => false));

When I try sending mails, I get this:

Quote
Jul 27 07:19:21 vm198666 postfix/smtpd[29759]: warning: cannot get RSA certificate from file "/etc/postfix/ssl/mail.kreine.com.csr": disabling TLS support
Jul 27 07:19:21 vm198666 postfix/smtpd[29759]: warning: TLS library problem: error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE:
Jul 27 07:19:21 vm198666 postfix/smtpd[29759]: warning: TLS library problem: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib:../ssl/ssl_rsa.c:622:
Jul 27 07:24:32 vm198666 opendkim[25228]: C3AB4409A1: key retrieval failed (s=sign, d=sendpulse.me): 'sign._domainkey.sendpulse.me' query timed out
Jul 27 07:37:36 vm198666 postfix/submission/smtpd[29871]: warning: cannot get RSA certificate from file "/etc/postfix/ssl/mail.kreine.com.csr": disabling TLS support
Jul 27 07:37:36 vm198666 postfix/submission/smtpd[29871]: warning: TLS library problem: error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE:
Jul 27 07:37:36 vm198666 postfix/submission/smtpd[29871]: warning: TLS library problem: error:140DC009:SSL routines:use_certificate_chain_file:PEM lib:../ssl/ssl_rsa.c:622:

Yeah, I do understand what it says; however, I DO NOT understand how to accomplish this)))
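
Added example, not part of the original posts: the Postfix warnings above ("no start line ... Expecting: TRUSTED CERTIFICATE") are what OpenSSL reports when `smtpd_tls_cert_file` names a file that holds no certificate, and a `.csr` is a certificate signing request, not a certificate. The script below reads the PEM label of each file a `main.cf` refers to and flags that mismatch; the function names, the temporary paths and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. It reports which kind of PEM object each
# Postfix TLS parameter points at. Limits (assumptions): one "name = value" per
# line, no continuation lines, no $variable expansion.

# pem_kind FILE -> certificate | csr | private-key | unknown | missing
pem_kind() {
    [ -r "$1" ] || { echo missing; return; }
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    case "$label" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE") echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo csr ;;
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY"|"ENCRYPTED PRIVATE KEY") echo private-key ;;
        *) echo unknown ;;
    esac
}

# main_cf_value MAIN_CF PARAM -> value of the last "PARAM = value" line in the file
main_cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_postfix_tls MAIN_CF -> one line per parameter; returns 1 on any mismatch
check_postfix_tls() {
    rc=0
    for pair in smtpd_tls_cert_file:certificate smtpd_tls_key_file:private-key; do
        param=${pair%%:*}; want=${pair#*:}
        path=$(main_cf_value "$1" "$param")
        got=$(pem_kind "$path")
        if [ "$got" = "$want" ]; then
            echo "OK   $param = $path ($got)"
        else
            echo "FAIL $param = $path (expected $want, found $got)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: placeholder PEM bodies, same parameter layout as the main.cf excerpt.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'AAAA' '-----END CERTIFICATE REQUEST-----' > "$demo/mail.csr"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' '-----END PRIVATE KEY-----' > "$demo/mail.key"
printf '%s\n' "smtpd_tls_key_file = $demo/mail.key" "smtpd_tls_cert_file = $demo/mail.csr" > "$demo/main.cf"
check_postfix_tls "$demo/main.cf" || echo "certificate parameter does not point at a certificate"
```

A CSR can be self-signed into a certificate with `openssl x509 -req -in NAME.csr -signkey NAME.key -out NAME.crt -days 365` (`NAME` is a placeholder), and `smtpd_tls_cert_file` then has to name the resulting `.crt` file.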