
SSL POP3

Discussion in 'General Discussion' started by peruda, May 20, 2003.

  1. peruda

    Hello all,

    I have a very interesting mystery that needs solving. I have WHM configured with the hostname z.peruda.com. I do not have a "real" SSL certificate set up for peruda.com; however, I do have a Thawte cert configured for the domain "secure.gati.info". When I go to connect to secure.gati.info via SSL POP3 (TCP/IP port 995), I get the [Outlook Express] error message: "Internet Security Warning. The server you are connected to is using a security certificate that could not be verified. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. Do you want to continue using this server? YES NO" The mail retrieval successfully completes upon clicking "Yes."

    While the SSL POP3 access is apparently working, of course my clients do not want to see any type of Internet Security Warning every time they check their mail! :eek: I think what must be happening is that it's using the "fake" certificate (a non-trusted cert that I generated myself) for www.peruda.com and not recognizing the valid Thawte cert for secure.gati.info. The Apache setup works great - go to https://secure.gati.info and you'll see a valid cert.

    I have tried playing with various *.pem files, stunnel config, and ipop3s config to no avail.

    Does anyone have any ideas on this? Thanks in advance!!!

    -John
    john@peruda.com

  2. casey

    Bump.

    Anybody have any suggestions? I've tried reinstalling the cert, importing the cert manually, and nothing works. I hate to just have to tell my customers, "It's okay, just ignore the message."

  3. casey

    Okay, I got it, with the help of the good people at freessl.com. This is assuming you are using ChainedSSL from freessl.com.

    Here goes:

    When you are setting up the SSL support you will need to access the stunnel
    configuration file which will probably be available at
    /usr/local/cpanel/etc/stunnel/default/stunnel.conf .

    Open the conf and locate the following directives (they may be commented out
    by #; if they are, remove the comments):

    verify=2
    CAfile=/usr/local/etc/stunnel/certs.pem
    cert=/usr/local/cpanel/etc/cpanel.pem

    Change these to:
    CAfile=/usr/local/etc/stunnel/baltimore.pem
    cert=/usr/local/cpanel/etc/yourcert.pem

    Create a new file consisting of your private key and your certificate file
    as below:

    -----BEGIN RSA PRIVATE KEY-----
    [encoded key]
    -----END RSA PRIVATE KEY-----
    [empty line]
    -----BEGIN CERTIFICATE-----
    [encoded certificate]
    -----END CERTIFICATE-----
    [empty line]

    Then save the file as yourcert.pem in the /usr/local/cpanel/etc/ directory.

    Copy the baltimore.pem file to
    /usr/local/etc/stunnel/baltimore.pem

    Restart cpanel:
    service cpanel3 restart

    You're done! You should no longer get warnings about your pop over ssl certificate.
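
An added example, not part of the original posts: a shell check for the two things this fix depends on, namely that a chained certificate only verifies when its intermediate is available, and that the private key in a yourcert.pem-style bundle belongs to the certificate in it. It assumes the openssl command-line tool is installed and that the warning came from a missing intermediate; the CA hierarchy, host name and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a constructed throwaway hierarchy
# (Example Root -> Example Intermediate -> mail.example.test); all names are
# made up. Assumes the openssl command-line tool is installed.

issue() {  # issue DIR NAME SUBJECT ISSUER EXTFILE (ISSUER = NAME: self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ "$2" = "$4" ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
            -extfile "$1/$5" -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
            -set_serial 2 -days 2 -extfile "$1/$5" -out "$1/$2.pem" 2>/dev/null
    fi
}

build_chain() {  # build_chain DIR
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
    issue "$1" root "/CN=Example Root" root ca.ext &&
    issue "$1" inter "/CN=Example Intermediate" root ca.ext &&
    issue "$1" leaf "/CN=mail.example.test" inter leaf.ext
}

make_bundle() {  # private key, blank line, certificate, blank line
    ( umask 077   # the bundle contains the private key
      { cat "$1/leaf.key"; echo; cat "$1/leaf.pem"; echo; } > "$1/yourcert.pem" )
}

key_matches_cert() {  # key_matches_cert BUNDLE: compare the two public keys
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

verifies() {  # verifies DIR [extra "openssl verify" options]; only the root is trusted
    vd=$1; shift
    openssl verify -CAfile "$vd/root.pem" "$@" "$vd/leaf.pem" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d) || exit 1
trap 'rm -rf "$d"' EXIT   # remove the throwaway keys when the script ends
build_chain "$d" && make_bundle "$d" || exit 1
verifies "$d" && echo "leaf alone: OK" || echo "leaf alone: does not verify"
verifies "$d" -untrusted "$d/inter.pem" && echo "leaf + intermediate: OK"
key_matches_cert "$d/yourcert.pem" && echo "yourcert.pem: key matches certificate"
```

On a real server, key_matches_cert can be pointed at the actual bundle file before restarting the service.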