How to create client certificate

Server
1

Hello,
I tried to set up web mail "roundcube". The mail server has SSL with Let's Encrypt.

I created client certificate file with the following command:

sudo openssl pkcs12 -export -in /etc/letsencrypt/live/mail.mydomain.com/cert.pem -inkey /etc/letsencrypt/live/mail.mydomain.com/privkey.pem -out client.p12 -name roundcube -CAfile /etc/letsencrypt/live/mail.mydomain.com/fullchain.pem

And I specified client.p12 on the roundcube configuration like this:

$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
'verify_depth' => 3,
'cafile' => '/path/client.p12',
),
);

$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => true,
'verify_depth' => 3,
'cafile' => '/path/client.p12',
),
);

But roundcube says "PHP Warning: no valid certs found cafile stream: `/path/client.p12'".

I think I need to specify client certificate file to web mail.
This "client.p12" is not valid client certificate?

How can I create client certificate file?

OS: Ubuntu 16.04.1 LTS xenial
Web server: Apache/2.4.18
roundcube: version 1.2.1
PHP: 7.0.8-0ubuntu0.16.04.2

Thank you.

2

What are you trying to achieve here?

You’re setting options so your RoundCube will verify the server’s certificate, correct?

// The example below enables server certificate validation

(From RoundCube’s defaults.inc.php)

What are you trying to achieve with putting your private key in a PKCS12 format? Where did you read about these procedures?

Because the only thing you’d need to do is point cafile to chain.pem and that’s it: that way it will verify the servers certificate with Let’s Encrypts Intermediate certificate. Or it should point to the DST Root CA X3 (see https://letsencrypt.org/certificates/ somewhere in the middle) and your IMAP and SMTP server should provide the intermediate certificate (it should do that anyway).

See also: http://php.net/manual/en/context.ssl.php

3

Thank you for the reply.

I pointed to /etc/letsencrypt/live/mail.mydomain.com/chain.pem but error log said like this:

SMTP:
[18-Sep-2016 12:50:45 UTC] PHP Warning: failed loading cafile stream: `/etc/letsencrypt/live/mail.mydomain.com/chain.pem' in /var/www/secure_html/for_users/webmail/vendor/pear-pear.php.net/Net_Socket/Net/Socket.php on line 158
[18-Sep-2016 12:50:45 UTC] PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/secure_html/for_users/webmail/vendor/pear-pear.php.net/Net_Socket/Net/Socket.php on line 158
[18-Sep-2016 12:50:45 UTC] PHP Warning: stream_socket_client(): unable to connect to ssl://localhost:465 (Unknown error) in /var/www/secure_html/for_users/webmail/vendor/pear-pear.php.net/Net_Socket/Net/Socket.php on line 158
[18-Sep-2016 12:50:45 UTC] ERROR: stream_socket_client(): unable to connect to ssl://localhost:465 (Unknown error) (0)
[18-Sep-2016 12:50:45 UTC] ERROR: Failed to connect socket: stream_socket_client(): unable to connect to ssl://localhost:465 (Unknown error) ()

IMAP:
[18-Sep-2016 12:51:25 UTC] PHP Warning: failed loading cafile stream: `/etc/letsencrypt/live/mail.mydomain.com/chain.pem' in /var/www/secure_html/for_users/webmail/program/lib/Roundcube/rcube_imap_generic.php on line 948
[18-Sep-2016 12:51:25 UTC] PHP Warning: stream_socket_client(): Failed to enable crypto in /var/www/secure_html/for_users/webmail/program/lib/Roundcube/rcube_imap_generic.php on line 948
[18-Sep-2016 12:51:25 UTC] PHP Warning: stream_socket_client(): unable to connect to ssl://localhost:993 (Unknown error) in /var/www/secure_html/for_users/webmail/program/lib/Roundcube/rcube_imap_generic.php on line 948

And I tried DST Root CA X3 but got the same results.

At first, I pointed cert.pem but I got above error, so I tried another one.

4

Hmm, reading the following: http://php.net/manual/en/migration56.openssl.php it seems PHP verifies the certificates by default… So do you really need to set the cafile et cetera? Doesn’t it just work out of the box?

5

When I did not set cafile, logs/errors said like this.

SMTP:
Sep 19 14:50:42 host postfix/smtps/smtpd[31858]: connect from localhost[::1]
Sep 19 14:50:42 host postfix/smtps/smtpd[31858]: SSL_accept error from localhost[::1]: 0
Sep 19 14:50:42 host postfix/smtps/smtpd[31858]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48:
Sep 19 14:50:42 host postfix/smtps/smtpd[31858]: lost connection after CONNECT from localhost[::1]
Sep 19 14:50:42 host postfix/smtps/smtpd[31858]: disconnect from localhost[::1] commands=0/0

IMAP:
Sep 19 14:51:24 host dovecot: imap-login: Error: SSL: Stacked error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
Sep 19 14:51:24 host dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: Unknown error, session=</+Mnct08tagAAAAAAAAAAAAAAAAAAAAB>

So I guessed I have to point cafile...

6

your first log was on RoundCube side, while the second is Postfix.
my guess is your postfix certificate was not correctly set up.
for example not giving chain cert.

just my 2cent…
hope my guess correct :grin:

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.