# Dovecot certificate expired, new ones don't work [SOLVED]

## depontius

I run a one-user (me) dovecot IMAP server on my machine at work, to combine mail from several sources and make it available in the office or on the road. It's a self-supported solution, so I've also been using a self-signed certificate, since there's no way I'd be able to get a real certificate signed for my employer's domain.

Recently my certificate expired, so it's time to generate a new one. First off, I'm currently running dovecot-1.0_rc29, and I've found that there is no longer a simple mkcert.sh script in /usr/share/doc/dovecot... So I snagged the source to the old version, dovecot-1.0_rc15 and it still has the mkcert.sh script. After finding that I first have to erase the old cert/key, I build new ones.

Thunderbird doesn't like the new cert:

"Could not establish an encrypted connection because certificate presented by hostname.site.employer.com is invalid or corrupted. Error Code: -8182"

I found other instructions, HowTo's, etc, and built my own cert instead of using mkcert.sh. Same result.

Are there any tools or suggestions to help me debug this problem? The cert and key are simply a bunch of characters between "-----BEGIN..." and "-----END..." brackets - doesn't give me any information to go by. Nor have I seen anything in my logfiles that is of any help. Every debug procedure I've found for certificates seems to center around apache, reading apache logs, and may not tell spit about my particular situation.

Questions:

I'm sure I can't use my cacert.org account to sign a certificate, because I don't own the domain. I'm presuming that because my employer does have well-known certificates, that I can't get away with being my own CA, even on my one machine. Is this necessarily true?

Why did dovecot drop mkcert.sh in their latest release?

Is there some sort of "disassembler" to tell me what's in the cert, or some way to coerce thunderbird into giving me more information?

[SOLVED]

Posts later in thread explain what happened. Basically there was a change in where Dovecot looks for certs by default. In addition I appeared to have some stale data laying around. I was able to delete all Dovecot cert/key data, regenerate using the formerly-supplied mkcert.sh, point dovecot.conf appropriately, and all is well.

Unfortunately I still know nothing about debugging certificates - it's just trying blind.

----------

## elgato319

You can create a new self-signed certificate with /usr/sbin/gentestcrt.sh

Just copy the generated files to match your dovecot configuration.

----------

## depontius

*elgato319 wrote:*

> You can create a new self-signed certificate with /usr/sbin/gentestcrt.sh
>
> Just copy the generated files to match your dovecot configuration.


I don't appear to have "/usr/sbin/gentestcrt.sh". Could you do a quick equery and tell me what package it's part of?

Thanks.

----------

## elgato319

*Quote:*

> net-www/apache-2.0.59-r2 (/usr/sbin/gentestcrt.sh)


and here is the code:

```sh
#!/bin/sh
##
##  gentestcrt -- Create self-signed test certificate
##  (C) 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> and Mandrakesoft
##  Based on cca.sh script by Ralf S. Engelschall
##

#   external tools
openssl="/usr/bin/openssl"

#   some optional terminal sequences (bold on / bold off)
case $TERM in
    xterm|xterm*|vt220|vt220*)
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c", 27, 91, 49, 109); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c", 27, 91, 109); }'`
        ;;
    vt100|vt100*)
        T_MD=`echo dummy | awk '{ printf("%c%c%c%c%c%c", 27, 91, 49, 109, 0, 0); }'`
        T_ME=`echo dummy | awk '{ printf("%c%c%c%c%c", 27, 91, 109, 0, 0); }'`
        ;;
    *)  # any other terminal: no highlighting (the original used "default)", which never matches)
        T_MD=''
        T_ME=''
        ;;
esac

#   find some random files
#   (do not use /dev/random here, because this device
#   doesn't work as expected on all platforms)
randfiles=''
for file in /var/log/messages /var/adm/messages \
            /kernel /vmunix /vmlinuz \
            /etc/hosts /etc/resolv.conf; do
    if [ -f $file ]; then
        if [ ".$randfiles" = . ]; then
            randfiles="$file"
        else
            randfiles="${randfiles}:$file"
        fi
    fi
done

echo "${T_MD}maketestcrt -- Create self-signed test certificate${T_ME}"
echo "(C) 2001 Jean-Michel Dault <jmdault@mandrakesoft.com> and Mandrakesoft"
echo "Based on cca.sh script by Ralf S. Engelschall"
echo ""

#   move the placeholder "DUMMY" cert/key shipped with the package out of the way
grep -q -s DUMMY server.crt && mv server.crt server.crt.dummy
grep -q -s DUMMY server.key && mv server.key server.key.dummy
echo ""
echo ""
if [ ! -e ./server.crt -a ! -e ./server.key ];then
   echo "Will create server.key and server.crt in `pwd`"
else
   echo "server.key and server.crt already exist, dying"
   exit
fi
echo ""

#   work in a private temporary directory
mkdir -p /tmp/tmpssl-$$
pushd /tmp/tmpssl-$$ > /dev/null
    echo "${T_MD}INITIALIZATION${T_ME}"
    echo ""
    echo "${T_MD}Generating custom Certificate Authority (CA)${T_ME}"
    echo "

----------

## depontius

*elgato319 wrote:*

> You can create a new self-signed certificate with /usr/sbin/gentestcrt.sh
>
> Just copy the generated files to match your dovecot configuration.


Thanks for the assistance and the copy of the script, but it gives the exact same results.

Does anyone know of any tools to debug a certificate? 

It just FAILS and gives no meaningful information.

----------

## b3cks

I had exactly the same problem after upgrading Dovecot from rc15 to rc29.

The generated certificate by emerge didn't work as well as some generated by hand or other scripts.

I don't know why but the gentestcrt.sh script generates a cert that works for me.

Thanks to elgato319 for posting it!

By the way there is already a hint in this bug report: https://bugs.gentoo.org/show_bug.cgi?id=163851

----------

## depontius

*b3cks wrote:*

> I had exactly the same problem after upgrading Dovecot from rc15 to rc29.
>
> The generated certificate by emerge didn't work as well as some generated by hand or other scripts.
>
> I don't know why but the gentestcrt.sh script generates a cert that works for me.
> ...


Still no-go for me, even after altering dovecot.conf to point to the gentestcrt.sh certificate. One question, though... gentestcrt.sh generated "server.crt" and "server.key" which I moved to "/etc/ssl/certs/dovecot.pem" and "/etc/ssl/private/dovecot.pem", respectively. Both the name and the file extensions changed, in both cases.

Is that a no-no?

Should I have done some other sort of openssl action to turn the .crt into a .pem?

Is this crap defined somewhere in some simple fashion?

So far it seems to me like you either become an expert, or follow instructions like an idiot, which is what I'm doing. There doesn't seem to be a graceful learning curve here, or a way to become knowledgeable enough, though not an expert.
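The questions above (how to see what is in a cert, whether renaming .crt to .pem matters, why a freshly generated pair still fails) can all be answered with openssl on the command line. The following is an added example, not from any post in this thread: it builds a constructed self-signed pair for a placeholder hostname and then runs the four checks a defender would do before pointing dovecot.conf at a cert. It assumes openssl is on the PATH; paths and hostnames are placeholders.

```sh
#!/bin/sh
# Added example: sanity-check a PEM cert/key pair before handing it to Dovecot.
set -u

# Constructed test data: a self-signed cert/key for $2, valid $3 days, in dir $1.
# For a real check, point the functions below at e.g. /etc/ssl/certs/dovecot.pem
# and the key under /etc/ssl/private instead.
make_test_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -keyout "$1/dovecot.key" -out "$1/dovecot.pem" >/dev/null 2>&1
}

# 1. Does the file parse as a PEM X.509 certificate at all?
#    (PEM is the encoding; renaming server.crt to dovecot.pem changes nothing.)
cert_parses() { openssl x509 -noout -in "$1" >/dev/null 2>&1; }

# 2. Is the cert still valid for at least $2 more seconds? (expiry was the
#    original symptom; -checkend exits non-zero if it expires within $2 s)
cert_not_expiring() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; }

# 3. Do cert and key belong together? A new cert next to a stale key (or the
#    reverse) is exactly the "something stale laying around" failure mode.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 4. Does the subject CN name the host the mail client connects to? Thunderbird
#    compares the presented name against the hostname it was given.
cert_names_host() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2"
}

# The "disassembler" asked for in the thread: a human-readable dump of the cert.
dump_cert() { openssl x509 -noout -text -in "$1"; }
```

The dump shows issuer, subject, validity dates and extensions; `openssl s_client -connect host:993` shows what the running Dovecot actually presents, which is the quickest way to spot a dovecot.conf pointing at the wrong file.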

----------

## HeissFuss

I did the exact same thing and it's working fine for me. It would have been nice if they'd pointed out this config change though, as I spent a while debugging.

----------

## depontius

*HeissFuss wrote:*

> I did the exact same thing and it's working fine for me. It would have been nice if they'd pointed out this config change though, as I spent a while debugging.


Thanks to all.

I basically ripped out all of the old certs and keys out of /etc/ssl, rebuilt a new self-signed cert using the mkcert.sh from the older dovecot, and this time it all worked. I guess there was still something stale laying around.

----------

## elgato319

Getting SSL Certificates to work was a real pain in the ass.

Until I did it like this: https://forums.gentoo.org/viewtopic-t-539757-highlight-.html

Now I'm using one wildcard certificate for my domain/subdomains and for all services that can make use of it.

Apache2/PureFTPd/IRC/Postfix/Dovecot ....

----------

## depontius

*elgato319 wrote:*

> Getting SSL Certificates to work was a real pain in the ass.
>
> Until I did it like this: https://forums.gentoo.org/viewtopic-t-539757-highlight-.html
>
> Now I'm using one wildcard certificate for my domain/subdomains and for all services that can make use of it.
> ...


For home use, I'm migrating to CACert, as mentioned in the thread. My problem here is that this is my employer's machine, and the server is my use only. Therefore I don't control the domain, and can't get a CACert certificate. Self-signed or my own one-use CA is my only option for this case.

----------

