Linux - Software (LinuxQuestions.org forum)
I replaced an expired CA certificate (stunnel.pem) used by stunnel for a POP3 server (prepared by someone else), with a new, also self-issued certificate, and from that time on, MS Outlook clients connecting to the mailboxes start with an annoying error message saying that the validity of the certificate cannot be verified.
Is there a workaround to avoid the error message and still use a self-issued CA certificate with stunnel?
Sure, I am the illiterate, since I could not figure out what that "wintendo" you mentioned in your previous message is. Google search did not help either. So, could you give me some more details?
As concerns setting up our own CA:
I found a good document describing how to set up our own CA: http://sial.org/howto/openssl/ca/
I did all steps exactly as described in the 'CA setup' and 'Signing Certificates' section of the above mentioned document.
I imported the cacert.pem file into IE, so it is now among the root certificates known by IE. I also concatenated the host.key and cacert.pem files in stunnel.pem, and let stunnel use it.
But, when I connect to any mailbox, the following message pops up:
"A certificate chain processed correctly, but terminated in a root certificate that is not trusted by the trust provider"
Seems the CA you imported is not recognized as a root CA like those from Thawte, Verisign etc etc. Gotta check if it is in the Trusted root certificates authority tree. The "IE way" is described in the bottom half of this page. (Never thought I'd ever link to docs on the Wintendo site here). As administrator on W2K you could use the mmc and check for any cert snap-ins (msc's).
Thanks to your help, I could solve the problem.
There were two issues:
- the CAcert.pem had to be manually imported into the root certificates folder of IE
- the second issue was a bit amazing: I had to generate a new certificate for stunnel, with a CN (common name) parameter of mail.foo.bar and also had to re-configure the Outlook clients to connect to the POP3 server by the same name (mail.foo.bar) and not by IP address.
Just one more question:
Does the fact that I imported the root CAcert into MSIE clients involve a security risk?
I mean, if the windows clients are compromised, the certificate may get into the hands of unauthorized persons. If so, can they generate their own certificates that seem valid?
(This would mean that I should withdraw the old CA certificate and issue a new one any time a windows machine is compromised).