最近,我从Namecheap购买了PositiveSSL证书。我一直想将它们应用到我的网站上,以便与iRedMail和WordPress一起使用,但我没有运气这样做。
我收到一个包含四个文件的ZIP文件,我不明白如何处理它们。 这四个文件是:
我在Postfix main.cf中对SSL的当前设置是:
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
# smtpd_tls_CAfile =
我在Dovecot dovecot.conf中对SSL的当前设置是:
ssl = required
verbose_ssl = no
#ssl_ca =
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key
我假设我打算更改这些条目以容纳新证书,但我根本不知道如何设置它。
我在生成证书时也有.key和.csr文件。
任何人都可以帮助我吗?我从来没有把这一切都搞定(我有点像Linux新手),所以我在这里完全失败了。此外,我正在运行Scientific Linux 6 64bit,如果这有任何区别。我也没有设置任何GUI(如cPanel)。
提前谢谢。
答案 0 :(得分:1)
I don't understand what to do with them. * AddTrustExternalCARoot.crt * COMODORSAAddTrustCA.crt * COMODORSADomainValidationSecureServerCA.crt * www_mydomain_com.crt
您需要为要服务的服务器构建证书链。您不能只发送终端实体(服务器证书)。以下是您如何使用提供给您的文件。
忽略这个。它是CA,客户必须已经拥有它并信任它:
按照这个特定的顺序将这三个连接成一个文件。称之为www_mydomain_com_chain.pem:
连接后,文件应如下所示:
-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
将带有连接证书的文件插入smtpd_tls_cert_file。
您可以使用以下方法测试装备。它应该以类似于Verify Result 0 (Ok)的消息结束。
openssl s_client -connect <server>:465 -CAfile AddTrustExternalCARoot.crt
注意:对于测试,选择通过SSL / TLS传输的邮件端口非常重要,例如465或995.它比-starttls选项更容易在{s_client内进行协调1}}。
相关:COMODORSADomainValidationSecureServerCA.crt实际上是一个中间证书。您可以在[Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA找到它。
相关:COMODORSAAddTrustCA.crt实际上是一个中间证书。您可以在[Intermediate #1] COMODO AddTrust Server CA找到它。
相关:最近有人使用Comodo的装备有类似的问题。请参阅SSL site and browser warning。
答案 1 :(得分:1)
服务器再次使用上面提供的配置,域名为&#34; www.lildirt.com&#34;。我再次使用DigiCert的工具进行了检查,并且仍然说我使用的是旧的自签名证书(10年后到期),但我已经改变了上面的设置。
好的,您的邮件服务器是mail.lildirt.com:
$ dig lildirt.com mx
; <<>> DiG 9.8.5-P1 <<>> lildirt.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;lildirt.com. IN MX
;; ANSWER SECTION:
lildirt.com. 1799 IN MX 10 mail.lildirt.com.
;; Query time: 109 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Mon Aug 11 18:33:49 EDT 2014
;; MSG SIZE rcvd: 50
现在,使用OpenSSL进行检查。您没有运行安全SMTP:
$ openssl s_client -connect mail.lildirt.com:465 -CAfile AddTrustExternalCARoot.crt
connect: Connection refused
connect:errno=61
你没有在995(或587和993)上启用SSL / TLS:
$ openssl s_client -connect mail.lildirt.com:995 -CAfile AddTrustExternalCARoot.crt
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
...
这是一个问题:
$ telnet mail.lildirt.com 25
Trying 107.178.109.102...
telnet: connect to address 107.178.109.102: Operation timed out
telnet: Unable to connect to remote host
Postfix是否正在运行?
服务器再次使用上面提供的配置,域名为&#34; www.lildirt.com&#34;。我再次使用DigiCert的工具进行了检查,并且仍然说我使用的是旧的自签名证书
为什么要对www.lildirt.com:443运行工具?您提出的问题是Postfix和邮件服务器配置。 www.lildirt.com与您的问题无关。
如果有兴趣,您不需要基于网络的工具。 OpenSSL为您提供了解所需的一切:
$ openssl s_client -connect www.lildirt.com:443
CONNECTED(00000003)
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify return:1
...
和
$ openssl s_client -connect www.lildirt.com:443 | openssl x509 -text -noout
...
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 17052364516268315109 (0xeca62b2e24a611e5)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
Validity
Not Before: Jun 1 21:42:41 2014 GMT
Not After : May 29 21:42:41 2024 GMT
Subject: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9a:53:ff:41:29:4f:41:01:62:40:1b:8d:98:81:
50:21:7a:c9:d6:29:fb:1d:67:68:de:9f:22:b9:36:
23:56:c4:75:aa:44:75:29:2b:84:9f:0b:0a:e4:d3:
4d:a1:94:8c:04:a4:35:f4:fa:03:1a:46:28:8c:a4:
c5:63:76:72:92:f1:a5:f8:75:cc:61:64:5b:c4:12:
70:a6:d0:da:62:b9:f2:d0:b9:65:d8:06:d9:aa:40:
21:fb:2b:df:12:e2:d3:7c:a9:0e:4e:d3:91:21:2d:
ad:d1:9c:1a:bf:fd:38:05:ef:9c:6e:61:2f:f9:22:
75:94:b1:2a:29:8b:45:b0:aa:fe:31:f3:32:9d:ce:
cc:2d:5d:e9:c6:0a:06:37:fd:ce:5d:09:1c:bf:98:
b7:d5:cc:2a:2f:e3:ba:79:a4:54:4e:70:de:dd:49:
e6:71:27:eb:14:ed:80:e1:bc:ab:04:c9:73:90:8d:
91:a7:c5:73:16:22:3d:a6:3b:84:5b:0e:a7:ec:1e:
67:c4:59:d9:76:17:37:16:02:94:d7:eb:82:e6:ae:
93:04:92:d7:2b:b4:6f:8a:d4:2b:64:77:9f:89:30:
34:a2:99:4a:f9:ac:d0:ec:c0:e0:0d:34:dc:03:53:
1e:35:96:4d:15:aa:46:70:b5:11:aa:41:84:84:00:
bc:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
X509v3 Authority Key Identifier:
keyid:1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
4b:78:ac:8d:09:a0:c1:a0:66:66:c6:6c:4e:40:75:a8:00:08:
d6:be:31:f3:0f:48:7c:2d:ed:c6:2e:b9:39:06:38:66:a3:68:
23:0a:d6:11:cf:2c:9d:18:60:37:25:a2:24:0f:9c:4a:2a:09:
cc:e0:5b:36:3b:0d:47:01:47:6e:11:5a:7e:0d:9e:aa:7d:1b:
41:3e:37:2f:b5:72:45:62:8f:cf:6f:27:d6:6f:5b:1c:bc:c7:
9a:10:85:41:6c:c9:2f:7f:c6:b5:eb:cc:8c:ca:33:4a:83:ab:
7a:fd:6b:dc:23:44:79:79:3b:8e:dd:de:77:d6:8e:e7:06:28:
53:66:b9:96:ef:ad:04:7e:dd:23:99:6e:d8:9e:c5:3a:d9:ef:
25:be:ee:90:f4:47:16:17:16:fe:37:da:f4:a9:cd:8c:54:47:
ad:ed:ce:30:69:23:ee:58:23:bb:8f:db:0a:b7:4f:fb:00:95:
34:c2:25:3a:37:20:2b:7d:3a:19:1c:ad:75:29:4e:f5:cb:de:
8d:98:54:e7:f4:1c:24:a8:62:b2:0b:3e:71:2d:1a:b9:98:59:
ca:66:ac:68:a7:a0:0a:da:8f:35:8c:d1:ba:33:1f:a4:39:bc:
fd:58:a3:67:4d:eb:c2:00:9c:36:9a:a7:58:2c:2a:f1:38:c9:
13:74:e0:04
从上面,(1)公共名称中没有DNS名称(IETF和CA /浏览器论坛都弃用了它); (2)CA:FALSE( not TRUE,因为您没有签发证书); (3)将DNS名称添加到主题备用名称(CA /浏览器论坛要求)。
请参阅SSL Certificate Verification : javax.net.ssl.SSLHandshakeException,了解如何使用主题备用名称(SAN)中的正确属性和多个DNS名称发出自签名。
这是armor-cloud.com的一个例子。这就是它应该在端口993上的安全IMAP看起来像。假设您提供安全IMAP,您应该得到几乎相似的结果。区别在于域和CA.请注意,命令以Verify Return Code: 0 (ok)完成。
$ openssl s_client -connect mail.armor-cloud.com:993 -CAfile startcom-ca.pem
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgIDEMlWMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNTI5MjIzODQy
WhcNMTUwNTMwMDYzMDAwWjBWMQswCQYDVQQGEwJVUzEdMBsGA1UEAxMUbWFpbC5h
cm1vci1jbG91ZC5jb20xKDAmBgkqhkiG9w0BCQEWGXdlYm1hc3RlckBhcm1vci1j
bG91ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSL72lQJya
JQ6vvXQpWUzAjOxuI+5u2bmBmblc7AoFDwOoFozg1aEUz5B7q/9DcJZpX8eF76JG
3E/zoU8s7pq30U1LAbg3d7Rg5OTc8bJd21BdUz8Bt3OctFxTKhddYpSkM3LjGEuR
9tRzTCY/KDFglZMBDoz4iJdHFTL3WaCCuvulaanz/zMFx2Kp4p9Jep8/BR4OtfOx
8RexSVwmjXm+CmN6npBl2cl3Li4XUKqfr9uMD24cNgom/Plt3lq4FQpGsb8k29S0
6JMJYpKXFVM/XGKNI8g3aQdxi3daQiTgngtw8r7n8nHUTIOIl/kg3dfDwSYW6sE/
LyXfjYl+XY2/AgMBAAGjggLqMIIC5jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAT
BgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUqOXcMohVao8F4j9YVhdZj98N
WxkwHwYDVR0jBBgwFoAU60I00Jiwq5/0G2sI98xkLu8OLEUwMAYDVR0RBCkwJ4IU
bWFpbC5hcm1vci1jbG91ZC5jb22CD2FybW9yLWNsb3VkLmNvbTCCAVYGA1UdIASC
AU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcC
ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUH
AgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqB
vlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENs
YXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENB
IHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2Ug
aW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4w
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1j
cmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2Nz
cC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKG
Nmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVy
LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJ
KoZIhvcNAQELBQADggEBAGN4+kuLiZdUVgNL2cjLLv5IeLhq5Ly35BKJ8SohkKdM
B2cWOC3r+iFohxRI+VvILOwh7GCuWsWWJLOd17klgWf3EF7EkYFyR4PB6m71BdRD
RTNDXw27Xw0lADMBP36f28lo8X26EJbpav7MVNK9gqbdHU/dEYfY34S9li/iXe2n
E7Resh/vPEmFuebSrpHrfUT5fWWsbZKWcEZOWJwd8nqztI/7TdI63H9O1BgrCxQ/
lL+t9HsRfoh7EjEmjYy7O4q1oFAa0RmYvsikhVJo++6gsyPKHcOKzb65RWb2RTiM
lzbvqlg3+XplAdVzzqC+M0C5JHeIXAZosWTmkgDGPHU=
-----END CERTIFICATE-----
subject=/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: E6CD57CF3A522AC3093C3A734EE8C8369F8ECD5A0C1206FB77184D481910B9B8
Session-ID-ctx:
Master-Key: 5DC080AC9627E8294A2C675D5177BFDC25B897371FEA36944CB60181B4C39D15E284DCB04A174AECCB41175430FFBFF3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 29 80 70 c1 ea 19 57 e3-25 5b ee eb 12 39 f8 c3 ).p...W.%[...9..
0010 - 97 c6 38 82 cd 4e a2 5d-ba b9 06 5f 4f 62 25 34 ..8..N.]..._Ob%4
0020 - a1 6b 49 04 8a 8b 9f d2-e7 3c 0d 63 70 ae dc aa .kI......<.cp...
0030 - 9f d5 a1 d1 e4 26 01 bb-0e 1a f7 7f 35 0e af 6b .....&......5..k
0040 - 28 70 be e0 d3 4f 93 62-c8 2c 2c 43 2a 32 71 f3 (p...O.b.,,C*2q.
0050 - 4a 1b 5a 35 4c d5 e2 e6-ad c1 65 18 42 4b 67 89 J.Z5L.....e.BKg.
0060 - 8b 97 95 dd cf 0f 3e b1-32 6e 52 a0 77 9c 86 cc ......>.2nR.w...
0070 - 47 39 b4 66 60 33 74 12-b1 25 a5 4e 71 0d 60 e5 G9.f`3t..%.Nq.`.
0080 - 79 8f a3 9c 06 a1 5b cc-a3 f7 c4 bd f4 86 77 0c y.....[.......w.
0090 - 5f 24 57 38 06 fa a2 34-57 e7 64 56 ce 73 24 ad _$W8...4W.dV.s$.
Start Time: 1407799533
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
* OK IMAPrev1