Cert NOT VALIDATED: self signed certificate

Sverre

New Member
Nov 17, 2016
Hello,
I am in the process of importing a public SSL certificate into the Mail Gateway, but I'm running into some problems.

1. I made a wildcard cert request from a Microsoft IIS.
2. After sending over the request to my Public CA (Buypass) I got back a .pem file containing two certificates.
3. Then imported the .pem file to IIS and exported it as a PKCS#12 .pfx file
4. Used OpenSSL to convert the pfx file to "key.pem" and "cert.pem"
5. Imported the two files to ProxMox using cat key.pem cert.pem >/etc/apache2/apache.pem  /etc/init.d/apache2 restart

Now my admin-website is happy and reports that the certificate is valid.

The problem is that when I try to use, for example, checkTLS.com to verify that the TLS connection is OK, I get this reply.
****************************************************
Checking post@mydomain.com

looking up MX hosts on domain "mydomain.com"

  1. mx.mydomain.com (preference:10)


Trying TLS on mx.mydomain.com[xxx] (10):

seconds test stage and result
[000.129] Connected to server
[000.492] <-- 220 mx.mydomain.com mx.mydomain.com
[000.493] We are allowed to connect
[000.493] --> EHLO checktls.com
[000.623] <-- 250-mx.mydomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
[000.623] We can use this server
[000.623] TLS is an option on this server
[000.624] --> STARTTLS
[000.754] <-- 220 2.0.0 Ready to start TLS
[000.754] STARTTLS command works on this server
[001.056] SSLVersion in use: TLSv1
[001.056] Cipher in use: AES128-SHA
[001.057] Connection converted to SSL
[001.130]
Certificate 1 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com

[001.149]
Certificate 2 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com

[001.150] Cert NOT VALIDATED: self signed certificate
[001.150] So email is encrypted but the domain is not verified
[001.150] Cert Hostname DOES NOT VERIFY (mx.mydomain.com != *.mydomain.com)
[001.150] (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)

[001.150] So email is encrypted but the host is not verified
[001.151] ~~> EHLO checktls.com
[001.273] <~~ 250-mx.mydomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250 8BITMIME
[001.273] TLS successfully started on this server
[001.273] ~~> MAIL FROM:<test@checktls.com>
[001.394] <~~ 250 2.1.0 Ok
[001.395] Sender is OK
[001.395] ~~> RCPT TO:<post@mydomain.com>
[001.634] <~~ 250 2.1.5 Ok
[001.635] Recipient OK, E-mail address proofed
[001.635] ~~> QUIT
[001.757] <~~ 221 2.0.0 Bye
*********************************************************************

Obviously the problem is still that the certificate is self-signed, but there is also the question about the "Cert Hostname DOES NOT VERIFY" with the wildcard...

Does anybody know how, where and what I need to do to get this to work?

BR
Sverre
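As an added illustration (not code from the thread, from Proxmox or from checkTLS), a small Python parser for the checkTLS report format quoted above: it extracts the presented chain and applies the two checks behind the "Cert NOT VALIDATED: self signed certificate" line, namely whether the leaf's issuer is its own subject and whether each issuer is the subject of the next certificate, contrasting the self-signed chain from this post with the CA-issued chain quoted later in the thread. The report strings are constructed from the thread's excerpts.

```python
import re
from typing import Dict, List

# Constructed excerpts in the checkTLS.com report format quoted in this thread (not live captures).
SELF_SIGNED_REPORT = """\
[001.130]
Certificate 1 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
[001.149]
Certificate 2 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
"""
PUBLIC_CA_REPORT = """\
Certificate 1 of 3 in chain:
subject= /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com
issuer= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
Certificate 2 of 3 in chain:
subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
"""

# One "Certificate N of M in chain:" block: the subject line, then the issuer line.
CERT_RE = re.compile(
    r"Certificate \d+ of \d+ in chain:\s+subject= (?P<subject>.+)\s+issuer= (?P<issuer>.+)"
)

def parse_chain(report: str) -> List[Dict[str, str]]:
    """Return the presented certificates (subject, issuer) in the order the server sent them."""
    return [m.groupdict() for m in CERT_RE.finditer(report)]

def analyse_chain(report: str) -> Dict[str, object]:
    """Leaf must not be self-signed; each cert's issuer must be the next cert's subject."""
    chain = parse_chain(report)
    if not chain:
        raise ValueError("no certificates found in report")
    leaf, root = chain[0], chain[-1]
    cn = re.search(r"/CN=([^/]+)", leaf["subject"])
    return {
        "leaf_cn": cn.group(1) if cn else None,
        "leaf_self_signed": leaf["subject"] == leaf["issuer"],
        "chain_links": all(c["issuer"] == n["subject"] for c, n in zip(chain, chain[1:])),
        "root_self_signed": root["subject"] == root["issuer"],
        "distinct_certs": len({c["subject"] for c in chain}),
    }
```

A chain whose leaf is self-signed (as in the first report) can never validate against a public root no matter which files were concatenated for Apache, because the mail service is presenting a different certificate than the web interface.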
 
First you talk about the certificate for the apache2 webserver, but then you test TLS (postfix).
 
Yes. I was explaining the SSL cert-request process I went through and that the certificate works for the admin-website after importing it using the cat key.pem cert.pem >/etc/apache2/apache.pem  /etc/init.d/apache2 restart command.

But I also need to use the certificate so the Mail Gateway will respond to TLS with my valid public certificate and not the self-signed one that the TLS test in my last post shows.

Look at the checktls.com log when I run the test on mailbox@nrk.no. That mail gateway responds with a valid certificate from CyberTrust.
My cert is from Buypass, but how do I configure the Mail gateway to use it?
*******************************
TLS is an option on this server
[007.572] --> STARTTLS
[007.707] <-- 220 2.0.0 SMTP server ready
[007.707] STARTTLS command works on this server
[008.022] SSLVersion in use: TLSv1.2
[008.023] Cipher in use: ECDHE-RSA-AES128-SHA256
[008.023] Connection converted to SSL
[008.930]
Certificate 1 of 3 in chain:
subject= /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com
issuer= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
[008.956]
Certificate 2 of 3 in chain:
subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[008.982]
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[008.982] Cert VALIDATED: ok
[008.982] Cert Hostname VERIFIED (nrk-no.mail.protection.outlook.com = mail.protection.outlook.com)
 
Your log shows certificates from mail.protection.outlook.com, not from the Proxmox Mail Gateway.

The current version of the Proxmox Mail Gateway does not support custom TLS certificates; this is not yet implemented.
 
The log in my second post is just an example from running checkTLS against webmail@nrk.no... see the public certificate.
subject= /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com
issuer= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2


The first post shows my log and the certificate with which the Proxmox Mail Gateway responds... self-signed... OU=Proxmox...
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com


So to my understanding the ProxMox gateway does not support installing a public TLS certificate?
If so, is there any timeline for when or if this possibility will be available?

BR.
 
No, there is no timeline for this. If you really need this, take a look at the postfix config.

Start reading here.

> cat /etc/postfix/main.cf

Please note: if you want to change a setting, you need to do this in the "template" files.

> ls -l /var/lib/proxmox/templates/

and then you have to sync this:

> proxconfig -s
 