How to renew an expired self-signed SSL pem certificate on QMAIL toaster and QMAIL rocks
On one of the QMAIL servers I had installed a very long time ago, clients notified me that the mail server's certificate had expired, so I had to renew the certificate quickly.
On this qmail installation the SSL certificates were located in /var/qmail/control under the names servercert.key and servercert.pem.
Renewing the certificates with new self-signed ones is pretty straightforward; to renew them I had to issue the following commands:
1. Generate a passphrase-encrypted (DES3) 1024-bit RSA server key
debian:~# cd /var/qmail/control
debian:/var/qmail/control# openssl genrsa -des3 -out servercert.key.enc 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for servercert.key.enc:
Verifying - Enter pass phrase for servercert.key.enc:
At the Enter pass phrase for servercert.key.enc prompt I typed my key password twice. Any password works here, though using a strong one is better. (Keep in mind that 1024-bit RSA keys are considered weak today; 2048 bits or more is the usual minimum for a new key.)
2. Generate the servercert.key file (the same key with the passphrase removed)
debian:/var/qmail/control# openssl rsa -in servercert.key.enc -out servercert.key
Enter pass phrase for servercert.key.enc:
writing RSA key
3. Generate the certificate request
debian:/var/qmail/control# openssl req -new -key servercert.key -out servercert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:
Email Address []:admin@adminmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
In the above prompts it is necessary to fill in the company name and location, as each prompt clearly states. The Common Name field is where the mail server's host name belongs, since mail clients compare it against the host they connect to.
4. Sign the just generated certificate request
debian:/var/qmail/control# openssl x509 -req -days 9999 -in servercert.csr -signkey servercert.key -out servercert.crt
Notice the option -days 9999: it instructs the newly generated self-signed certificate to be valid for 9999 days, which is quite a long time. The reason the previously generated self-signed certificate expired was that it was built for only 365 days.
Finally, to load the new certificate, a restart of qmail is required:
5. Restart qmail server
debian:/var/qmail/control# qmailctl restart
Restarting qmail:
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
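The same renewal done non-interactively, plus an expiry check so the next expiry is noticed before clients report it. This is an added example, not code from the original post; it assumes openssl and GNU date are installed, and the directory, host name and DN values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the renewal above done
# non-interactively, plus an expiry check so the next expiry is noticed
# before clients report it. Assumes openssl and GNU date are installed;
# the directory, host name and DN values are placeholders.
set -eu

# Create a new key and self-signed certificate in $1 for host $2, valid
# for $3 days. Uses 2048-bit RSA (the post's 1024 bits is below today's
# minimum) and puts the host name in CN, which mail clients check.
gen_selfsigned() {
  dir=$1; host=$2; days=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -keyout "$dir/servercert.key" -out "$dir/servercert.crt" \
    -subj "/C=UK/ST=London/L=London/O=My Company/CN=$host" 2>/dev/null
  # Assumption: qmail's TLS patch reads key and certificate concatenated
  # into servercert.pem; check the qmail-smtpdssl run script if unsure.
  cat "$dir/servercert.key" "$dir/servercert.crt" > "$dir/servercert.pem"
  chmod 600 "$dir/servercert.key" "$dir/servercert.pem"
}

# Print the number of whole days until the certificate in $1 expires.
days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_s=$(date -d "$end" +%s)
  now_s=$(date +%s)
  echo $(( (end_s - now_s) / 86400 ))
}

# Succeed (exit 0) when the certificate in $1 expires within $2 days,
# so it can drive a cron job or monitoring check.
expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); then
    return 1          # still valid past the window
  fi
  return 0
}

# Usage: gen_selfsigned /var/qmail/control mail.example.com 9999
# then:  expires_within /var/qmail/control/servercert.crt 30 && echo "renew soon"
```

Run the expiry check from cron with a window of a few weeks, which is enough lead time to renew before the 365-day surprise described above repeats.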
Test the newly installed certificate
To test the newly installed SSL certificate, use the following commands:
debian:~# openssl s_client -crlf -connect localhost:465 -quiet
depth=0 /C=UK/ST=London/L=London/O=My Org/OU=My Company/emailAddress=admin@adminmail.com
verify error:num=18:self signed certificate
verify return:1
...
debian:~# openssl s_client -starttls smtp -crlf -connect localhost:25 -quiet
depth=0 /C=UK/ST=London/L=London/O=My Org/OU=My Company/emailAddress=admin@adminmail.com
verify error:num=18:self signed certificate
verify return:1
250 AUTH LOGIN PLAIN CRAM-MD5
...
If an error like 32943:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607 is returned, this means the SSL variable in the qmail-smtpdssl/run script is set to 0.
To solve this error, change SSL=0 to SSL=1 in /var/qmail/supervise/qmail-smtpdssl/run and run qmailctl restart.
The verify error:num=18:self signed certificate line followed by verify return:1 is perfectly fine; it is more of a warning than an error, as it just reports that the certificate is self-signed.