Mail.app with a self-signed certificate in postfix/dovecot

I thought I'd post this tidbit about getting Mail.app to work correctly with a self-signed certificate in a postfix/dovecot Linux installation; in my case under Debian Lenny. After setting this up, my Mail.app refused to connect to the outgoing server to deliver mail. In the postfix logs, I would see "SSL_accept error from ...: -1". The problem ended up being that postfix uses the default "snakeoil" self-signed certificate, while dovecot creates its own. If the IMAP and SMTP hosts are the same as they were in my case, when you accept the dovecot certificate upon the first IMAP connection, the SMTP connection with a different certificate will fail. This is because after the accept there is now a known certificate for that host, and the new certificate presented by postfix will not match. To fix this, either use different hosts for IMAP and SMTP, or use the same (perhaps the "snakeoil") certificate in both the postfix and dovecot configuration.
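
The mismatch described above can be checked on the server before any mail client trips over it. The following is an added example, not part of the original post: it reads the certificate path each daemon is configured with and compares SHA-256 fingerprints. The setting names (`smtpd_tls_cert_file` for postfix, `ssl_cert_file` or `ssl_cert` for dovecot) are real but are not named in the post, and the config files and certificate bodies in `demo()` are constructed placeholders.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Real setting names (not named in the post): postfix main.cf uses
# smtpd_tls_cert_file; dovecot 1.x ssl_cert_file; dovecot 2.x "ssl_cert = </path".
POSTFIX_KEYS = ("smtpd_tls_cert_file",)
DOVECOT_KEYS = ("ssl_cert_file", "ssl_cert")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def configured_cert(config_text, keys):
    """Return the certificate path from the last uncommented 'key = value' line."""
    found = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in keys and value:
            found = value.lstrip("<").strip()  # dovecot 2.x "</path" form
    return found

def fingerprint(pem_text):
    """SHA-256 over the DER bytes of the first certificate in a PEM file."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def compare_mail_certs(postfix_conf, dovecot_conf):
    """Return (same, smtp_path, imap_path) for the certificates both daemons serve."""
    smtp_path = configured_cert(Path(postfix_conf).read_text(), POSTFIX_KEYS)
    imap_path = configured_cert(Path(dovecot_conf).read_text(), DOVECOT_KEYS)
    if smtp_path is None or imap_path is None:
        raise ValueError("certificate setting missing from a config file")
    same = fingerprint(Path(smtp_path).read_text()) == fingerprint(Path(imap_path).read_text())
    return same, smtp_path, imap_path

def _pem(payload):
    # Constructed stand-in: PEM armour around arbitrary bytes, not a real X.509 cert.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def demo():
    """Constructed layout: two different certs first, then the shared-cert fix."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        snakeoil, dovecot_pem = root / "ssl-cert-snakeoil.pem", root / "dovecot.pem"
        snakeoil.write_text(_pem(b"constructed snakeoil certificate"))
        dovecot_pem.write_text(_pem(b"constructed dovecot certificate"))
        main_cf, dovecot_conf = root / "main.cf", root / "dovecot.conf"
        main_cf.write_text(f"smtpd_tls_cert_file = {snakeoil}\n")
        dovecot_conf.write_text(f"ssl_cert_file = {dovecot_pem}\n")
        before = compare_mail_certs(main_cf, dovecot_conf)[0]
        # The fix from the post: point dovecot at the certificate postfix uses.
        dovecot_conf.write_text(f"ssl_cert_file = {snakeoil}\n")
        after = compare_mail_certs(main_cf, dovecot_conf)[0]
    return before, after

if __name__ == "__main__":
    print(demo())
```

When pointing both daemons at one certificate, the matching private key setting (`smtpd_tls_key_file` in postfix, `ssl_key_file` or `ssl_key` in dovecot) has to move with it.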

Similar Messages

  • How to access Flash Apps over https with a self signed certificate?

    I have a Flex app that needs to access data from a SOAP web service over https with a self signed certificate. The app needs to ignore the https warnings, just as a browser would warn & allow the user to proceed. Buying a valid signed certificate is not an option for us.
    It works fine over http.
    How can I achieve this?
    I read that URLRequest has a property: authenticate, that I can set to false. However, this property is available only for Adobe AIR applications from what I can see. This doesn't seem available for Flex apps.
    I have tried this in both Flex 3 & the latest Flash Builder 4. Have the same issue in both cases.
    Help appreciated.
    Thanks

    You'd really need to ask in the Flex or Flash Builder forums as this is a front end code modification and Flash Player can't do any of that.

  • Problem with placing self-signed certificate in trust store on WLS 10.3

    I have had some problems setting up two-way SSL on WLS 10.3.2.
    1. I have not been able to use the java properties listed on
    http://weblogic-wonders.com/weblogic/2010/11/09/enforce-weblogic-to-use-sun-ssl-implementation-rather-than-certicom/
    to use the native Java SSL implementation rather than the certicom. Has anyone else had success using these?
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
    -Dssl.SocketFactory.provider=com.sun.net.ssl.internal.SSLSocketFactoryImpl
    -DUseSunHttpHandler=true
    -Dweblogic.wsee.client.ssl.usejdk=true (for webservice clients)
    2. When I use the ValidateCertChain to validate my keystore with the self-signed certificate I get the message
    CA cert not marked with critical BasicConstraint indicating it is a CA
    Certificate chain is invalid
    which I read was a problem with certificates generated by keytool, yet I find I was not able to circumvent this
    by setting the property weblogic.security.SSL.enforceConstraints to off in the WLS server environment.
    Has anyone else noticed this?
    3. The error I get is
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server
    <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541204> <BEA-000000> <Exception during handshake, stack trace follows
    java.lang.NullPointerException
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.security.cert.internal.x509.X509V3CertImpl.checkValidity(Unknown Source)
    at com.certicom.tls.interfaceimpl.CertificateSupport.findInTrusted_Validity(Unknown Source)
    ####<Feb 15, 2011 1:12:21 PM EST> <Debug> <SecuritySSL> <hostname> <server> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1297793541207> <BEA-000000> <NEW ALERT with Severity: FATAL, Type: 40
    java.lang.Exception: New alert stack
    at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
    at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
    Are there other conditions besides the issue about the missing Basic Constraint field that can raise an
    alert with type 40?
    4. Steps I used to generate jks keystore for inclusion in trust keystore (actual values substituted):
    ** keytool -genkey -alias mykey -keystore mykeystore -validity 35600 \
    -dname "cn=Common Name, ou=Common Name, o=Org, l=location, s=state, c=US" \
    -storepass mypass -keypass mypass
    ** exported a DER format head certificate of mykey into mykey.cer.der
    ** keytool -import -trustcacerts -keystore DemoTrust.jks -alias mykey -file mykey.cer.der
    Any comments appreciated and thanks for this forum.

    Faisal,
    Certicom has an internal restriction that a Date must be notBefore 1970 and notAfter 2105 inclusive. The Java-generated key is valid until Wed Mar 14 11:03:59 EDT 2108. Your knowledge of this area is quite impressive, thank you so much for this!

  • Some clients migrated from 2007 are presented with the self signed certificate in 2013

    I have migrated from 2007 to 2013. I did a couple of test migrations and on the ones with domain member computers Outlook is giving a certificate warning. The certificate they are presented with is the default self signed certificate on the 2013 server.
    Even though I have added a trusted public certificate to Exchange and checked off to use with IIS.
    I see that the default certificate is also checked off to use with IIS and it can't be removed in ECS. Shouldn't this be removed from IIS altogether when adding a new certificate? And why do some clients get presented with the self signed and some with the public? For instance OWA is presented with the public cert. Also and Outlook I tested from outside the domain.
    Regards

    Only the UCC certificate should be bound to IIS.
    Are any clients using POP or IMAP, which also use SMTP?  In this case clients can be presented with the "wrong" certificate as well.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Avoid an alert with using self-signed certificate

    Hi
    I want to publish a free product and I would like to use a free self-signed certificate.
    But during installation, the Adobe Extension Manager shows an alert.
    Is there a way to avoid this alert when using a self-signed certificate (I generated the certificate with the help of Adobe Exchange Packager), or should I only use a paid code-signed certificate?
    Best regards
    Maxim

    As I understand, "Show warning when installing..." is an option available only to the end user in Extension Manager, right? It means there is no way to switch off this warning if I use the ucf.jar tool for packing ZXP and a user uses the default setting on their end. Then only one way is left - to buy a paid certificate, even for a free product. Correct?

  • In Firefox 4.0 with a Server with a self signed certificate using IPv6 I can not add a "Security Exception" for this certificate.

    In Firefox 4.0 I have a server ... it contains a self signed certificate. Using IPv6 I can not add a "Security Exception" for this certificate.
    1. I log onto the server (using IPv6). I get the "Untrusted connection page" saying "This connection is Untrusted"
    2. I click on "Add Exception.." under the "I understand the Risks" section.
    3. The "Add Security Exception" dialog comes up. Soon after the dialog comes up I get an additional "Alert" dialog saying
    An exception occured during connection to xxxxxxxxx.
    Peer's certificate issuer has been marked as not trusted by the User.
    (Error code sec_error_untrusted_issuer).
    Please note that this works in Firefox 3.6.16 (in IPv4 and IPv6). It also works in Firefox 4.0 in IPv4 only IPv6 has an issue. What's wrong?

    Exactly the same problem, except I'm using FF v6 for Windows, not FF v4 as for the lead post. This is for a self-cert which IS trusted, although the error message says it isn't.

  • Does Firefox Home work with custom servers with a self signed certificate?

    I've set up my own custom Firefox Sync server which has a self signed SSL certificate.
    When I try to connect to it using Firefox Home I get the error:
    Cannot Sync - Failed To Communicate With Server (1)
    Firefox on my Mac and Windows laptop Sync fine with my custom firefox sync server providing I create an exception first. But no such luck with my iPhone.

    Access your server with SSL using https://<servername> . Firefox will warn you about the untrusted certificate, and suggest that you add an exception. This exception will work for Firefox Sync too.

  • Server 2012 R2 - Remote Apps (RDWeb) and Self Signed Certificates!

    Hi all! I have been playing around with VM's on Microsoft Azure just to try and have some Windows Services facing externally that I can play around with and test.
    I have spun up a Windows Server 2012 R2 Server and installed Remote Desktop Services on it. I am looking to publish some remote apps and ideally I am looking to get it to work externally.
    The Server has been given an IP address which is fine, I have gone to my domain and actually set up cloud.mydomain.co.uk and DNS for this is pointing to the IP address of the server. This is all working and functioning!
    Basically if I go onto my server and connect to the RDWeb section and log in, I can see my remote apps, I can download the launcher and open them, all works great! :)
    If however, I go to https://cloud.mydomain.co.uk/RDWeb it asks me to login, I can then see my remote apps but when I click on them I get a certificate stating that the computer cannot verify the identity of the RD Gateway. 
    What am i missing....what do I need to do to get this to work?
    If there is some sort of tutorial on how to set this up, fully, from start to finish then that would be great. Otherwise any advice on this would be muchly appreciated!!
    Thanks! :)
          

    #2 sounds like we would need 2 Essentials servers and we will not have that.
    We currently have Server 2008 R2 and have 2012 Standard licenses that are not yet used.
    We have much more than 75 users total, but 75 is more than the number of users that will probably take advantage of using RD Gateway any time soon.  It will probably take time to catch on.
    If RD Gateway usage was to get super popular and more than 75 users were depending on access to it, then we could financially justify paying to buy all the CALs needed to run RD Gateway without Essentials.  Right now, they are skeptical that it will be worth spending much money on this and don't want to invest a lot of money up front.
    My understanding is that if we have 75 or fewer users using RD Gateway then we need to buy no CALs, just apply a Server Standard Edition License to the server, but if we had 76, we would need to turn off Essentials and buy 76 new CALs.
    Or would we need to add 50 CALs to the 25 that automatically come with Essentials?
    Also does "turning off" Essentials mean we would have to reinstall and redeploy the RDG or is it just a matter of enabling the RD license server and adding purchased CALs?
    No, when you buy essentials you get the right to create 25 users that access the server, when you create the 26th user you will need to have 26 CAL and RDS CAL. 

  • With the new Firefox 10.0 cannot connect to my office https portal (with a self-signed certificate)

    The connection is not possible from any computer (tested on different Windows platforms). Firefox tries to connect without apparent error. Same problem with Firefox 10.0.1. No problem with Firefox 9 (or previous versions).
    But I've used the debugger Fiddler Tool, I get this warning:
    Session #4: The remote server (###.###.###.###) presented a certificate that did not validate, due to RemoteCertificateNameMismatch, RemoteCertificateChainErrors.
    SUBJECT: CN=F1000C000920300401, OU=F1000-C, O=NETASQ - Secure Internet Connectivity, L=Villeneuve d'Ascq, S=Nord, C=FR
    ISSUER: OU=NETASQ Firewall Certification Authority, O=NETASQ - Secure Internet Connectivity, L=Villeneuve d'Ascq, S=Nord, C=FR
    EXPIRES: 29/10/2013 12:41:15
    If I acknowledge these warnings, it seems the connection is possible.
    Any ideas?

    I'm searching for the reason for this problem. And I've read that Firefox could have stopped supporting MD5-based certificates. And that is the algorithm in this case.
    Maybe this is the explanation?

  • How to register iOS device when using self signed certificate with apple Server?

    Hi,
    I have installed the Server.app by Apple and used a self signed certificate for my server. Now I want to register my different devices (iMac, iPhone etc.). I could register the iMac without problems (I just had to add my self signed certificate to the trusted certificates).
    Sadly, with the iPhone it is not that easy. I can install the "trust profile", but still after that I can not register my device. It seems like it does not accept my self signed certificate for device registration. When adding a registration profile, I get the error "www._mydomain_.tld/devicemanagement/api/device/auto_join_ota_service" is not valid.
    Nevertheless, I can install a profile with settings, e.g. my IMAP settings, via the profile management without problems.
    Does anyone have an idea how to get around the problem with the self signed certificate?
    Best regards

    Try deleting the Server.app and download it again from the App Store, restart.
    My Server is also using self signed certificates and is working with iOS device (Trust Profile needed first).

  • N97 - Mail for Exchange self signed certificate

    I would like to use my N97 for synchronizing my Nokia with my office e-mails (MfE 2003). Sync keeps on failing. I assume that my N97 does not accept the self-signed certificate we are using (unlike the iPhone and any other HTC or Windows Mobile based device). I tried to install the certificate on my Nokia - however all versions offered for conversion by my Internet Explorer are not recognized as a certificate by the N97 (either unknown format or just displayed as text).
    Can anyone help? (I am afraid I have to deal with our self-signed certificate - so there is no chance to approach the problem from that end)
    Many thanks!

    I am also having the exact same problem.  My company uses Exchange Server 2003, but I cannot get the Nokia N97 to sync using Mail for Exchange.  I too am guessing that it might be related to the fact that we are using a self signed certificate.
    When the sync failed, I tried to browse to our web exchange access on the N97 web browser, but that wouldn't work either (I have successfully been able to do this on a Sony Ericsson C905 and a BlackBerry Pearl, but the Nokia N97 says it is unable to perform the operation).
    Can anyone confirm if the issue is in fact the self signed certificate, or make any other suggestions?  I do not want to push my company down the path of getting the certificate signed if it's not going to solve the problem.
    Thanks!

  • Export extension to ZXP with self-signed certificate

    Hello,
         I am having this issue with Extension Manager not allowing the install of an extension exported from Extension Builder with a self-signed certificate. It always says that the signature is invalid, even with the sample projects exported packages. I am on Mac OS Snow Leopard. Anyone else experiencing this ?
    Regards.

  • Flyspray email notification using self signed certificates

    Hi all, I've been having an issue with flyspray sending notification emails through a SMTP server (running on localhost) which uses submission (port 587) and starttls with a self signed certificate. Whenever a notification would be sent I receive an error like the following:
    Notice: Undefined property: Swift_Transport_StreamBuffer::$_sequence in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 236
    Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/share/webapps/flyspray/includes/external/swift-mailer/classes/Swift/Transport/StreamBuffer.php on line 102
    Completely unexpected exception: Unable to connect with TLS encryption
    This should never happend, please inform Flyspray Developers
    For the time being I just disabled notification all together. But this is a pretty big problem for me as I would like to avoid having to come to the web to view bugs I'm working on. Eventually I will create my own personal CA and this problem will become a non-issue, but until the time comes I'd love a work around (preferably not too dirty if at all possible).
    Thanks for the help.

    Hi Jerome,
    The certificate may have been generated incorrectly but I would suggest logging a support case.
    Kind Regards,
    Richard Wallace
    Senior Developer Relations Engineer
    BEA Support.
    "Jerome Cahuzac" <[email protected]> wrote:
    >
    >
    >
    I want to enable HTTPS protocol with WebLogic Server 5.1
    I want to use a self signed certificate generated with the JDK keytool.
    I've successfuly generated it and exported a dummy.cer file.
    I've updated the weblogic.properties file with weblogic.security.certificate.server=dummy.cer
    and I've got this exception
    java.lang.NullPointerException:
    at weblogic.security.RSAKey.toString(RSAKey.java:203)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.security.X509.toString(X509.java:261)
    at java.lang.String.valueOf(String.java, Compiled Code)
    at java.lang.StringBuffer.append(StringBuffer.java, Compiled Code)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:206)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java, Compiled Code)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:827)
    at java.lang.reflect.Method.invoke(Native Method)
    at weblogic.Server.startServerDynamically(Server.java:99)
    at weblogic.Server.main(Server.java:65)
    at weblogic.Server.main(Server.java:55)
    at weblogic.NTServiceHelper.run(NTServiceHelper.java:19)
    at java.lang.Thread.run(Thread.java:479)
    mar. déc. 18 12:20:03 GMT+01:00 2001:<E> <SSLListenThread> Security Configuration Problem with SSL server certificate file (d:\weblogic\myserver\dummy.cer)
    What's the right way to do this ?

  • How-to install a self-signed certificate on Sony Ericsson W350

    I am a developer and I am writing a J2ME application for a Sony Ericsson W350 phone which needs to be able to use the phone's SMS capabilities.  I have a signed .jar and .jad file with a self-signed certificate.  However, the phone is still treating my application as an untrusted third party app.  I think this is occurring because my self-signed certificate isn't in the Java certificate store on the phone. Is there a way to load my self-signed certificate into the Java certificate store?  I have tried copying it over to the phone via Bluetooth and USB and installing it through the filesystem, however there isn't an option to install the certificate when browsing to it from the phone's filesystem.  Any help would be much appreciated.

    Deactivating existing Java certificates prevented me from installing the .jad file.  I accessed the phone's file system using both Sony PC Companion with USB and using the OS file browser over bluetooth.

  • Web Server 7 Admin Server and Self-Signed certificate

    Is it possible to create and install a self-signed certificate for the administration server in Sun Web Server 7? The default installation comes with a self-signed certificate but we would like to install our own certificate and not the certificate issued by "admin-ca-cert".

    As far as I know it's not a problem. You can install your own certificate. Make sure that the certificate nickname is changed accordingly in "server-cert-nickname" in the server.xml section as shown below:
    <http-listener>
      <name>admin-ssl-port</name>
      <port>2224</port>
      <server-name>alamanac.india.sun.com</server-name>
      <default-virtual-server-name>admin-server</default-virtual-server-name>
      <ssl>
        <server-cert-nickname>Admin-Server-Cert</server-cert-nickname>
      </ssl>
    </http-listener>
