New SSL certificates from Comodo and RapidSSL don't work

Postby MC9000 » Wed Jul 31, 2019 11:17 am

I have no idea what is going on, but I can't get intermediate certificates to show up in the certificate chain anymore (this is a new problem, and I can't figure out what to do).
Does anyone have a step-by-step method for getting certificates to work with AMS?

It used to be that you would create a CSR and the Certificate Authority (CA) would send you a ROOT, an INTERMEDIATE and a SERVER certificate (mail.mydomain.com).
You install these certificates into their respective places, then export your SERVER certificate as a PFX (to get your private key), convert it to a text format (.PEM) using some utility, then split that into your private key and your cert so you can import them into AMS. Always a lengthy process, but this no longer works with Comodo or RapidSSL (I tried both and spent hours on every conceivable combination of getting AMS certs to work - you can view the cert, the intermediate and the root chain - it's friggin' perfect! YET my browser says it's missing the intermediate certificate!!!).

I can't figure out what could possibly be going on other than, perhaps, something changed in Windows Server (I'm using 2012 R2) that is screwing things up.

Anyone? (18 hours of hair pulling - I've done this dozens of times in the past and have 25 years of IT experience, and neither I nor Comodo nor RapidSSL can figure this out.)
MC9000
 
Posts: 12
Joined: Fri Dec 06, 2013 12:45 pm

Re: New SSL certificates from Comodo and RapidSSL don't work

Postby Code Crafters » Wed Jul 31, 2019 11:14 pm

Sometimes Certificate Authorities will send you the main and intermediate certificates separately.

You can usually open these in a text editor and copy and paste the intermediate one before the main certificate in the same file to create the complete certificate chain.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm
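
The point the reply above is getting at is that what matters to the browser is not which certificates are installed on the server, but which ones the server actually sends in the TLS handshake. For TLS 1.2 and earlier, RFC 5246 section 7.4.2 requires the server's own certificate to come first, followed by each issuing certificate in turn; the root can be left out because the client already trusts it. Chrome and Windows-based browsers will fetch a missing intermediate from the AIA URL embedded in the leaf certificate, while Firefox (in 2019) and most online checkers do not, so "fine everywhere except Firefox and the testers" is the usual signature of a server that ships only its own certificate. You can see what the server really sends with openssl s_client -connect host:port -showcerts. The script below is an added example, written for this page and not code from Ability Mail Server or from any poster: it takes a PEM bundle pasted together in any order, works out the leaf-first order by matching each certificate's issuer to another's subject, and refuses to build a chain file when the intermediate is absent, which is the failure the thread describes. It uses only the Python standard library (no openssl or cryptography package), so it carries its own minimal DER parser. The certificates it constructs at the bottom are unsigned shells built purely so the example runs offline; they are not real certificates and no TLS stack would accept them.

```python
"""Sort PEM certificates into the chain a TLS server must send (RFC 5246 s7.4.2:
the server's own certificate first, then each issuer) and flag a missing
intermediate. Standard library only; no openssl needed."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x55\x04\x03"  # id-at-commonName, OID 2.5.4.3

def split_pem(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def _tlv(buf, i=0):
    """Decode one DER tag-length-value at offset i -> (tag, value, next offset)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                      # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def _children(value):
    """All TLVs directly inside a constructed (SEQUENCE/SET) value."""
    out, i = [], 0
    while i < len(value):
        tag, v, i = _tlv(value, i)
        out.append((tag, v))
    return out

def _cn(name):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE { oid, value }."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)[:2]
            if oid == CN_OID:
                return val.decode()
    return None

def names(der):
    """(issuer CN, subject CN) of one DER certificate."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)             # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return _cn(fields[2][1]), _cn(fields[4][1])

def order_chain(bundle_text):
    """Leaf first, then intermediates. The self-signed root is dropped (the client
    already has it). Raises ValueError when a link in the chain is not in the bundle."""
    certs = {names(d)[1]: d for d in split_pem(bundle_text)}
    issuers = {names(d)[0] for d in certs.values()}
    leaves = [cn for cn in certs if cn not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %r" % leaves)
    chain, cn = [], leaves[0]
    while True:
        issuer, subject = names(certs[cn])
        if issuer == subject:          # reached the root
            break
        chain.append(certs[cn])
        if issuer not in certs:        # the thread's symptom: intermediate not shipped
            raise ValueError("bundle has no certificate for issuer %r; clients that do "
                             "not fetch via AIA will report a missing intermediate" % issuer)
        cn = issuer
    return chain

def build_chain_file(bundle_text):
    """Concatenated PEM in server-send order, ready to hand to the mail server."""
    return "".join(to_pem(d) for d in order_chain(bundle_text))

# Constructed sample input: unsigned certificate shells holding only the fields
# names() reads, so the example runs offline. Not real certificates.
def _enc(tag, payload):
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload

def _name(cn):
    return _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, CN_OID) + _enc(0x0C, cn.encode()))))

def sample_cert(subject, issuer):
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
           + _name(issuer) + _enc(0x30, b"") + _name(subject) + _enc(0x30, b""))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))

if __name__ == "__main__":
    leaf = to_pem(sample_cert("mail.example.test", "Example Intermediate CA"))
    inter = to_pem(sample_cert("Example Intermediate CA", "Example Root CA"))
    root = to_pem(sample_cert("Example Root CA", "Example Root CA"))
    print(build_chain_file(root + leaf + inter))   # leaf, then intermediate, root dropped
    try:
        build_chain_file(root + leaf)              # intermediate left out of the bundle
    except ValueError as err:
        print("error:", err)
```

To use it on real files, read the CA's mail.mydomain.com.crt and the intermediate(s) into one string and write build_chain_file() of that to the file the mail server loads; the private key stays in its own file. Two caveats: the example matches certificates by commonName only, which is enough for the three-certificate case in the thread but a production tool should compare the full issuer and subject DNs (or the authority/subject key identifiers) to cope with cross-signed intermediates; and some products want the file in their own order, so check the product's documentation, but the order on the wire still has to be leaf first for TLS 1.2 and earlier.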

Re: New SSL certificates from Comodo and RapidSSL don't work

Postby MC9000 » Sun Aug 11, 2019 2:29 am

It's because my version of AMS (2.72) is using TLS 1.0, apparently (this is what I was told - I have no clue how to verify this).
Curiously though, ONLY Firefox reports this!
The main and intermediate certificates have no effect on this issue, AND you can see them in the certificate chain just fine. This is a Firefox-only issue (they now report any site using TLS 1.0 & 1.1 as having "weak encryption"). All the online testers say the intermediate certificate is missing, and all of them must use some buggy system (you can see the intermediate certificate!!!).
My question is, since AMS versions before 3 don't support the latest SSL standards, if I float some money and buy the latest version, will it work with the latest standards?

You can check it here:
https://mail.infinibit.net:8100/_index
Open it in any browser other than Firefox (using version 68) and you can see the certificate chain fine. Makes no sense.
MC9000
 
Posts: 12
Joined: Fri Dec 06, 2013 12:45 pm

Re: New SSL certificates from Comodo and RapidSSL don't work

Postby Code Crafters » Tue Aug 13, 2019 6:23 pm

Yes, Ability Mail Server 4 supports up to TLS 1.2 and will support the latest, TLS 1.3, in a future update.
Code Crafters
 
Posts: 943
Joined: Mon Sep 10, 2007 2:35 pm

Re: New SSL certificates from Comodo and RapidSSL don't work

Postby EKjellquist » Fri Sep 08, 2023 6:03 pm

Old topic, but just for information's sake, I normally just use Let's Encrypt certificates with most of my sites, including AMS/AFS. Now that AMS 5.1 supports TLS 1.3 / OpenSSL 3.1.2, I will see if I can get ECC certs to work with AMS/AFS (historically they needed SHA-256-style RSA 2048/4096 certs). The nice thing about LE (and other CAs these days) is that everything is generated PEM-style, so you don't need multiple files anymore, as the subject, intermediate and CA are all together.

I'll just grab the current version of CryptLE https://github.com/do-know/Crypt-LE/releases and run something like the following to generate a PEM .cer for AMS to use (anonymized):

le64.exe -key account.key -csr mail.domain.com.csr -csr-key mail.domain.com.key -crt mail.domain.com.crt -domains "mail.domain.com" -generate-missing -handle-as dns -live


This assumes you can go into your registrar's website and add a TXT record for the subdomain above (to verify you own the domain), and it'll pop out an RSA 4096 SHA-256 cert. The following is what I use for everything else, to generate a star cert with an ECC curve:

le64.exe -key account.key -csr star.domain.com.csr -csr-key star.domain.com.key -crt star.domain.com.crt -domains "*.domain.com" -generate-missing -handle-as dns -curve default -live


As of AMS 5.0.x and before, these ECC certs wouldn't work, but I'll give it a whirl the next time I have to generate new ones...
EKjellquist
 
Posts: 96
Joined: Tue Sep 09, 2014 10:40 pm
