Adding IIS Generated SSL to HMS

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-13 12:35

I've looked at how to add ssl to hms. It seems like I can do it using openssl but I've already created a cert file making a request from iis and my certificate authority sent me the file. I don't have a private key file. Can I use it with hmailserver? I'm new to this ssl thing so if you want to help please write it as clear as you can.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-14 17:21

You should have received a *.pfx file from your CA, haven't you? Or you could export one with certmgr.msc, check "export private key". Now you can convert this PKCS#12 file to a PEM with:

openssl pkcs12 -in yourfile.pfx -out yournewfile.pem -nodes

Then you have a PEM-File including 2 sections:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

and

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The tricky thing is to split this file into 2 separate files. You can do it with a good editor. I had no luck using Windows Notepad. Remove all extra text from these files outside the lines with the dashes.
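
The split described in the post above, done by a script instead of an editor. This is an added example, not part of the original thread: `split_pem`, `server.key` and `server.cer` are hypothetical names, and the sample input is constructed placeholder data, not a real key or certificate.

```python
import base64
import re
import sys

# One PEM block; the backreference forces the BEGIN and END labels to agree.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return (key_pem, [cert_pem, ...]) from `openssl pkcs12 -nodes` output."""
    # Text outside the dashed lines ("Bag Attributes", "subject=", ...) is
    # dropped; each block is re-emitted with LF endings and 64-char rows.
    key, certs = None, []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
            raise ValueError("private key is still password protected")
        # validate=True rejects stray characters an editor may have inserted
        raw = base64.b64decode("".join(body.split()), validate=True)
        b64 = base64.b64encode(raw).decode("ascii")
        rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        block = "\n".join(
            [f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])
        if label.endswith("PRIVATE KEY"):
            if key is not None:
                raise ValueError("more than one private key in input")
            key = block
        elif label == "CERTIFICATE":
            certs.append(block)
    if key is None or not certs:
        raise ValueError("need one private key and at least one certificate")
    return key, certs

# Constructed sample: placeholder bytes, not a real key or certificate.
SAMPLE = ("Bag Attributes\r\n    localKeyID: 01 00 00 00\r\n"
          "-----BEGIN RSA PRIVATE KEY-----\r\n"
          + base64.b64encode(b"constructed key bytes").decode() + "\r\n"
          "-----END RSA PRIVATE KEY-----\r\n"
          "Bag Attributes\r\nsubject=/CN=mail.domain.com\r\n"
          "-----BEGIN CERTIFICATE-----\r\n"
          + base64.b64encode(b"constructed cert bytes").decode() + "\r\n"
          "-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    # Usage: python split_pem.py yournewfile.pem server.key server.cer
    with open(sys.argv[1], newline="") as fh:
        key, certs = split_pem(fh.read())
    for path, data in ((sys.argv[2], key), (sys.argv[3], "".join(certs))):
        with open(path, "w", newline="\n") as fh:
            fh.write(data)
```

Because `-nodes` leaves the private key unencrypted, the resulting key file should be readable only by the account the mail server runs as. All certificates found are written to the certificate file in input order.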

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-14 18:02

I've extracted pfx file with certmgr.
I've created the pem file.
I was able to remove extra texts with ms word, there seems to be no problem.
And what?
Will I make two different files, what extension will I give? Or will I directly use this pem file as private key file?
Thank you for your help. I'll google for this last part, it seems like the big part of the problem is solved.

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-14 18:30

Removed the unnecessary lines, showed pem as private key file, it seems like working.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-15 13:20

Extensions should be equal, but they are often named *.key and *.cer.

Did you split the file? Or did you show the PEM file as key AND as cert file? This worked? Interesting. Could you describe it more exactly? If splitting was not necessary, it would be much easier. Had you tried it without removing unnecessary text?

(my intention is an as-short-as-possible "how to" for the section "tips and tricks" of this forum)

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-15 15:42

After a restart of the server I began getting the same errors. Maybe it was because I didn't restart hmailserver service after adding cert files. I don't know. As a result it didn't work with pem file.
I've split the file, gave the extensions you've told. It seems like it's working, for now :)

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-15 15:49

Have you restarted the server yet? *lol* Are you sure it works?

... I wondered that you had success with 1 file ... but it should work as described.

Can you confirm this?

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-15 15:54

There's one interesting thing.

Yesterday I showed cert file and pem file and created mail accounts. I added those accounts to thunderbird and settings came automatically (465-993 ports and ssl). If you know thunderbird there was green light showing that everything is ok...

Now after splitting pem file and showing new created key and cer files to hmailserver; imap comes with green light again but in smtp settings it says untrusted certificate with an orange light...

I'm working on it but things become annoying.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-15 16:12

You can test it also with IE. Browsers are a little more verbose about certificates. Connect to 993 and 465. If you don't get a certificate error, everything is ok (of course there is no further communication).

Are you sure you're using the same certificates on 993 and 465? hMailserver is able to use different certs on different ports...

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-15 16:22

I'm using the same domain name (mail.domain.com) for both smtp and imap, and I have 1 certificate for mail.domain.com.
Is it important to use different certificates for different protocols? I use the same certificate for both of them.
And how can I test it with ie?

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-15 16:36

https://mail.domain.com:465

No, different certs aren't necessary if both ports are connected via the same DNS name. Are you sure you use mail.domain.com in thunderbird for both, smtp and imap? If your smtp tries to connect directly to IP or smtp.domain.com, or whatever, your cert isn't valid.

Do you use the f***ing auto-configuration of Thunderbird 2.0? Drop it, configure it manually. (What green lights are you talking about?)

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-15 16:51

Internet Explorer cannot display the webpage...

I'm sure, I use only mail.domain.com, I didn't add any other dns records.

I use f***ing auto-configuration of Thunderbird 2.0 :) It didn't cause any problem before.

If you add a new e-mail account and wait for thunderbird to get settings, if it finds valid settings there's a green light near smtp/imap/pop settings. If there's problem with settings like no ssl or untrusted certificate, there's an orange light, if it can't find any settings there's no light...

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-15 16:58

robinson crusoe wrote: Internet Explorer cannot display the webpage...
Of course not. It's only to check the certs on both ports. There is nothing to display, it's smtp and imap...

To be sure please configure SMTP and IMAP manually. It seems to have less to do with your initial post. Feel free to open a new thread :)

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-15 17:10

Thank you for all your help.

As a result I added separated files to hmailserver.

I created a new account.

Thunderbird auto-configured account settings, without any problem.

I sent mail, I received mail with this account. There seems to be no problem.

pepsi
Senior user
Posts: 419
Joined: 2008-08-21 20:58
Location: Netherlands

Re: Adding IIS Generated SSL to HMS

Post by pepsi » 2010-09-16 11:37

robinson crusoe wrote: I was able to remove extra texts with ms word, there seems to be no problem.
Never use MS Word for a plain text editor. It will mess with the line endings and the text format.
Use notepad or notepad++ or notepad2 (and yes there are more good programs)

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Adding IIS Generated SSL to HMS

Post by dzekas » 2010-09-16 11:55

pepsi wrote: use notepad or notepad++ or notepad2 (and yes there are more good programs)
Windows notepad can't handle files with unix line endings correctly. If you want to avoid file corruption, you can't recommend it.

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-16 12:18

I've used notepad, msword, wordpad, there seems to be a problem.

I've got openoffice on my computer. When I try to open with it, it asks character clump, language, and end paragraph with options cr&lf, cr, lf. In fact word asked me something like this but I didn't mind, it seems like the most important part :S

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Adding IIS Generated SSL to HMS

Post by ^DooM^ » 2010-09-16 12:43

They are word editors, not code apps. Use notepad++ from sourceforge.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-16 13:01

I've downloaded and used notepad++ with my old pem file.
Next I'll generate a new pem file and try to solve the problem.
In hmailserver documentation it says remove password from private key as the third step. I didn't do anything like that, is that a necessary procedure for me too? I'm asking because I didn't generate primary key file with openssl. The link is below;

http://www.hmailserver.com/documentatio ... eature_ssl

And can this splitting problem cause my other problem on this post?

http://www.hmailserver.com/forum/viewto ... =7&t=19138

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-16 16:14

No, it shouldn't be necessary to remove password from keyfile. The "-nodes" option of openssl pkcs12 should prevent this. While converting you're asked for the password from PFX-File, and not asked for a new one for the key file. If you forget the "-nodes" option, you're asked for a new password to encrypt the keyfile.

...if I understood openssl right. But I'm not all knowing.. :)

If I was wrong, yes, you had to remove the password from key file. There are many descriptions for this in internet.

And please let me know...

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-16 16:25

I asked comodo support and they answered me about the problem;

You have only installed the server certificate. Root and intermediate certificates are missing and so the certificate chain is incomplete. This is the reason for the error messages. You need to install the root and intermediate certificates in server to resolve this issue.

They sent me 3 files with crt extension. I opened certmgr and imported those certificates. And... Problem continues :)

I still get the "verify return code 21: unable to verify the first certificate" error.

I think I'm not installing my certificates correctly.

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-17 14:04

Here I made a story line for comodo support team, take a look at it, maybe you can see what I'm doing wrong...

http://www.robinsoncrusoe.me

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-19 11:52

Looks not that bad, but you didn't show the certificate paths, the chain of trust, on server side. That's the 1. important thing. If the chain is ok, the connect to your iis from localhost to localhost doesn't show any error. But the IE picture you showed, has an error. If it was from local to local, the chain is broken. If the picture is from a client, any trusted CA cert is missing or the chain is otherwise broken. If you go on with this website, you'll be able to let you show the error. But the openssl connect does it also...

The easiest way will be, to analyse first the error in the chain of trust using iis and ie. If you know what the error was, and it is fixed, and IIS shows you his startpage on https:// also from client side without error, go on. Then it'll be no problem to convert the certificate and set up hmail. Concentrate on one thing.

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-19 21:36

I added the certpath pictures under the link. I realized that there's another root certificate under certmgr. It seems like accidentally I added it twice. May it be the problem?

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-20 15:45

Your connection attempt with IE was from the same server the pictures of the valid certification paths are from? Or from another machine?

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-21 14:24

Yes. And with ktunnel I was redirected to the main site.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-21 15:12

ktunnel? Are you talking about a kind of DNS redirection? Sorry, I don't know ktunnel. But possibly this could be a source of error too...

What yes? Connect local to local or from other machine?
If the connection attempt is made from another machine, please be aware and make sure that the chain of trust must be intact on client side. (Sorry, I don't think you're stupid, I simply don't know how much you know about certificates)

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-09-21 15:26

Yes, the same server, local to local.

In fact I don't know anything about certificates and I continue this topic to make a manual "ssl for dummies" :) My English is poor so sometimes it takes a bit longer for me to understand what you say and proceed.

prisma
Senior user
Posts: 309
Joined: 2010-07-09 13:16

Re: Adding IIS Generated SSL to HMS

Post by prisma » 2010-09-21 16:39


If you'd click "continue this website", you'd be able to look beside the addressbar what exactly the problem is.

(One more Tip: You want to connect with Thunderbird to HMS? I'm not sure, but I think TB uses its own Certificate Manager, doesn't it? This could mean, even if you figured out what the problem of IE is, Thunderbird could have a problem again)

robinson crusoe
Normal user
Posts: 66
Joined: 2010-05-11 15:55

Re: Adding IIS Generated SSL to HMS

Post by robinson crusoe » 2010-10-22 15:15

After a few weeks, support team returned me and said if I want to use my ssl for mail, I have to negotiate it with namecheap. I think, the source of the problem is this, namecheap support told me that I can't use it for my mailserver.
