[horde] S/Mime not verified
Vilius Šumskas
vilius at lnk.lt
Thu May 31 14:49:06 UTC 2012
> >>>>>> To "verify" the certificate you need a matching trusted root-CA
> >>>>>> and all sub-CAs involved to verify the whole chain. I guess you
> >>>>>> either don't have the root-CA on your system or Horde is not
> >>>>>> able to access the path with root-CAs.
> >>>>>
> >>>>> Thank you for the information.
> >>>>>
> >>>>> In my vHost I have:
> >>>>>
> >>>>> SSLEngine On
> >>>>> #SSLCertificateKeyFile /root/certscreate/psw2008.key
> >>>>> SSLCACertificateFile /etc/httpd/conf.d/certificates/cabundle.crt
> >>>>> SSLCertificateKeyFile /etc/httpd/conf.d/certificates/mauser.info.key
> >>>>> SSLCertificateFile /etc/httpd/conf.d//certificates/mauser.info.crt
> >>>>>
> >>>>>
> >>>>> Is this the right thing at the right place?
> >>>>> And if so, are there any rights I have to give this vHost or
> >>>>> something else?
> >>>>
> >>>>
> >>>> No, this is for the webserver's ssl support.
> >>>>
> >>>> Make sure you have configured OpenSSL support in horde's config.
> >>>> Specifically, the location of the root certificates bundle.
> >>>
> >>> If a directory is specified, then it must be a correctly formed
> >>> hashed directory as the openssl command would use.
> >>>
> >>> Since /etc/ssl/certs is a directory, what does it mean 'it must be
> >>> a correctly formed hashed directory' ?
> >>
> >> Just use full path of the CA bundle instead of directory.
> >
> > Using '/etc/pki/tls/certs/ca-bundle.crt' and restarting the
> > webserver and relogin did not help.
>
> Still got not all right ^^
>
> As I got a CACert S/MIME Mail right now which cannot be verified I
> downloaded the class3.crt from cacert.org and saved it in
> /etc/ssl/certs but it did not help.
>
> Isn't it so that I just have to save certs I need in /etc/ssl/certs to
> have Horde grab it?
>
> In Horde I switched back and set it to /etc/ssl/certs which works OK
> now for all other S/MIME mails.
>
> Any idea for that one? :)
Basically what you need to do is add all CAs of your certificates to the CA bundle. There are two ways of doing so:
1) http://www.hordgroup.com/tech_resources/2010/12/add-internal-root-ca-to-centos.html and then specify a full path to that *file*.
2) You can add CA certificates to the same folder and then hash the directory. And then specify a full path to that *directory*. You can find more about what 'hash the directory' means in the OpenSSL documentation.
--
Vilius
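
What "hash the directory" in option 2 means, as an added example that is not part of the original thread: OpenSSL finds a CA in a directory only through a file named `<subject-hash>.<n>`, so a certificate merely copied into the directory is never consulted. The helper name `hash_ca_dir` and the throwaway CA and signer certificates are constructed for this demonstration; `c_rehash` or `openssl rehash` do the same job on a real system.

```shell
#!/bin/sh
# Create the <subject-hash>.<n> symlinks OpenSSL uses for -CApath lookups.
hash_ca_dir() {
    dir=$1
    for cert in "$dir"/*.crt "$dir"/*.pem; do
        # Skip unmatched globs and existing symlinks.
        [ -f "$cert" ] && [ ! -L "$cert" ] || continue
        h=$(openssl x509 -noout -hash -in "$cert" 2>/dev/null) || continue
        n=0
        # Two different CAs may share a hash: take the next free suffix,
        # but do nothing if a link to this very file already exists.
        while [ -e "$dir/$h.$n" ]; do
            [ "$dir/$h.$n" -ef "$cert" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$h.$n"
    done
}

# Verify a signer certificate against a CA directory before and after hashing.
demo() {
    t=$(mktemp -d) && mkdir "$t/ca" || return 1
    # Constructed sample data: a throwaway CA and a certificate it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$t/ca.key" -out "$t/ca/demo-ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-signer" \
        -keyout "$t/leaf.key" -out "$t/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$t/leaf.csr" -CA "$t/ca/demo-ca.crt" \
        -CAkey "$t/ca.key" -set_serial 1 -days 1 -out "$t/leaf.crt" 2>/dev/null
    before=fail
    after=fail
    # The CA file is present in the directory, but no hash link exists yet.
    openssl verify -CApath "$t/ca" "$t/leaf.crt" >/dev/null 2>&1 && before=ok
    hash_ca_dir "$t/ca"
    openssl verify -CApath "$t/ca" "$t/leaf.crt" >/dev/null 2>&1 && after=ok
    rm -rf "$t"
    echo "before=$before after=$after"
}

demo
```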