[imp] What to do about the root of our certificate chain? (Solved, but software & docu could be amended)

Otto Stolz Otto.Stolz at uni-konstanz.de
Mon Jun 19 07:38:07 PDT 2006


Hello,

on 2006-05-23, I had asked "What to do about the root of our certificate
chain", as I had received the message:
 >   * Trying protocol imap/ssl, Port 993:
 >         ERROR - The server returned the following error message:
 > Certificate failure for popserver.uni-konstanz.de: self signed
 > certificate
 > in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
 > Classic - G01

Cliff Green has recommended:
> There should be a certs directory defined for OpenSSL, and that's
> where you need to put the PEM formatted version of your imap server's
> cert (or certs, if there's more than one cert or server).

At the 1st attempt, this has not worked, but now I have found a hint,
well hidden in a subordinate clause of the verify (OpenSSL) man page,
which eventually led me to the solution.

OpenSSL expects a soft link with a particular name pointing to the
root certificate. Hence, you can install a root certificate with the
following commands, under Solaris:
   su - root -c '/usr/bin/tcsh'
      cd /usr/local/ssl/certs
      set wz=dfn-classic.pem
      wget http://www.uni-konstanz.de/pki/Zertifikate/$wz
      ln -s $wz `openssl x509 -in $wz -hash | head -1`.0
      exit

The wget command gets dfn-classic.pem, the self-signed root certificate
of our chain. The openssl x509 command calculates a hash value from that
certificate, which is then used in the name OpenSSL will use to access
the certificate. It suffices to install the root certificate, as the IMAP
server will present its own certificate together with the whole chain back
to the root CA.

Thank you, Cliff, for setting me on the right track.


Still, the error message is misleading, thus in need of improvement:
It is not the server that was complaining, but rather the SSH *client*
(on the Imp/HTTP server).

Also, the documentation should mention this issue.
- Chapter "Prerequisites", section "OpenSSL Support" of
   imp-h3-4.1.1/docs/INSTALL would be a good place;
- if there is a Wiki entry on IMAP/SSL, I'd be willing to amend it
   (however, I know far too little about OpenSSL and certificates to write
   a whole article on this topic, and <http://wiki.horde.org/HordeSSLAuthHowTo>
   is devoted to another topic).

Should I formally file these suggestions under <http://bugs.horde.org/>,
or will this note suffice?

Best wishes,
   Otto Stolz
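
The procedure described above, as an added example that is not part of the original post or of Horde/IMP: a POSIX sh script (the post used tcsh) that installs a root certificate into an OpenSSL CApath directory under its subject-hash name, reproduces the post's "self signed certificate in certificate chain" error against an empty directory, and shows the chain verifying once the root is installed. The functions install_ca_cert, verify_chain and demo, the directory layout and the certificate subjects are all assumptions; the certificates are throwaway test data generated on the fly, and nothing touches /usr/local/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI.
set -eu

# install_ca_cert PEMFILE DIR
# Copies PEMFILE into DIR as <subject-hash>.<n>, where <n> is the first free
# index (0, 1, 2, ...). OpenSSL looks certificates up in a CApath by exactly
# this name, and the index lets two CAs whose subject names collide on the
# 32-bit hash coexist. A symlink, as in the post, works equally well.
# Prints the name created (or reused, if the same cert is already there).
install_ca_cert() {
    pem=$1; dir=$2
    mkdir -p "$dir"
    # -subject_hash is the CApath lookup key; -noout drops the certificate
    # body so no "head -1" is needed.
    hash=$(openssl x509 -in "$pem" -noout -subject_hash)
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if cmp -s "$pem" "$dir/$hash.$n"; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    cp "$pem" "$dir/$hash.$n"
    echo "$hash.$n"
}

# verify_chain DIR LEAF [INTERMEDIATE...]
# Returns 0 when LEAF chains to a root found in DIR. The extra certificates
# are passed as -untrusted, mirroring what an IMAP server sends alongside its
# own certificate (the whole chain, root included). -no-CAfile keeps the
# system-wide CA bundle out of the picture so only DIR counts.
verify_chain() {
    dir=$1; leaf=$2; shift 2
    untrusted=""
    for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
    # shellcheck disable=SC2086
    openssl verify -no-CAfile -CApath "$dir" $untrusted "$leaf" >/dev/null 2>&1
}

# demo: build a throwaway root CA and a server certificate signed by it
# (constructed test data), show the post's error before the root is
# installed, install it under its hash name, and verify again.
# Returns 0 when both halves behave as expected.
demo() {
    work=$(mktemp -d)
    capath=$work/certs
    mkdir -p "$capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=DE/O=Example/CN=Example Test Root" \
        -keyout "$work/root.key" -out "$work/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=popserver.example" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$work/srv.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
        -out "$work/srv.pem" 2>/dev/null

    # 1. Before: the chain the server would send (leaf + root) is rejected,
    #    and the reason is the one quoted in the post (hyphenated in OpenSSL 3).
    if verify_chain "$capath" "$work/srv.pem" "$work/root.pem"; then
        echo "unexpected success before install"; return 1
    fi
    reason=$(openssl verify -no-CAfile -CApath "$capath" \
        -untrusted "$work/root.pem" "$work/srv.pem" 2>&1 || true)
    case $reason in
        *self*signed*) ;;
        *) echo "unexpected reason: $reason"; return 1 ;;
    esac

    # 2. After: install the root under its hash name; the same chain verifies.
    link=$(install_ca_cert "$work/root.pem" "$capath")
    verify_chain "$capath" "$work/srv.pem" "$work/root.pem" \
        || { echo "verify failed after install"; return 1; }

    # Installing the same root again is idempotent: the existing name comes back.
    again=$(install_ca_cert "$work/root.pem" "$capath")
    rm -rf "$work"
    [ "$again" = "$link" ]
}
```

For a whole directory of certificates, `openssl rehash DIR` (OpenSSL 1.1.0 and later; `c_rehash` in older releases) creates these hash-named links in one go. Note that the hash algorithm changed in OpenSSL 1.0.0: a directory populated with `-subject_hash_old` names is invisible to a newer library, which is one reason a fresh installation can fail even though the right root is sitting in the directory.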




More information about the imp mailing list