2

最近,我从 Namecheap 购买了 PositiveSSL 证书。我一直想将它们应用到我的网站以与 iRedMail 和 WordPress 一起使用,但我没有运气这样做。

我收到了一个包含四个文件的 ZIP 文件,但我不明白如何处理它们。这四个文件是:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • www_mydomain_com.crt

我在 SSL 的 Postfix main.cf 中的当前设置是:

smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
# smtpd_tls_CAfile =

我当前在 Dovecot dovecot.conf 中的 SSL 设置是:

ssl = required
verbose_ssl = no
#ssl_ca = 
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key

我假设我打算更改这些条目以适应新证书,但我根本不知道如何设置它。

我也有生成证书时的 .key 和 .csr 文件。

有谁可以帮我离开这里吗?我从来不需要设置所有这些(而且我有点像 Linux 新手),所以我在这里完全不知所措。另外,我正在运行 Scientific Linux 6 64 位,如果这有什么不同的话。我也没有设置任何 GUI(如 cPanel)。

先感谢您。

4

2 回答 2

2

服务器再次使用上面提供的配置,域是“www.lildirt.com”。再次,我使用 DigiCert 的工具进行了检查,它仍然说我使用的是旧的自签名证书(10 年后到期),但我已经更改了上面的设置。

好的,您的邮件服务器是mail.lildirt.com

$ dig lildirt.com mx

; <<>> DiG 9.8.5-P1 <<>> lildirt.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lildirt.com.           IN  MX

;; ANSWER SECTION:
lildirt.com.        1799    IN  MX  10 mail.lildirt.com.

;; Query time: 109 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Mon Aug 11 18:33:49 EDT 2014
;; MSG SIZE  rcvd: 50

现在,使用 OpenSSL 检查它。您没有运行安全 SMTP:

$ openssl s_client -connect mail.lildirt.com:465 -CAfile AddTrustExternalCARoot.crt
connect: Connection refused
connect:errno=61

而且您没有在 995(或 587 和 993 上)启用 SSL/TLS:

$ openssl s_client -connect mail.lildirt.com:995 -CAfile AddTrustExternalCARoot.crt
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
...

这是一个问题:

$ telnet mail.lildirt.com 25
Trying 107.178.109.102...
telnet: connect to address 107.178.109.102: Operation timed out
telnet: Unable to connect to remote host

Postfix 是否还在运行?

服务器再次使用上面提供的配置,域是“www.lildirt.com”。再次,我使用 DigiCert 的工具进行了检查,它仍然说我使用的是旧的自签名证书

您为什么要针对 www.lildirt.com:443 运行工具?您提出的问题是针对 Postfix 和邮件服务器配置的。www.lildirt.com 与您的问题无关。

如果有兴趣,您不需要基于 Web 的工具。OpenSSL 为您提供您需要知道的一切:

$ openssl s_client -connect www.lildirt.com:443
CONNECTED(00000003)
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify return:1
...

和:

$ openssl s_client -connect www.lildirt.com:443 | openssl x509 -text -noout
...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17052364516268315109 (0xeca62b2e24a611e5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
        Validity
            Not Before: Jun  1 21:42:41 2014 GMT
            Not After : May 29 21:42:41 2024 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:53:ff:41:29:4f:41:01:62:40:1b:8d:98:81:
                    50:21:7a:c9:d6:29:fb:1d:67:68:de:9f:22:b9:36:
                    23:56:c4:75:aa:44:75:29:2b:84:9f:0b:0a:e4:d3:
                    4d:a1:94:8c:04:a4:35:f4:fa:03:1a:46:28:8c:a4:
                    c5:63:76:72:92:f1:a5:f8:75:cc:61:64:5b:c4:12:
                    70:a6:d0:da:62:b9:f2:d0:b9:65:d8:06:d9:aa:40:
                    21:fb:2b:df:12:e2:d3:7c:a9:0e:4e:d3:91:21:2d:
                    ad:d1:9c:1a:bf:fd:38:05:ef:9c:6e:61:2f:f9:22:
                    75:94:b1:2a:29:8b:45:b0:aa:fe:31:f3:32:9d:ce:
                    cc:2d:5d:e9:c6:0a:06:37:fd:ce:5d:09:1c:bf:98:
                    b7:d5:cc:2a:2f:e3:ba:79:a4:54:4e:70:de:dd:49:
                    e6:71:27:eb:14:ed:80:e1:bc:ab:04:c9:73:90:8d:
                    91:a7:c5:73:16:22:3d:a6:3b:84:5b:0e:a7:ec:1e:
                    67:c4:59:d9:76:17:37:16:02:94:d7:eb:82:e6:ae:
                    93:04:92:d7:2b:b4:6f:8a:d4:2b:64:77:9f:89:30:
                    34:a2:99:4a:f9:ac:d0:ec:c0:e0:0d:34:dc:03:53:
                    1e:35:96:4d:15:aa:46:70:b5:11:aa:41:84:84:00:
                    bc:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
            X509v3 Authority Key Identifier: 
                keyid:1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         4b:78:ac:8d:09:a0:c1:a0:66:66:c6:6c:4e:40:75:a8:00:08:
         d6:be:31:f3:0f:48:7c:2d:ed:c6:2e:b9:39:06:38:66:a3:68:
         23:0a:d6:11:cf:2c:9d:18:60:37:25:a2:24:0f:9c:4a:2a:09:
         cc:e0:5b:36:3b:0d:47:01:47:6e:11:5a:7e:0d:9e:aa:7d:1b:
         41:3e:37:2f:b5:72:45:62:8f:cf:6f:27:d6:6f:5b:1c:bc:c7:
         9a:10:85:41:6c:c9:2f:7f:c6:b5:eb:cc:8c:ca:33:4a:83:ab:
         7a:fd:6b:dc:23:44:79:79:3b:8e:dd:de:77:d6:8e:e7:06:28:
         53:66:b9:96:ef:ad:04:7e:dd:23:99:6e:d8:9e:c5:3a:d9:ef:
         25:be:ee:90:f4:47:16:17:16:fe:37:da:f4:a9:cd:8c:54:47:
         ad:ed:ce:30:69:23:ee:58:23:bb:8f:db:0a:b7:4f:fb:00:95:
         34:c2:25:3a:37:20:2b:7d:3a:19:1c:ad:75:29:4e:f5:cb:de:
         8d:98:54:e7:f4:1c:24:a8:62:b2:0b:3e:71:2d:1a:b9:98:59:
         ca:66:ac:68:a7:a0:0a:da:8f:35:8c:d1:ba:33:1f:a4:39:bc:
         fd:58:a3:67:4d:eb:c2:00:9c:36:9a:a7:58:2c:2a:f1:38:c9:
         13:74:e0:04

从上面看,(1) Common Name 中没有 DNS 名称(IETF 和 CA/浏览器论坛都弃用了它);(2) CA:FALSE(不是TRUE,因为您没有颁发证书);(3) 将 DNS 名称添加到主题备用名称(CA/浏览器论坛要求)。

请参阅SSL 证书验证:javax.net.ssl.SSLHandshakeException,了解如何使用主题备用名称 (SAN) 中的正确属性和多个 DNS 名称发出自签名。

这是 armour-cloud.com 的示例。这就是端口 993 上的 Secure IMAP 的外观。假设您提供 Secure IMAP,您应该得到几乎相似的结果。区别在于域和 CA。注意命令以Verify Return Code: 0 (ok).

$ openssl s_client -connect mail.armor-cloud.com:993 -CAfile startcom-ca.pem 
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGTDCCBTSgAwIBAgIDEMlWMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
YWwgQ2VydGlmaWNhdGUgU2lnbmluZzE4MDYGA1UEAxMvU3RhcnRDb20gQ2xhc3Mg
MSBQcmltYXJ5IEludGVybWVkaWF0ZSBTZXJ2ZXIgQ0EwHhcNMTQwNTI5MjIzODQy
WhcNMTUwNTMwMDYzMDAwWjBWMQswCQYDVQQGEwJVUzEdMBsGA1UEAxMUbWFpbC5h
cm1vci1jbG91ZC5jb20xKDAmBgkqhkiG9w0BCQEWGXdlYm1hc3RlckBhcm1vci1j
bG91ZC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCSL72lQJya
JQ6vvXQpWUzAjOxuI+5u2bmBmblc7AoFDwOoFozg1aEUz5B7q/9DcJZpX8eF76JG
3E/zoU8s7pq30U1LAbg3d7Rg5OTc8bJd21BdUz8Bt3OctFxTKhddYpSkM3LjGEuR
9tRzTCY/KDFglZMBDoz4iJdHFTL3WaCCuvulaanz/zMFx2Kp4p9Jep8/BR4OtfOx
8RexSVwmjXm+CmN6npBl2cl3Li4XUKqfr9uMD24cNgom/Plt3lq4FQpGsb8k29S0
6JMJYpKXFVM/XGKNI8g3aQdxi3daQiTgngtw8r7n8nHUTIOIl/kg3dfDwSYW6sE/
LyXfjYl+XY2/AgMBAAGjggLqMIIC5jAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAT
BgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQUqOXcMohVao8F4j9YVhdZj98N
WxkwHwYDVR0jBBgwFoAU60I00Jiwq5/0G2sI98xkLu8OLEUwMAYDVR0RBCkwJ4IU
bWFpbC5hcm1vci1jbG91ZC5jb22CD2FybW9yLWNsb3VkLmNvbTCCAVYGA1UdIASC
AU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcC
ARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUH
AgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqB
vlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENs
YXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29tIENB
IHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1cnBvc2Ug
aW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxpZ2F0aW9ucy4w
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNzbC5jb20vY3J0MS1j
cmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzABhi1odHRwOi8vb2Nz
cC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2EwQgYIKwYBBQUHMAKG
Nmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5jbGFzczEuc2VydmVy
LmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS8wDQYJ
KoZIhvcNAQELBQADggEBAGN4+kuLiZdUVgNL2cjLLv5IeLhq5Ly35BKJ8SohkKdM
B2cWOC3r+iFohxRI+VvILOwh7GCuWsWWJLOd17klgWf3EF7EkYFyR4PB6m71BdRD
RTNDXw27Xw0lADMBP36f28lo8X26EJbpav7MVNK9gqbdHU/dEYfY34S9li/iXe2n
E7Resh/vPEmFuebSrpHrfUT5fWWsbZKWcEZOWJwd8nqztI/7TdI63H9O1BgrCxQ/
lL+t9HsRfoh7EjEmjYy7O4q1oFAa0RmYvsikhVJo++6gsyPKHcOKzb65RWb2RTiM
lzbvqlg3+XplAdVzzqC+M0C5JHeIXAZosWTmkgDGPHU=
-----END CERTIFICATE-----
subject=/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: E6CD57CF3A522AC3093C3A734EE8C8369F8ECD5A0C1206FB77184D481910B9B8
    Session-ID-ctx: 
    Master-Key: 5DC080AC9627E8294A2C675D5177BFDC25B897371FEA36944CB60181B4C39D15E284DCB04A174AECCB41175430FFBFF3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 29 80 70 c1 ea 19 57 e3-25 5b ee eb 12 39 f8 c3   ).p...W.%[...9..
    0010 - 97 c6 38 82 cd 4e a2 5d-ba b9 06 5f 4f 62 25 34   ..8..N.]..._Ob%4
    0020 - a1 6b 49 04 8a 8b 9f d2-e7 3c 0d 63 70 ae dc aa   .kI......<.cp...
    0030 - 9f d5 a1 d1 e4 26 01 bb-0e 1a f7 7f 35 0e af 6b   .....&......5..k
    0040 - 28 70 be e0 d3 4f 93 62-c8 2c 2c 43 2a 32 71 f3   (p...O.b.,,C*2q.
    0050 - 4a 1b 5a 35 4c d5 e2 e6-ad c1 65 18 42 4b 67 89   J.Z5L.....e.BKg.
    0060 - 8b 97 95 dd cf 0f 3e b1-32 6e 52 a0 77 9c 86 cc   ......>.2nR.w...
    0070 - 47 39 b4 66 60 33 74 12-b1 25 a5 4e 71 0d 60 e5   G9.f`3t..%.Nq.`.
    0080 - 79 8f a3 9c 06 a1 5b cc-a3 f7 c4 bd f4 86 77 0c   y.....[.......w.
    0090 - 5f 24 57 38 06 fa a2 34-57 e7 64 56 ce 73 24 ad   _$W8...4W.dV.s$.

    Start Time: 1407799533
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK IMAPrev1
于 2014-08-11T22:48:28.093 回答
2 
I don't understand what to do with them. 
* AddTrustExternalCARoot.crt
* COMODORSAAddTrustCA.crt
* COMODORSADomainValidationSecureServerCA.crt
* www_mydomain_com.crt

您需要为服务器建立一个证书链来服务。您不能只发送最终实体(服务器证书)。以下是使用提供给您的文件的方法。

忽略这个。它是 CA,客户端必须已经拥有它并信任它:

  • AddTrustExternalCARoot.crt

按照这个特定的顺序将这三个连接到一个文件中。称它为www_mydomain_com_chain.pem

  • www_mydomain_com.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt

连接后,文件应如下所示:

-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

将带有级联证书的文件插入smtpd_tls_cert_file.

您可以使用以下内容测试您的装备。它应该以类似于 的消息结束Verify Result 0 (Ok)

openssl s_client -connect <server>:465 -CAfile AddTrustExternalCARoot.crt

注意:对于测试,选择通过 SSL/TLS 传输的邮件端口很重要,例如 465 或 995。这比尝试-starttlss_client.

相关:COMODORSADomainValidationSecureServerCA.crt确实是中级证书。您可以在[Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA找到它。

相关:COMODORSAAddTrustCA.crt确实是中级证书。您可以在[Intermediate #1] COMODO AddTrust Server CA找到它。

相关:最近有人在使用 Comodo 的装备时遇到了类似的问题。请参阅SSL 站点和浏览器警告

于 2014-08-11T18:39:47.713 回答