
Certificate verify failed

Open Marco-Total opened this issue 4 years ago • 3 comments

Hello,

when I try to reach the mail server from the LAN, I get a certificate error message:

I can understand the error, is there any way to trust "insecure certificates" anyway?

./check_email_loop -poph 172.xx.xx.xx -popuser=monitor -passwd=xxx -popport=993 -usessl -useimap -smtphost=172.xx.xx.xx -smtpuser=monitor -smtppasswd=1qay-2wsx -smtpport=587 [email protected] [email protected] -usesmtptls -debug
Opened /usr/lib64/nagios/plugins/check_email_loop_e470b3b374f2dc8b185445a410ed9a1b.stat for writing...
----------------------------------------------------------------------
-------------------- Checking IMAP4 Mails ----------------------------
----------------------------------------------------------------------
IMAP RECEIVE CRITICAL - Could not connect to 172.xx.xxxx port 993: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at ./check_email_loop line 694.

Thx for your help!

Rudi

Marco-Total, Mar 10 '21 12:03

Hello @RUDI-TERROR ,

Inspecting the code, no "ignore certificate validation" option is implemented yet. It seems that the tool uses different ways for TLS depending on the service (POP, IMAP, SMTP), and each would require this change. I think generally this should be no big deal.

But given that your email users need to connect and talk to the same server in the same secure way as the monitoring tool: wouldn't it be better to at least use self-signed certificates? You can then add them to the respective trust stores for your users as well as for the monitoring tool.

bentolor, Mar 11 '21 09:03

When I try to add the account in Outlook, I get a message:

This certification authority root certificate is not trusted because it is not in the repository of trusted root certification authorities.

Can I install the certificate on my monitoring-server in a "ca-trust" store?

Marco-Total, Mar 15 '21 14:03

Beware that there are two different things:

  1. Certificate Authority (CA): an instance which can sign a certificate as trustworthy, and
  2. a Certificate: something your mail server can use for encrypted communication.

When Outlook, browsers & Co. connect to an SSL-encrypted site, they download the certificate (2) and look out for a signature on that certificate from a CA (1) they trust: so they check if they have a CA registered as trusted and cryptographically check that the signature was validly made by a trusted CA.

So if you want to create and use your own certificates the same way as you'd e.g. do with Let's Encrypt or DigiCert certificates, you need to

  1. create a CA private and public key/certificate,
  2. install that public CA key/certificate as a "trusted CA" in all clients that should connect to the service,
  3. create an application certificate and sign it with the CA certificate you created, and
  4. install and use that signed certificate on your mail server.

The so-called "self-signed certificates" are just certificates which are not signed by any CA.

The way to add your own CA to your trust store depends on the OS and software, e.g. browsers tend to have their own CA list.

I assume you are German, so here are a few links which might help you in creating a CA, installing the CA in your clients (Windows/Linux) and signing a certificate for use in your mail server.

  • https://mherbst.de/de/articles-internet/erstellungeigenersslzertifikate/ or
  • https://www.gluecksgriff-taschen.de/?p=620 and https://www.gluecksgriff-taschen.de/?p=638

Note: This only makes sense for a purely internal server. If your server is publicly accessible I recommend using Let's Encrypt. This also only works if your server is reachable by a DNS name like mymailserver.mycompany. You can't use signed certificates by IP only.

bentolor, Mar 15 '21 17:03