Linux Apps Tutorials - Herong's Tutorial Examples - v1.03, by Herong Yang
Provide Self Signed Certificate to SquirrelMail
This section provides a tutorial example on how to download the self-signed certificate from the mail server and provide it to SquirrelMail as a trusted certificate, to resolve the invalid certificate error.
Continuing from the previous tutorial, let's find a way to allow SquirrelMail to accept the self-signed certificate used by a remote mail server.
1. Download the self-signed certificate from the remote IMAPS server.
herong$ openssl s_client -connect 192.168.1.100:993
depth=0 ..., CN = 192.168.1.100, ...
verify error:num=18:self signed certificate
...
Server certificate
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIUVPSyH5TDRDSyzDp0w3aTKV7qyIswDQYJKoZIhvcNAQEL
BQAwgaAxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ2RvbmcxETAPBgNVBAcM
CFNoZW56aGVuMRYwFAYDVQQKDA1UYXJnZXRSeCBJbmMuMRQwEgYDVQQLDAtNYWls
...
wSQq2F5TcqIL/QfUhkOHd9cdY4LlJctfTQeruRvDD8ezF9cRmV5Pjx8=
-----END CERTIFICATE-----
2. Save the above certificate in a file, 192-168-1-100.crt. We need to provide it to the PHP environment as a trusted certificate, which can be done in 3 possible ways:
3. Run another PHP function call to find out where PHP searches for CA certificates.
herong$ php -r "print_r(openssl_get_cert_locations());"
Array
(
    [default_cert_file] => /etc/pki/tls/cert.pem
    [default_cert_file_env] => SSL_CERT_FILE
    [default_cert_dir] => /etc/pki/tls/certs
    [default_cert_dir_env] => SSL_CERT_DIR
    [default_private_dir] => /etc/pki/tls/private
    [default_default_cert_area] => /etc/pki/tls
    [ini_cafile] =>
    [ini_capath] =>
)
4. Look at the first entry, /etc/pki/tls/cert.pem, in the search locations above. It holds 136 CA certificates.
herong$ ls -l /etc/pki/tls/cert.pem
lrwxrwxrwx. 1 root root 49 Aug 12 2020 /etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
herong$ grep BEGIN cert.pem | wc
    136     274    3836
5. Add the self-signed certificate to the end of /etc/pki/tls/cert.pem and run the simulation code again. I do not see any errors. That is good.
herong$ su
# cat 192-168-1-100.crt >> /etc/pki/tls/cert.pem
# exit
herong$ php -r 'fsockopen("tls://192.168.1.100", 993, $errno, $errmsg, 5);'
6. Run the SquirrelMail test script again. I see no errors. SquirrelMail is accepting the self-signed certificate now.
herong$ firefox http://localhost/mailx/src/configtest.php
Checking IMAP service.... IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR ...
7. Log in to SquirrelMail Webmail in a Web browser. I can retrieve emails from the mail server.
herong$ firefox http://localhost/mailx
Please also notice that:
1. It seems to me that if "default_cert_file" is provided, PHP OpenSSL will not look in "default_cert_dir" for CA certificates.
2. There is a config.php example on the SquirrelMail sourceforge.net Website that suggests using $imap_stream_options to provide self-signed certificates. But this setting is not supported in the SquirrelMail 1.4.22 stable version. It could be a new feature in a newer version.
 * $imap_stream_options = array(
 *     'ssl' => array(
 *         'cafile' => '/etc/pki/tls/certs/ca-bundle.crt',
 *         'verify_peer' => true,
 *         'verify_depth' => 3,
 *     ),
 * );
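As an added example (not part of this tutorial and not SquirrelMail code), the following PHP script performs the same TLS check as the fsockopen() call in step 5, but trusts only the certificate file saved in step 2, and only for this one connection, instead of appending the certificate to the system-wide /etc/pki/tls/cert.pem. It applies the same 'cafile' / 'verify_peer' stream options shown in the config.php example above through a stream context, which any PHP version with OpenSSL support accepts regardless of what SquirrelMail 1.4.22 reads from config.php. The path /etc/squirrelmail/192-168-1-100.crt and the fingerprint argument are assumptions for illustration.

```php
<?php
// Added example, not from the tutorial: verify the IMAPS server against one
// trusted certificate file, scoped to this connection only.
//
// Assumptions (hypothetical values):
//   $host/$port  - the tutorial's mail server 192.168.1.100:993
//   $cafile      - the 192-168-1-100.crt saved in step 2, copied to a
//                  path of your choosing (here /etc/squirrelmail/)
//   $expectedSha256 - optional pin; obtain the real value with
//                  openssl x509 -in 192-168-1-100.crt -noout -fingerprint -sha256

function imapsCheck(string $host, int $port, string $cafile, ?string $expectedSha256 = null): array
{
    $ssl = [
        // Trust only the certificates in $cafile; the system bundle is not consulted.
        'cafile'            => $cafile,
        'verify_peer'       => true,
        // The certificate's CN/SAN must match $host (the tutorial's cert has CN = 192.168.1.100).
        'verify_peer_name'  => true,
        // Stays false: the self-signed cert is accepted because it is in $cafile,
        // not because self-signed certificates are accepted in general.
        'allow_self_signed' => false,
        // Keep the leaf certificate so it can be inspected after the handshake.
        'capture_peer_cert' => true,
    ];
    if ($expectedSha256 !== null) {
        // Optional pinning: PHP aborts the handshake if the leaf cert's SHA-256 differs.
        $ssl['peer_fingerprint'] = [
            'sha256' => strtolower(str_replace(':', '', $expectedSha256)),
        ];
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("tls://$host:$port", $errno, $errstr, 5, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // Typical failures: "certificate verify failed" (cert not in $cafile),
        // "Peer certificate CN=... did not match expected CN=..." (name mismatch),
        // or a fingerprint mismatch when pinning is enabled.
        return ['ok' => false, 'error' => trim("$errno $errstr")];
    }

    // The IMAP server speaks first: "* OK [CAPABILITY IMAP4rev1 ...]"
    $greeting = fgets($fp, 1024);
    $params   = stream_context_get_params($fp);
    $cert     = $params['options']['ssl']['peer_certificate'];
    $parsed   = openssl_x509_parse($cert);
    fclose($fp);

    return [
        'ok'          => true,
        'greeting'    => trim((string) $greeting),
        'subject_cn'  => $parsed['subject']['CN'] ?? '',
        'issuer_cn'   => $parsed['issuer']['CN'] ?? '',
        'sha256'      => openssl_x509_fingerprint($cert, 'sha256'),
        'valid_until' => date('c', $parsed['validTo_time_t']),
    ];
}

// Usage: prints the greeting and certificate details on success, or the
// OpenSSL error text on failure (no exception, no silent pass).
print_r(imapsCheck('192.168.1.100', 993, '/etc/squirrelmail/192-168-1-100.crt'));
```

The same per-process scoping is available without code changes through the environment variable reported by openssl_get_cert_locations() in step 3: SSL_CERT_FILE=/etc/squirrelmail/192-168-1-100.crt php -r '...' makes that file the default_cert_file for that one PHP process only. Appending to /etc/pki/tls/cert.pem, as in step 5, makes every OpenSSL client on the host trust the mail server's key, and since that path is a symlink into /etc/pki/ca-trust/extracted/, the appended entry is lost the next time the bundle is regenerated by update-ca-trust; the supported way to add a local anchor on CentOS is to place the .crt in /etc/pki/ca-trust/source/anchors/ and run update-ca-trust. Whichever approach is used, check the certificate's validity period and fingerprint once out of band, because a self-signed certificate carries no issuer to fall back on when it is replaced.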