Dovecot, self-signed certificates and unknown CA problem

Quick tip if you are trying to deploy Dovecot on RHEL6 or CentOS6 and get an error message about an ‘unknown CA’ like this:

The reason that this error occurs is that Dovecot can not verify a client certificate because it doesn’t know about the self-signed CA certificate because it can not find the self-signed CA certificate. It’s a puzzling error, especially when the CA certificate is present in the Dovecot config:

This happens because Dovecot can not find the CA certificate in the /etc/pki/dovecot/certs directory. Note the directory. The Dovecot RPM on EL6 comes pre-packaged with two directories: /etc/pki/dovecot/certs/ and /etc/pki/dovecot/private/. But if you put a self-signed CA certificate in /etc/pki/dovecot/certs/ Dovecot can not find it because it is looking elsewhere for the CA certificate.

The solution is to put the self-signed CA certificate in /etc/pki/tls/certs/.

How to setup OpenVPN on CentOS6

Introduction

This article will guide you through the installation and configuration of OpenVPN on a CentOS 6 server. The preferred OpenVPN version is 2.3.3 as that is the most recent one and, more importantly, the only version which has a fix for the Heartbleed bug.

Step 1 – install OpenVPN

Currently the OpenVPN RPM in EPEL has not yet been updated to version 2.3.3. You can either wait for it to be updated (together with pkcs11-helper version 1.11) or create your own RPMs.

Step 2 – get the EasyRSA scripts

Since the key generation scripts in eay-rsa/ were removed from OpenVPN you have to get them separately:

If you create your own OpenVPN RPM it makes sense to include EasyRSA in it.

Step 3 – edit vars in easy-rsa/

Open /etc/openvpn/easy-rsa/vars in your favorite editor and change

to

Next edit the following fields to your liking. Just don’t leave any blank.

Step 4 – create the CA certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any field empty.

Step 5 – create the server certificate

Press enter at each question if the default is acceptable or change it to your liking. Don’t leave any default empty.

Answer these questions with yes:

Step 6 – create the client certificate

Answer these questions with yes:

If you need a PKCS12 file (a .p12), follow these steps:

Answer these questions with yes:

Next you are asked for a password to secure the .p12 file. Make sure you provide a secure password and store it in a safe place like in Pass, KeePassX or LastPass.

Once the client key is generated, copy it to the host that needs access to the OpenVPN server.

Step 7 – create the DH key

Step 8 – create the tls-auth key (ta.key)

Step 9 – create /etc/openvpn/server.conf

Open your favourite editor and save the config below to /etc/openvpn/server.conf

/etc/openvpn/server.conf:

Do not forget to change ‘SERVER_VPN_NET, ‘SERVER_VPN_NET_NETMASK’, ‘SERVER_NET’, ‘SERVER_NET_NETMASK’, ‘YOUR_DNS_SERVER’ and ‘YOUR_DOMAIN’. Examples below each line/section.

Step 10 – start OpenVPN and check log

In one terminal open the openvpn.log:

And in another terminal start the openvpn service:

Step 11 – enable IP forwarding

Enable IP forwarding so packets from your VPN subnet can be forwarded to the network behind the OpenVPN server.

Open /etc/sysctl.conf in your favourite editor and change:

to

Activate IP forwarding:

Step 12 – setup Masquerading

Make sure that the VPN subnet and interfaces used below are correct for your server.

Restart the iptables service:

Done.

How to block Heartbleed queries with IPtables

Here are some rules to block HeartBleed queries with IPtables. The example focuses on HTTPS (port 443). By copying the rules and changing the destination port (“--dport xxx“) you can protect other services too.

If you want the queries logged then first add this rule.

And the actual rule which drops the Heartbleed queries: