Dovecot, self-signed certificates and unknown CA problem

Quick tip if you are trying to deploy Dovecot on RHEL6 or CentOS6 and get an error message about an ‘unknown CA’ like this:

The reason this error occurs is that Dovecot cannot verify the client certificate: it does not know the self-signed CA certificate because it cannot find it. It’s a puzzling error, especially when the CA certificate is clearly present in the Dovecot config:

This happens because Dovecot cannot find the CA certificate in the /etc/pki/dovecot/certs directory. Note the directory. The Dovecot RPM on EL6 comes pre-packaged with two directories: /etc/pki/dovecot/certs/ and /etc/pki/dovecot/private/. But if you put a self-signed CA certificate in /etc/pki/dovecot/certs/, Dovecot cannot find it, because it looks elsewhere for the CA certificate.

The solution is to put the self-signed CA certificate in /etc/pki/tls/certs/.

How to make Firefox more secure with TLS 1.2

To increase the security of the SSL/TLS encrypted link set up by your Firefox browser, enter “about:config” in the address bar, press enter and change the following preferences:

Setting both to a value of 3 means that Firefox will only use TLS 1.2. This is currently the most secure option. However, TLS 1.2 may not be supported by every webserver behind the websites you visit. If you find that you cannot set up a TLS 1.2 encrypted link to a website, you can try lowering the value of the security.tls.version.min preference to 2. The value 2 means that TLS 1.0 is accepted as a minimum, which is not as good as TLS 1.2 but better than SSLv3 (a value of 1).

If you really need to allow SSLv3-based links to a website, then at least make sure that you disable security.ssl3.rsa_fips_des_ede3_sha:

It also makes sense to disable RC4 by setting the preferences below to false:

You can check how secure your SSL/TLS client is at How’s My SSL?

You can also install the CipherFox add-on in Firefox which displays the current SSL/TLS cipher and certificate chain in the Add-on bar and Site ID dialog.

Be safe out there!

Piwik, nginx and self-signed certificates

To keep track of some website statistics I use Piwik, an excellent free web analytics tool that provides you with detailed reports on your website’s visitors, your marketing campaigns and much more.

Obviously I want to make sure that information is secure and shielded from unauthorized access. After too many Certificate Authorities recently dropped the ball (TurkTrust and Diginotar but Google for more) it makes more sense to use self-signed certificates and client certificate authentication.

Unfortunately Piwik does not support client certificate authentication in its tracker code so how can self-signed certificates and client certificate authentication still be used?

They can not… sorta.

Nginx to the rescue. The fast-growing webserver (actually an HTTP and reverse proxy server, as well as a mail proxy server) is tremendously flexible and granular, and allows you to provide limited non-SSL access to piwik.js and piwik.php while the actual web interface behind index.php is only available over an SSL link with client certificate authentication. While I would prefer to see support for SSL with self-signed certificates & client certificate authentication in Piwik’s tracker code, this should do for now.

Example configuration:

I’ll leave the SSL-enabled full Piwik configuration as an exercise for the reader. Piwik on nginx is well documented, as is the SSL part.
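The split described above, as an added example that is not the post’s own configuration: plain HTTP serves only the two tracker endpoints, everything else is redirected to a TLS server block that requires a client certificate issued by the self-signed CA. The hostname, the Piwik install path, the certificate paths and the PHP-FPM socket are assumptions.

```nginx
# Added example (not the post's own config). Paths and names are assumed.
server {
    listen 80;
    server_name stats.example.com;          # assumed hostname
    root /var/www/piwik;                    # assumed Piwik install path

    # Only the tracker files are reachable without TLS.
    location = /piwik.js { }
    location = /piwik.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed PHP-FPM socket
    }

    # Everything else (index.php, the web interface) must go over TLS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name stats.example.com;
    root /var/www/piwik;
    index index.php;

    ssl_certificate     /etc/nginx/ssl/stats.crt;   # self-signed server cert
    ssl_certificate_key /etc/nginx/ssl/stats.key;
    ssl_protocols       TLSv1.2;                    # matches the Firefox tip above

    # Require a client certificate signed by our own self-signed CA;
    # connections without a valid one are rejected before reaching PHP.
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Pass the verification result through so Piwik's logs can record it.
        fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
```

Run `nginx -t` after editing and confirm with `openssl s_client -connect stats.example.com:443` that the handshake fails without a client certificate and succeeds with `-cert`/`-key` pointing at one issued by ca.crt.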

If you know a way to make Piwik’s tracker code work with SSL with self-signed certificates & client certificate authentication then please leave a comment.