Results 1 to 6 of 6

Thread: Regenerating snakeoil SSL certificate

  1. #1
    Join Date
    Jul 2007
    Beans
    56
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Regenerating snakeoil SSL certificate

    Either concurent with, or shortly after, upgrading to Hardy, the security system indicated that my ssh keys were generated by a version ssh-keygen that had a broken random number generator and that I had to regenerate them. I did that and ssh is now fine.

    However, when my Evolution e-mail client connects to the internal Dovcot POP3 (SSL) server running on top of Postfix, it gives the message below (in italics). This is probably because the snakeoil certificate /etc/ssl/certs/ssl-cert-snakeoil.pem was generated with the same broken random number generator is is therefore blacklisted. This raises two questions:

    1. How does one regenerate the snakeoil default ssl certificate?
    2. Are there any consequences of regenerating it that will have to be handled?

    The easiest path would be to allow Evolution to accept the certificate. But who wants a default SSL certificate that doesn't provide security?

    My version of Ubuntu is:
    Linux CERTIBY1 2.6.24-16-generic #1 SMP Thu Apr 10 12:47:45 UTC 2008 x86_64 GNU/Linux
    Thanks for any help.
    David
    SSL Certificate check for certiby1:

    Issuer: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LA HILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
    Subject: E=root@CERTIBY1.LAHILLS.CERTIBY.COM,CN=CERTIBY1.LA HILLS.CERTIBY.COM,OU=Office for Complication of Otherwise Simple Affairs,O=OCOSA,L=Everywhere,ST=There is no such thing outside US,C=XX
    Fingerprint: a3:e2:b7:8b:c6:cb:9e:86:3e:5e:c2:0b:85:bf:4d:44
    Signature: BAD

  2. #2
    Join Date
    Jul 2007
    Beans
    56
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Regenerating snakeoil SSL certificate

    I have been digging into this more -- going through the security notices.
    and learned that you can test for blacklisted certificates using openssl-vulnkey. It validated that my snakeoil certificates are not blacklisted (see below). Now I don't know what the problem is. Does anyone have ideas?

    Thanks.

    David

    david@CERTIBY1:~$ openssl-vulnkey /etc/ssl/certs/ssl-cert-snakeoil.pem
    Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/certs/ssl-cert-snakeoil.pem
    david@CERTIBY1:~$ sudo openssl-vulnkey /etc/ssl/private/ssl-cert-snakeoil.key
    Not blacklisted: 0ff365d9ac59f2ac2a7bfdb7bd3c6e71b97014f1 /etc/ssl/private/ssl-cert-snakeoil.key

  3. #3
    Join Date
    Feb 2007
    Beans
    8

    Re: Regenerating snakeoil SSL certificate

    If you ever find out how to do this, drop me a pm... I am also trying to figure it out.

  4. #4
    Join Date
    Jul 2007
    Beans
    56
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Regenerating snakeoil SSL certificate

    I suggest that you just subscribe to this thread so that you automatically get informed when I, or someone else, solves it.

  5. #5
    Join Date
    Jun 2008
    Beans
    1

    Smile Re: Regenerating snakeoil SSL certificate

    Since during installation process my system's time was incorrect (year 2002) where was errors like "your sertificate is expired" after. So I needed to regenerate them
    I managed to regenerate default snakeoil certificate with folowing command:
    sudo make-ssl-cert generate-default-snakeoil --force-overwrite
    and errors gone

    Hope that will help

  6. #6
    Join Date
    Jul 2007
    Beans
    56
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Regenerating snakeoil SSL certificate

    That worked perfectly. Thanks!

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •