TLS issues

 

Common reasons why TLS might not be working are:

 

  1. Upgraded from MailArchiva V8 to V9. Tomcat server.xml format has changed.
  2. The key store password is incorrect on Tomcat's server.xml
  3. HTTPS connector not defined in Tomcat's server.xml file. SSLEnabled must be set to true on the HTTPS connector.
  4. Mismatch between keystore aliases defined in server.xml and the aliases used in the keystore.
  5. Intermediate cert is missing. It is often necessary to go hunting for additional intermediate certificates on CA websites.
  6. DNS mismatch. For example, having a certificate issued for mailarchiva.company.com, yet accessing the console from https://mailarchiva.company.local.
  7. expired certificate
  8. wrong CA certificates installed
  9. https port bound by another process
  10. certificate is not a wildcard certificate (only applicable if using MailArchiva Multitenant)

 

The Tomcat startup logs are located in /var/opt/mailarchiva/tomcat/logs (Linux) or C:\ProgramData\MailArchiva\Tomcat\logs (Windows). When Tomcat starts up, if it cannot access certs & key in the key store, it will output the errors in one of the log files in that directory. Also, ensure there is not a local firewall blocking the comms on port 443 and that Tomcat is not attempting to bind to an IPv6 address. If the latter add "-Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Addresses=true " to CATALINA_OPTS in /opt/mailarchiva/server/startserver.

 

MailArchiva v8 to v9 Upgrade - TLS Configuration Change
 


MailArchiva v9 uses an upgraded version of the Tomcat (Version 10) application server. After performing an upgrade from MailArchiva V8 to V9, the server may fail to start due to differences in Tomcat server.xml configuration. An error such as the below might be outputted in the catalina.out log file

 

Caused by: java.lang.IllegalArgumentException: No SSLHostConfig element was found with the hostName [_default_] to match the defaultSSLHostConfigName for the connector [https-jsse-nio-443]

 

To resolve, edit Tomcat's TLS connector server.xml in /var/opt/mailarchiva/tomcat/conf/server.xml (Linux) or C:\ProgramData\MailArchiva\Tomcat\conf\server.xml (Windows) and change the port 443 connector equivalent to as follows:

 

  <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol" connectionTimeout="20000" redirectPort="8443" maxParameterCount="1000" URIEncoding="UTF-8" compression="on" noCompressionUserAgents="gozilla, traviata" compressableMimeType="text/html,text/xml,text/css,text/plain,application/javascript,application/json" enableLookups="false"  disableUploadTimeout="true" address="0.0.0.0" SSLEnabled="true" maxThreads="150">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/etc/opt/mailarchiva/ROOT/mailarchivacerts" type="RSA" certificateKeystorePassword="##YourKeystorePassword##" certificateKeyAlias="tomcat" />
        </SSLHostConfig>
    </Connector>

 

 

Note: Where previously, the SSL settings were specified as attributes to Tomcat's connector tag, in Tomcat 10, the SSLHostConfig child tag was introduced.

 

Certificate installation

 

Refer to Certificates for instructions on how to import certificates and keys into MailArchiva. The below covers additional troubleshooting steps not mentioned there.

 

Cannot import a server certificate

 

You are unable to import a server certificate and key.

 

Error: Failed to establish chain from reply 

 

  • The order in which certificates are imported is important. Import the root Certifying Authority (CA) certificate first, then intermediate CA certs, then lastly, server cert & key (i.e. moving up the chain)
  • Be sure that you are not missing an intermediate cert. Sometimes, a CA has two intermediate certs, and one or more of them might not have been mailed to you. It may be necessary to go look on the CA website for other intermediate certs. If there is a certificate missing in the chain, the above error will be outputted.
  • If the server certificate key was generated using MailArchiva's inbuilt certificate request (CSR) process, ensure that Save was clicked to persist the key after the certificate generation was completed.
  • If importing a server certificate and key is generated outside MailArchiva, then the private key must also be imported (i.e. its no use just importing a server certificate by itself). MailArchiva currently supports importing a private key and server certificate in PKCS-12 format. If your server certificate and private key is stored in a different format, use OpenSSL utilities to copy them to a PKCS-12 file. Afterwards, click the Import Private Key button in MailArchiva certificate management (Configuration->Certificates), enter password to PKCS-12 file, and the server cert and key will be imported. Click Save to save your changes.

 

Error: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)

 

  • Your PKCS12 file uses a PBES2 cipher for encryption and Java versions below 8u301 or 11.0.1 don't correctly handle PBES2. Create the PKCS12 so that it doesn't use PBES2.  If using openSSL to export to PKCS-12, add the -legacy option as follows:
openssl pkcs12 -inkey cert1.private.key -in cert1.public.crt -export -out cert1.p12 -legacy

 

The GUI will not come up when the server starts.

 

After starting the server, the GUI will not come up if...

 

  • The alias specified in Tomcat server.xml is different from the alias the certificate installed in the MailArchiva certificate store
  • The password specified in Tomcat server.xml for mailarchivacerts key store is wrong

 

Examine the Tomcat startup logs in /var/opt/mailarchiva/tomcat/logs/ or C:\ProgramData\MailArchiva\Tomcat\logs. Edit the connector on server.xml, switch back to port 80, restart MailArchiva and retrace the certificate install steps.

 

 

Unable to receive traffic with SMTP Start TLS enabled

 

First, isolate whether TLS is the cause of miscommunication between the mail server and MailArchiva. Do so by temporarily reverting the SMTP listener back to using plaintext and examining the charts to determine whether mail is received from the mail server. If so, it likely indicates that the TLS setup is the cause. The Exchange server may not support or be able to authenticate the certificates imported into MailArchiva, since the CA certificates may not be imported into Exchange. 

 

Failed to import certificate. Failed to establish chain from the reply.


An intermediate CA certificate is likely missing.  All intermediate certificates must be imported using the Import CA Cert button before importing the server certificate. MailArchiva requires that intermediate certificates are imported along the full certificate chain from the server cert to the ROOT certificate. For each certificate imported into MailArchiva, ensure that there is a parent certificate present whose subject DN matches the issuer DN. To determine which intermediate (parent) certificate is missing, look for a certificate with an issuer DN where there is no corresponding certificate with a matching subject DN. The ROOT certificate will have a matching issuer and subject DN.

 

Some CA's do not email all intermediate CA certificates along with the server certificate. If this is the case, it is necessary to go hunting for the missing certificate from the CA website. Alternatively, contact the CA organization's support line and request the missing certificate.

 

 

 

© 2005 - 2024 ProProfs

Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.

-