Pegasus Mail & Mercury


Mercury 4.8 Certificate Replacement Woes

Last post 05-09-2019, 4:40 by Tim W Young. 9 replies.
  •  01-10-2019, 16:16

    • cretson

    Mercury 4.8 Certificate Replacement Woes

    I had been using a self-signed security certificate for the past 2 years, and realized that it had expired (whoops). I purchased a proper certificate, and set it up on Mercury (replacing the .PEM with the .CRT on the config screen for each module's SSL). But mail clients are still reporting the expired certificate!

    (Thinking maybe it was not liking the format of the third-party certificate...) I tried creating a new self-signed cert using Mercury's built-in tool, but found it wasn't creating the file as it says it was doing!  I thought maybe my install was corrupt or obsolete (I have been upgrading since I first installed Mercury on Windows 98, now on Windows 10), so tried creating a second, clean installation of Mercury in another folder, ran the tool to create a self-signed certificate, but got the same result (says a certificate file was created, but it's not there).

    Anybody else on Windows 10 / Mercury 4.8, tried making self-signed certificate and had it work (that is, produce the desired file)? 

    Any other thoughts on why Mercury would still be distributing the certificate I thought replaced? 

    Can I manually find the text version of the key somewhere to confirm it took?  I tried removing the old certificate from the folder, but it still is distributing the old cert, so I assume it must copy the certificate into the config files somewhere?

    About ready to lose my mind, any insight would be helpful! 

  •  01-11-2019, 4:00

    • cretson

    Re: Mercury 4.8 Certificate Replacement Woes

    Update: the old key seems to have gone away on its own - maybe it was cached somewhere and finally refreshed.  But TLS still not working.
     
    Did a session log, saw this error:
     
    21:43:00.726: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
    21:43:00.773: >> 1 CAPABILITY<cr><lf>
    21:43:00.773: << * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED X-MERCURY-1<cr><lf>
    21:43:00.773: << 1 OK CAPABILITY complete.<cr><lf>
    21:43:00.836: >> 2 STARTTLS<cr><lf>
    21:43:00.836: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>
    21:43:00.976: [!] OpenSSL reported errors during handshake - error queue follows:
    21:43:00.976: [!] -------------------------------------------------------------------------
    21:43:00.976: [!] error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    21:43:00.976: [!] -------------------------------------------------------------------------
     
    What am I doing wrong here?  Thanks! 
  •  01-11-2019, 20:23

    • Sellerie

    Re: Mercury 4.8 Certificate Replacement Woes

    Removing the old cert from the folder is not enough; you have to restart Mercury.
  •  01-12-2019, 11:06

    Re: Mercury 4.8 Certificate Replacement Woes

    cretson:
    Update: the old key seems to have gone away on its own - maybe it was cached somewhere and finally refreshed.  But TLS still not working.

     

    What exactly is going wrong for you, I cannot say either. I am using a certificate from LetsEncrypt and it works without problems. I sometimes see the SSL error message in the log file too, but this is almost always an SSL test server.

    A tip maybe: The Mercury SSL libraries are ancient. You should simply replace the two SSL files with current ones ;-)

  •  01-12-2019, 15:02

    • cretson

    Re: Mercury 4.8 Certificate Replacement Woes

    Thanks for the feedback! I reached out to the issuing company, and they built me a .PEM with the private/public keys just as I'd done, but used different keys (I think they re-issued my key). Using that, I started getting a different error:

     
    08:33:55.008: [!] OpenSSL reported errors during handshake - error queue follows:
    08:33:55.008: [!] -------------------------------------------------------------------------
    08:33:55.008: [!] error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
     
    I thought about upgrading the SSL engine, but thought I had read a post saying David didn't think it was wise to upgrade to the newest SSL for some reason. Which are the "two SSL files" you refer to, the OpenSSL.exe and OpenSSL.cnf? I noticed there is a CFG file as well; I assume this is something not needed to be user-configured.
     
    Thanks again! 
  •  01-12-2019, 15:04

    • cretson

    Re: Mercury 4.8 Certificate Replacement Woes

    Oh, should have mentioned I did restart Mercury, rebooted the computer too.  I also removed the old key from Windows 10's key store (I had done this trying to get it to stop giving me warnings that I'm using a self-signed cert while connecting to the mail server from the mail server)
  •  01-14-2019, 19:08

    • cretson

    Re: Mercury 4.8 Certificate Replacement Woes

    OK, so still struggling. Tried installing Mercury 4.80 on an old Windows 7 machine, and the certificate generation works! I created a CSR using this copy, revoked my certificate, and requested a new one using the CSR. I compiled them into a single file (PRIVATE KEY and CERTIFICATE), as I gather you're supposed to do. Now I'm getting a new error; it seems to make 2 session logs when I attempt to connect. Any hints?
     
    12:59:56.261: --- 14 Jan 2019, 12:59:56.261 ---
    12:59:56.261: Accepted connection from 'xxx.xxx.xxx.xxx', timeout 120 seconds.
    12:59:56.266: Connection from xxx.xxx.xxx.xxx, Mon, 14 Jan 2019 12:59<cr><lf>
    12:59:56.266: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
    12:59:56.331: >> 1 CAPABILITY<cr><lf>
    12:59:56.331: << * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED X-MERCURY-1<cr><lf>
    12:59:56.331: << 1 OK CAPABILITY complete.<cr><lf>
    12:59:56.391: >> 2 STARTTLS<cr><lf>
    12:59:56.391: << 2 OK Begin SSL/TLS negotiation now.<cr><lf>

    -Then- 
     
    12:59:56.651: --- 14 Jan 2019, 12:59:56.651 ---
    12:59:56.651: Accepted connection from 'xxx.xxx.xxx.xxx', timeout 120 seconds.
    12:59:56.656: Connection from xxx.xxx.xxx.xxx, Mon, 14 Jan 2019 12:59<cr><lf>
    12:59:56.656: << * OK d IMAP4rev1 Mercury/32 v4.80.145 server ready.<cr><lf>
    12:59:56.661: >> 
    12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
    12:59:56.666: >> ÀÀ
    12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
    12:59:56.666: >> retson.net
    12:59:56.666: << * BAD Malformed command or oversize literal.<cr><lf>
    12:59:56.726: 7: Socket read error 10054 (connection aborted by remote host)
    12:59:56.731: --- Connection closed normally at 14 Jan 2019, 12:59:56.731. ---
    12:59:56.731: 
     
  •  01-16-2019, 15:32

    • cretson

    Re: Mercury 4.8 Certificate Replacement Woes

    Solved it! 

    For others' reference:

    .PEM file should contain the entire trust chain.  Like this:


    -----BEGIN PRIVATE KEY-----
    Private key data
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    Your certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Trust chain certificate 1
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    Trust chain certificate 2
    -----END CERTIFICATE-----
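
A structural check for the combined .PEM layout given in the post above, as an added example (not part of the thread and not Mercury's own code). It uses only the Python standard library to inspect PEM marker lines and block order; it does not verify that the key matches the certificate or that the chain validates. The sample bundles are constructed placeholders, and treating "private key first" as required is an assumption taken from the post's layout.

```python
import base64
import binascii
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
DASH_LINE = re.compile(r"^-----[^\n]*-----[ \t\r]*$", re.M)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_bundle(text):
    """Return problems found in a combined key + certificate PEM (empty = OK)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    # Each well-formed block owns exactly two marker lines (BEGIN and END).
    if len(DASH_LINE.findall(text)) != 2 * len(blocks):
        problems.append("malformed or unmatched BEGIN/END marker line")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label}: body is not valid base64")
    keys = [name for name in labels if name in KEY_LABELS]
    certs = labels.count("CERTIFICATE")
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    elif labels[0] not in KEY_LABELS:
        problems.append("private key is not the first block (layout in the post)")
    if certs == 0:
        problems.append("no certificate block")
    elif certs == 1:
        problems.append("server certificate only, trust chain certificates missing")
    return problems

def pem_block(label, payload):
    # Constructed placeholder payloads, not real keys or certificates.
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF_ONLY = (pem_block("PRIVATE KEY", b"constructed key bytes")
             + pem_block("CERTIFICATE", b"constructed server certificate"))
FULL_CHAIN = (LEAF_ONLY
              + pem_block("CERTIFICATE", b"constructed chain certificate 1")
              + pem_block("CERTIFICATE", b"constructed chain certificate 2"))

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LEAF_ONLY
    for line in check_bundle(text) or ["bundle layout OK"]:
        print(line)
```

Run it with the path to the bundle as the only argument; with no argument it checks the constructed leaf-only sample and reports the missing chain.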

  •  05-04-2019, 21:20

    • jbanks

    Re: Mercury 4.8 Certificate Replacement Woes

    I have the exact same problem - did you ever find a fix?
  •  05-09-2019, 4:40

    Re: Mercury 4.8 Certificate Replacement Woes

    I think you missed the message previous to yours, where the solution was posted.
Copyright © 2007-2011 David Harris / Peter Strömblad. | Pegasus Mail Home Page