[SOLVED] Need help with OTRS and S/MIME

Moderator: crythias

skywww
Znuny newbie
Posts: 15
Joined: 19 Jun 2013, 13:56
Znuny Version: 3.2.8

[SOLVED] Need help with OTRS and S/MIME

Post by skywww »

Good Day!
We use OTRS 3.2.8 + MS SQL + IIS + customer AD integration + Windows AD CA.
We need S/MIME support to read encrypted incoming mail.

We installed OpenSSL for Windows in the standard Windows folder "C:\Program Files".
We pointed the settings in the config section to the OpenSSL folder here: "otrs/index.pl?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt%3A%3ASMIME;SysConfigGroup=Framework"
Separately, we issued a certificate and private key for our helpdesk@mydomain.com account.

We exported the private key + certificate from the OS certificates MMC console into a .pfx file with a password, and exported the certificate into a .cer file.

When we try to import the .cer file here "/otrs/index.pl?Action=AdminSMIME;Subaction=ShowAddCertificate", we get the error "Can't add invalid certificate!"

When we try to import the .pfx file (with password) here "otrs/index.pl?Action=AdminSMIME;Subaction=ShowAddPrivate", we get the error "Need Certificate of Private Key first -$Attributes{Modulus})!"

The question is: how do we install the .pfx and .cer files into OTRS?
Last edited by skywww on 18 Dec 2013, 13:37, edited 1 time in total.
OTRS 3.2.8 on Windows Server 2008 R2 + MS SQL 2008 R2 Database and IIS.
crythias
Moderator
Posts: 10169
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: Need help with OTRS and S/MIME

Post by crythias »

What OS are you using for OTRS?

You should make sure the paths are valid for you
Edit Config Settings in Framework -> Crypt::SMIME
certs are likely .crt or .pem
private are likely .pem or .key

This or this might help.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: Need help with OTRS and S/MIME

Post by skywww »

Good Day!

Crythias, thanks for the reply.

OS: Windows Server 2008 R2.

I checked my Crypt::SMIME settings; here they are:

Enables S/MIME support. : Yes
SMIME::Bin : C:/PROGRA~2/GnuWin32/bin/openssl.exe
SMIME::CertPath : C:/PROGRA~2/OTRS/OTRS/ssl/certs
SMIME::PrivatePath : C:/PROGRA~2/OTRS/OTRS/ssl/private

Then I used the links you pointed to and extracted the *.pem files (secret and public) from the .pfx.

Sorry, but there was no result after these actions.

When I try to add the private key, I get the same error: "Need Certificate of Private Key first -$Attributes{Modulus})!"
When I try to add the public key, I get the same error: "Can't add invalid certificate!"

Can you help with it? Maybe I should try something else...

Re: Need help with OTRS and S/MIME

Post by skywww »

I googled the very same problem here: http://lists.otrs.org/pipermail/otrs-de ... 14608.html

But no solution :-(.

Re: Need help with OTRS and S/MIME

Post by crythias »

http://doc.otrs.org/3.1/en/html/smime.html

In theory, you *can* place the files in place manually.

Re: Need help with OTRS and S/MIME

Post by skywww »

"In theory, you *can* place the files in place manually." - It doesn't work.

They have already been there from the beginning.

I see this in the Perl log when I try to import it in OTRS:

*** 'C:\Program Files (x86)\OTRS\OTRS\bin\cgi-bin\index.pl' log message at: 2013/12/04 11:27:45
ERROR: OTRS-CGI-10 Perl: 5.16.3 OS: MSWin32 Time: Wed Dec 4 11:25:42 2013

Message: Can't add invalid certificate!

RemoteAddress: 192.168.100.10
RequestURI: /otrs/index.pl

Traceback (7980):
Module: Kernel::System::Crypt::SMIME::CertificateAdd (OTRS 3.2.8) Line: 571
Module: Kernel::Modules::AdminSMIME::Run (OTRS 3.2.8) Line: 181
Module: Kernel::System::Web::InterfaceAgent::Run (OTRS 3.2.8) Line: 863
Module: PerlEx::Precompiler::c_::program20files2028x8629::otrs::otrs::bin::cgi2dbin::index_pl::__ANON__ (unknown version) Line: 41
Module: (eval) (unknown version) Line: 458
Module: PerlEx::Precompiler::Execute (unknown version) Line: 458

Re: Need help with OTRS and S/MIME

Post by crythias »

"Can't add invalid certificate!" is because the certificate is not returning the values sought.

Test it from a command line:

Code:

openssl x509 -in YOURFILENAME.CRT -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus 

It should show something like:
4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
notAfter=Aug 25 23:45:07 2020 GMT
user@domain
Modulus=B75926101EDFF50BD0B4CD3DBAC66CC0F8B7357ECE2BE20A6FE56DCB74389DA05CD855C93883F727010FBADF03501CC4BECE0935DE0A8653DF8F5728AA8C298DA85669241B8DC50752277A3D0B3836348DFA0F247D84B6BBCF73D32AE2C04CCF163BE76196606C4BD6F3ECA65FD227788B931F721E6D679B7F0B1CC5E6BF6797

If it does not, OTRS won't be able to handle the certificate.
---
For "Need Certificate of Private Key first -$Attributes{Modulus})!":

This arrives after searching the folder CertPath for files *.0 through *.9 (CertificateList) (Basically, a certificate for the certificate authority that provided the private key.)

You could just add it manually if you want, but you do need to have your certificate authority certificate in CertPath and it needs (may need?) to have (one of) a .0 through .9 added to the filename in order to be read:

Code:

sub CertificateList {
    my ( $Self, %Param ) = @_;

    my @CertList;
    # only files whose extension is a single digit 0..9 are picked up from CertPath
    my @Filters;
    for my $Number ( 0 .. 9 ) {
        push @Filters, "*.$Number";
    }

    my @List = $Self->{MainObject}->DirectoryRead(
        Directory => "$Self->{CertPath}",
        Filter    => \@Filters,
    );

    # ... (the rest of the routine, which fills @CertList from @List, is not quoted here)
}
---
Summary: your Private key can't be loaded because the Certificate Authority isn't available to check the Private key.
Your public key can't be loaded because (maybe?) it can't be read properly.

Re: Need help with OTRS and S/MIME

Post by skywww »

Hello!

I'm sorry, but it doesn't work.
I ran this command:

Code:

openssl x509 -in YOURFILENAME.CRT -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus 
(Only in my case it was YOURFILENAME.CER, not CRT.)

And I really see something like this in the file:
4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
and so on.
But when I try to add the certificate, I get the same error "Can't add invalid certificate!"

I'm at a deadlock.

Re: Need help with OTRS and S/MIME

Post by crythias »

Kernel/System/Crypt/SMIME.pm:

This is all it says:

Code:

    my %Attributes = $Self->CertificateAttributes( Certificate => $Param{Certificate}, );
    my %Result;

    if ( !$Attributes{Hash} ) { #If no attributes are returned
        $Self->{LogObject}->Log(
            Priority => 'error',
            Message  => 'Can\'t add invalid certificate!'
        );
        %Result = (
            Successful => 0,
            Message    => 'Can\'t add invalid certificate!',
        );
        return %Result;
    }
sub CertificateAttributes says, basically, read attributes, determine if this is a private cert, and return them. It calls:

sub _FetchAttributesFromCert

For fun and logging, let's add a Log entry after my $Output

Code:

    my $Output = qx{$Self->{Cmd} $Options 2>&1};
    $Self->{LogObject}->Log( Priority => 'info', Message => "Result of \$Output\n$Output" );
Add other logs where you see fit.

Also, I might point out that 3.2.8 is five versions behind the most recent release, which fixes a lot of bugs.

Can we verify C:/PROGRA~2/GnuWin32/bin/openssl.exe is the proper path for openssl?

Re: Need help with OTRS and S/MIME

Post by skywww »

Good Day!

Crythias, I added the extra logging in the PM file; now I see in the log:

[Mon Dec 9 15:53:52 2013][Error][Kernel::System::Crypt::SMIME::_FetchAttributesFromCert][1686] Result of $Output
"HOME" is not recognized as an internal or external command, operable program or batch file.

Where should I point the "HOME" variable?

I set it here (in Config.pm):

# S/MIME settings (supports smime)
$Self->{SMIME} =1;
# maybe openssl need a HOME env!
$ENV{HOME} = 'C:/PROGRA~2/GnuWin32/bin';
$Self->{'SMIME::Bin'} = 'C:/PROGRA~2/GnuWin32/bin';
$Self->{'SMIME::CertPath'} = 'C:/PROGRA~2/OTRS/OTRS/ssl/certs';
$Self->{'SMIME::PrivatePath'} = 'C:/PROGRA~2/OTRS/OTRS/ssl/private';

But the error is the same.

In the beginning of Config.pm I have this:
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = 'C:/PROGRA~2/OTRS/OTRS';


Where else should I set the "HOME" variable?

Re: Need help with OTRS and S/MIME

Post by skywww »

I'd like to add that I have a file otrs.log.error, and it is full of records:
"HOME" is not recognized as an internal or external command, operable program or batch file.
And every time I try to add a certificate, one more record is added.

Re: Need help with OTRS and S/MIME

Post by crythias »

Please edit your signature. I'm having trouble remembering what your OTRS version is.

Re: Need help with OTRS and S/MIME

Post by crythias »

Only in SMIME.pm:

Code:

    $Self->{Cmd}
        = "HOME=" . $Self->{ConfigObject}->Get('Home') . " RANDFILE=$ENV{RANDFILE} $Self->{Cmd}";
I *think* this is a bug/not applicable to Windows.

I can't confirm it, but you might want to comment those two lines.
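As an added illustration, not OTRS code, here is a Python model of the checks crythias traces in this thread: parsing the openssl x509 attribute listing the way _FetchAttributesFromCert reads $Output, the CertificateAdd guard that produces "Can't add invalid certificate!", and the *.0 .. *.9 file filter in CertificateList behind the private-key error. It also shows why the HOME= prefix breaks things on Windows: cmd.exe's error text is what ends up being parsed, so no attribute (and no Hash) is found. Attribute names, the matching rules and the modulus lookup are assumptions simplified from the snippets quoted above; the sample outputs are constructed, and cert_path_files maps file names in CertPath to each file's openssl output.

```python
import re
# Constructed sample: the attribute listing crythias shows above (modulus shortened and made up here)
GOOD_OUTPUT = """4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
notAfter=Aug 25 23:45:07 2020 GMT
user@domain
Modulus=C0FFEE0123456789ABCDEF
"""
# Constructed sample: cmd.exe's reply when the command line starts with HOME=..., as in skywww's log
WINDOWS_OUTPUT = '"HOME" is not recognized as an internal or external command, operable program or batch file.\n'
# One regex per attribute (names assumed); the subject hash line carries no key, and an error line matches nothing
LINE_PATTERNS = {
    "Hash": r"^([0-9a-f]{8})$",
    "Issuer": r"^issuer=\s*(.+)$",
    "Fingerprint": r"^SHA1 Fingerprint=(.+)$",
    "Serial": r"^serial=(.+)$",
    "Subject": r"^subject=\s*(.+)$",
    "StartDate": r"^notBefore=(.+)$",
    "EndDate": r"^notAfter=(.+)$",
    "Email": r"^(\S+@\S+)$",
    "Modulus": r"^Modulus=([0-9A-F]+)$",
}

def fetch_attributes(output):
    attrs = {}  # walk the output line by line, as _FetchAttributesFromCert does with $Output
    for line in output.splitlines():
        for name, pattern in LINE_PATTERNS.items():
            match = re.match(pattern, line.strip())
            if match and name not in attrs:
                attrs[name] = match.group(1)
                break
    return attrs

def certificate_add(output):
    attrs = fetch_attributes(output)  # the guard quoted from CertificateAdd
    if not attrs.get("Hash"):
        return False, "Can't add invalid certificate!"
    return True, attrs["Hash"]

def private_add(key_modulus, cert_path_files):
    for filename, output in cert_path_files.items():
        if not re.search(r"\.[0-9]$", filename):  # CertificateList only lists *.0 .. *.9
            continue  # so a helpdesk.cer dropped into CertPath is never examined
        if fetch_attributes(output).get("Modulus") == key_modulus:
            return True, filename
    return False, "Need Certificate of Private Key first -%s)!" % key_modulus
```

The practical check this models: the CA certificate has to sit in CertPath under a name ending in .0 through .9 (the subject hash is the conventional choice), and the private key is only accepted once a listed certificate carries the same modulus.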

Re: Need help with OTRS and S/MIME

Post by skywww »

Good Day!

Crythias, thank you a lot - great work.
I commented out these lines in SMIME.pm and "wooow!" I successfully imported the public certificate for my helpdesk e-mail and for the CA.
After this I successfully imported the secret key for the helpdesk e-mail.

And now when I receive a signed e-mail, I can read it in OTRS normally.

But when I receive a signed and encrypted e-mail, we cannot read it; in the OTRS interface we see an error:

"Impossible to decrypt: private key for email was not found!"

What does it mean? Should we point the imported secret key exactly to the e-mail somewhere?