[SOLVED] Need help with OTRS and S/MIME
Moderator: crythias
Good Day!
We use OTRS 3.2.8 + MS SQL + IIS + customer AD integration + Windows AD CA.
We need S/MIME support to read encrypted incoming mail.
We installed OpenSSL for Windows in the standard Windows folder "C:\Program Files".
We pointed the settings in the config section to the openssl folder here "otrs/index.pl?Action=AdminSysConfig;Subaction=Edit;SysConfigSubGroup=Crypt%3A%3ASMIME;SysConfigGroup=Framework"
Separately, we issued a certificate and private key for our helpdesk@mydomain.com account.
We exported the private key + certificate from the OS certificates MMC console into a .pfx file with a password, and exported the certificate into a .cer file.
When we try to import the .cer file here "/otrs/index.pl?Action=AdminSMIME;Subaction=ShowAddCertificate" we get the error "Can't add invalid certificate! "
When we try to import the .pfx file (with password) here "otrs/index.pl?Action=AdminSMIME;Subaction=ShowAddPrivate" we get the error "Need Certificate of Private Key first -$Attributes{Modulus})! "
The question is: how do we install the .pfx and .cer files in OTRS?
OTRS 3.2.8 on Windows Server 2008 R2 + MS SQL 2008 R2 Database and IIS.
Re: Need help with OTRS and S/MIME
What OS are you using for OTRS?
You should make sure the paths are valid for you
Edit Config Settings in Framework -> Crypt::SMIME
certs are likely .crt or .pem
private are likely .pem or .key
This or this might help.
OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask
Re: Need help with OTRS and S/MIME
Good Day!
Crythias, thanks for the reply.
OS Windows Server 2008 R2.
I checked my Crypt::SMIME settings, here they are:
Enables S/MIME support. : Yes
SMIME::Bin : C:/PROGRA~2/GnuWin32/bin/openssl.exe
SMIME::CertPath : C:/PROGRA~2/OTRS/OTRS/ssl/certs
SMIME::PrivatePath : C:/PROGRA~2/OTRS/OTRS/ssl/private
Then I used the links that you pointed to and extracted *.pem files (secret and public) from the pfx.
Sorry, but no result after these actions.
When I try to add the private key - the same error - "Need Certificate of Private Key first -$Attributes{Modulus})! "
When I try to add the public key - the same error - "Can't add invalid certificate! "
Can you help with it? Maybe I should try something else...
Re: Need help with OTRS and S/MIME
I googled the very same problem here http://lists.otrs.org/pipermail/otrs-de ... 14608.html
But no decision.
Re: Need help with OTRS and S/MIME
"In theory, you *can* place the files in place manually." - It doesn't work.
They are already there from the beginning.
I see in Perl log this when I try to import it in OTRS:
*** 'C:\Program Files (x86)\OTRS\OTRS\bin\cgi-bin\index.pl' log message at: 2013/12/04 11:27:45
ERROR: OTRS-CGI-10 Perl: 5.16.3 OS: MSWin32 Time: Wed Dec 4 11:25:42 2013
Message: Can't add invalid certificate!
RemoteAddress: 192.168.100.10
RequestURI: /otrs/index.pl
Traceback (7980):
Module: Kernel::System::Crypt::SMIME::CertificateAdd (OTRS 3.2. Line: 571
Module: Kernel::Modules::AdminSMIME::Run (OTRS 3.2. Line: 181
Module: Kernel::System::Web::InterfaceAgent::Run (OTRS 3.2. Line: 863
Module: PerlEx::Precompiler::c_::program20files2028x8629::otrs::otrs::bin::cgi2dbin::index_pl::__ANON__ (unknown version) Line: 41
Module: (eval) (unknown version) Line: 458
Module: PerlEx::Precompiler::Execute (unknown version) Line: 458
Re: Need help with OTRS and S/MIME
"Can't add invalid certificate!" is because the certificate is not returning the values sought
..
test it from a command line:
Code: Select all
openssl x509 -in YOURFILENAME.CRT -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus
It should show something like:
4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
notAfter=Aug 25 23:45:07 2020 GMT
user@domain
Modulus=B75926101EDFF50BD0B4CD3DBAC66CC0F8B7357ECE2BE20A6FE56DCB74389DA05CD855C93883F727010FBADF03501CC4BECE0935DE0A8653DF8F5728AA8C298DA85669241B8DC50752277A3D0B3836348DFA0F247D84B6BBCF73D32AE2C04CCF163BE76196606C4BD6F3ECA65FD227788B931F721E6D679B7F0B1CC5E6BF6797
If it does not, OTRS won't be able to handle the certificate.
---
For "Need Certificate of Private Key first -$Attributes{Modulus})!":
This arrives after searching the folder CertPath for files *.0 through *.9 (CertificateList) (Basically, a certificate for the certificate authority that provided the private key.)
You could just add it manually if you want, but you do need to have your certificate authority certificate in CertPath and it needs (may need?) to have (one of) a .0 through .9 added to the filename in order to be read:
Code: Select all
sub CertificateList {
    my ( $Self, %Param ) = @_;

    my @CertList;
    my @Filters;

    # only files ending in .0 through .9 are picked up
    for my $Number ( 0 .. 9 ) {
        push @Filters, "*.$Number";
    }

    my @List = $Self->{MainObject}->DirectoryRead(
        Directory => "$Self->{CertPath}",
        Filter    => \@Filters,
    );
    # (excerpt: the rest of the sub is not shown in the post)
Summary: your Private key can't be loaded because the Certificate Authority isn't available to check the Private key.
Your public key can't be loaded because (maybe?) it can't be read properly.
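The check described in the post above, as an added example that is not part of the thread and is not OTRS code: it parses the output of that `openssl x509` command into named attributes and rejects the import when no subject hash comes back, which is also what happens when the shell prints an error instead of running openssl. The function and attribute names are this example's own, both inputs are constructed, and the `<hash>.0` file name follows OpenSSL's hashed-directory convention (that OTRS names its files this way is an assumption).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parses the text printed by
#   openssl x509 -in FILE -noout -subject_hash -issuer -fingerprint -sha1 \
#       -serial -subject -startdate -enddate -email -modulus
# into named attributes. The attribute names are this example's own.
sub parse_x509_output {
    my ($output) = @_;
    my %attr;
    for my $line ( split /\r?\n/, $output ) {
        if    ( $line =~ /^([0-9a-f]{8})$/ )          { $attr{Hash}        = $1 }
        elsif ( $line =~ /^issuer=\s*(.+)$/ )         { $attr{Issuer}      = $1 }
        elsif ( $line =~ /^SHA1 Fingerprint=(.+)$/i ) { $attr{Fingerprint} = $1 }
        elsif ( $line =~ /^serial=(.+)$/ )            { $attr{Serial}      = $1 }
        elsif ( $line =~ /^subject=\s*(.+)$/ )        { $attr{Subject}     = $1 }
        elsif ( $line =~ /^notBefore=(.+)$/ )         { $attr{StartDate}   = $1 }
        elsif ( $line =~ /^notAfter=(.+)$/ )          { $attr{EndDate}     = $1 }
        elsif ( $line =~ /^Modulus=([0-9A-Fa-f]+)$/ ) { $attr{Modulus}     = uc $1 }
        elsif ( $line =~ /^(\S+\@\S+)$/ )             { $attr{Email}       = $1 }
    }
    return %attr;
}

# Applies the "no hash, no certificate" rule and reports the file name an
# importer using OpenSSL's <subject_hash>.<n> naming would pick (assumption).
sub import_decision {
    my ($output) = @_;
    my %attr = parse_x509_output($output);
    return "rejected: no subject hash in openssl output" if !$attr{Hash};
    my $email = defined $attr{Email} ? $attr{Email} : 'unknown address';
    return "accepted as $attr{Hash}.0 for $email";
}

# Constructed sample 1: modelled on the output shown in the post
# (modulus shortened).
my $good = <<'END';
4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
notAfter=Aug 25 23:45:07 2020 GMT
user@domain
Modulus=B75926101EDFF50B
END

# Constructed sample 2: the shell reported an error and openssl never ran.
# With stderr merged into stdout, this text is all the caller receives.
my $bad = qq{'openssl' is not recognized as an internal or external command,\r\n}
        . qq{operable program or batch file.\r\n};

print import_decision($good), "\n";
print import_decision($bad),  "\n";
```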
Re: Need help with OTRS and S/MIME
Hello!
I'm sorry but it doesn't work.
I ran this command
Code: Select all
openssl x509 -in YOURFILENAME.CRT -noout -subject_hash -issuer -fingerprint -sha1 -serial -subject -startdate -enddate -email -modulus
(only in my case it was YOURFILENAME.CER, not CRT).
And I see in file really something like this
4c83e869
issuer= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
SHA1 Fingerprint=54:CA:6A:BB:A2:16:39:24:6D:07:6F:A8:A5:9D:46:4B:8C:6C:5B:EF
serial=B197069090D80906
subject= /C=US/ST=State/L=City/O=My Computer/CN=My Name/emailAddress=user@domain
notBefore=Aug 28 23:45:07 2010 GMT
and so on
But when I try to add certificate - I get the same error "Can't add invalid certificate!"
I'm at a deadlock.
Re: Need help with OTRS and S/MIME
Kernel/System/Crypt/SMIME.pm:
This is all it says:
Code: Select all
my %Attributes = $Self->CertificateAttributes( Certificate => $Param{Certificate}, );
my %Result;
if ( !$Attributes{Hash} ) {    # If no attributes are returned
    $Self->{LogObject}->Log(
        Priority => 'error',
        Message  => 'Can\'t add invalid certificate!'
    );
    %Result = (
        Successful => 0,
        Message    => 'Can\'t add invalid certificate!',
    );
    return %Result;
}
sub CertificateAttributes says, basically, read attributes, determine if this is a private cert, and return them. It calls:
sub _FetchAttributesFromCert
For fun and logging, let's add a Log entry after my $Output
Code: Select all
my $Output = qx{$Self->{Cmd} $Options 2>&1};
$Self->{LogObject}->Log( Priority => 'info', Message => "Result of \$Output\n$Output" );
add other logs where you see fit.
Also, I might point out that 3.2.8 is five versions behind the most recent release, and fixes a lot of bugs
Can we verify C:/PROGRA~2/GnuWin32/bin/openssl.exe is the proper path for openssl?
Re: Need help with OTRS and S/MIME
Good Day!
Crythias, I added extra logging in PM file, now I see in log:
[Mon Dec 9 15:53:52 2013][Error][Kernel::System::Crypt::SMIME::_FetchAttributesFromCert][1686] Result of $Output
"HOME" is not recognized as an internal or external command, operable program or batch file.
Where should I point "HOME" variable ?
I set it here (in Config.PM):
# S/MIME settings (supports smime)
$Self->{SMIME} =1;
# maybe openssl need a HOME env!
$ENV{HOME} = 'C:/PROGRA~2/GnuWin32/bin';
$Self->{'SMIME::Bin'} = 'C:/PROGRA~2/GnuWin32/bin';
$Self->{'SMIME::CertPath'} = 'C:/PROGRA~2/OTRS/OTRS/ssl/certs';
$Self->{'SMIME::PrivatePath'} = 'C:/PROGRA~2/OTRS/OTRS/ssl/private';
But error is the same.
In the beginning of Config.PM I have this:
# fs root directory
# ---------------------------------------------------- #
$Self->{Home} = 'C:/PROGRA~2/OTRS/OTRS';
Where should I set "HOME" variable else ?
Re: Need help with OTRS and S/MIME
I'd like to add - I have a file otrs.log.error - it is full of records:
"HOME" is not recognized as an internal or external command, operable program or batch file.
And every time I try to add certificate one record adds.
Re: Need help with OTRS and S/MIME
Please edit your signature. I'm having trouble remembering what your OTRS version is.
Re: Need help with OTRS and S/MIME
only in SMIME.pm:
Code: Select all
$Self->{Cmd}
    = "HOME=" . $Self->{ConfigObject}->Get('Home') . " RANDFILE=$ENV{RANDFILE} $Self->{Cmd}";
I *think* this is a bug/not applicable to Windows.
I can't confirm it, but you might want to comment those two lines.
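Why the prefix in the snippet above leads to the logged `"HOME" is not recognized` message under cmd.exe, and one shell-independent way to hand HOME and RANDFILE to a child process, as an added example that is not OTRS code and not from the thread. `cmd_exe_command_name` is a simplified model of how cmd.exe tokenises a line, the RANDFILE value is constructed, and on Windows the list form of pipe open needs Perl 5.22 or later.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model: cmd.exe splits the line on spaces, '=', ',' and ';',
# so the first token becomes the program name.
sub cmd_exe_command_name {
    my ($cmdline) = @_;
    my ($name) = grep { length } split /[\s=,;]+/, $cmdline;
    return $name;
}

# A POSIX shell treats leading NAME=value words as assignments that apply
# to the command following them.
sub posix_sh_command_name {
    my ($cmdline) = @_;
    my @words = split ' ', $cmdline;
    shift @words while @words && $words[0] =~ /^[A-Za-z_][A-Za-z0-9_]*=/;
    return $words[0];
}

# Run a command with extra environment variables for the child only.
sub run_with_env {
    my ( $env, @cmd ) = @_;
    local @ENV{ keys %{$env} } = values %{$env};    # restored on return

    # List form: neither sh nor cmd.exe parses the command line.
    open( my $fh, '-|', @cmd ) or die "cannot run $cmd[0]: $!";
    my $out = do { local $/; <$fh> };
    close $fh;
    return defined $out ? $out : '';
}

my $home     = 'C:/PROGRA~2/OTRS/OTRS';                   # Home value from the thread
my $randfile = "$home/var/tmp/.rnd";                      # constructed value
my $openssl  = 'C:/PROGRA~2/GnuWin32/bin/openssl.exe';    # SMIME::Bin from the thread
my $prefixed = "HOME=$home RANDFILE=$randfile $openssl x509 -noout -subject_hash";

print "cmd.exe runs:  ", cmd_exe_command_name($prefixed),  "\n";
print "POSIX sh runs: ", posix_sh_command_name($prefixed), "\n";

# The child here is perl itself, standing in for openssl.
my $seen = run_with_env(
    { HOME => $home, RANDFILE => $randfile },
    $^X, '-e', 'print $ENV{HOME}',
);
print "child saw HOME=$seen\n";
print "parent HOME is ", ( defined $ENV{HOME} ? $ENV{HOME} : '(unset)' ), "\n";
```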
Re: Need help with OTRS and S/MIME
Good Day!
Crythias, thank you a lot - a great work.
I commented these lines in SMIME.pm and "wooow!" I successfully imported open certificate for my helpdesk e-mail and for CA.
After this I successfully imported secret key for helpdesk e-mail.
And now when I receive signed e-mail - I can read it in OTRS normally.
But when I receive signed and crypted e-mail - we cannot read it - in OTRS interface we see an error:
"Impossible to decrypt: private key for email was not found!"
What does it mean? Should we point imported secret key exactly for e-mail somewhere?