View Issue Details

ID: 0006117
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2025-04-24 07:44
Reporter: litauer
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 5.11.2
Summary: 0006117: unable to verify message signature
Description

It's not really a bug, I think. But I am not able to find any documentation about how to add a root CA certificate to SOGo so that SOGo is able to validate a signature.

We get our certificates from harica.gr.
/etc/ssl/certs contains
HARICA_TLS_ECC_Root_CA_2021.pem
HARICA_TLS_RSA_Root_CA_2021.pem

Receiving a signed email leads to "unable to verify message signature". Issuer of the signature is
Organisation: Hellenic Academic and Research Institutions CA
Common Name: HARICA S/MIME RSA

So the signature should be shown as valid. Maybe I have to add the HARICA certs to a SOGo keystore?

Steps To Reproduce

Send an S/MIME-signed email signed with a HARICA-issued certificate.

Tags: No tags attached.

Activities

qhivert

2025-04-23 09:26

administrator   ~0018194

Hello,
SOGo uses openssl. So I'm guessing just install your certificates according to your OS guideline and test it with openssl? I've never done it myself so this is just a guess.

schmirl

2025-04-24 07:09

reporter   ~0018196

The "HARICA TLS" CAs are the root CAs for Webserver certificates. The root CAs for S/MIME certificates are the "HARICA Client" CAs.

As many CAs use different root CAs for TLS and S/MIME, it is important to install a certificate bundle with the CAs used for issuing certificates with purpose "Email Protection". curl comes with a tool for this:
https://curl.se/docs/mk-ca-bundle.html

We use the following command:
mk-ca-bundle.pl -d nss -p EMAIL_PROTECTION:TRUSTED_DELEGATOR ca-bundle-mail.crt

litauer

2025-04-24 07:25

reporter   ~0018197

Thanks a lot for your answers. We solved our problem by downloading and importing the Client CAs to our server.
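
The failure and the fix discussed in the notes above can be reproduced offline with openssl. This is an added example, not part of the original thread or of SOGo: it builds two constructed roots (stand-ins for a "TLS" root and a "Client" root, not HARICA's real certificates), signs a message with a certificate issued by the client root only, and verifies it against each root in turn. Assumptions: the signer is issued directly by the root (no intermediate CA), and all names and addresses are made up.

```shell
#!/bin/sh
# Constructed demo: every CA, key, address and message below is generated locally.
set -u
W=$(mktemp -d) && trap 'rm -rf "$W"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$W/cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[smime]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF

# make_root NAME: self-signed root, written to $W/NAME.pem and $W/NAME.key
make_root() {
  openssl req -config "$W/cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo $1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
make_root tls-root      # stands in for the web-server ("TLS") root
make_root client-root   # stands in for the S/MIME ("Client") root

# Signer certificate with the Email Protection purpose, issued by the client root only.
openssl req -config "$W/cnf" -new -newkey rsa:2048 -nodes -subj "/CN=Alice" \
  -keyout "$W/alice.key" -out "$W/alice.csr" 2>/dev/null
openssl x509 -req -in "$W/alice.csr" -CA "$W/client-root.pem" \
  -CAkey "$W/client-root.key" -set_serial 2 -days 2 \
  -extfile "$W/cnf" -extensions smime -out "$W/alice.pem" 2>/dev/null

printf 'constructed test message\n' > "$W/msg.txt"
openssl smime -sign -in "$W/msg.txt" -signer "$W/alice.pem" \
  -inkey "$W/alice.key" -out "$W/signed.eml" 2>/dev/null

# verify_with BUNDLE: exit status 0 only if the signature chains to a root in BUNDLE
verify_with() {
  openssl smime -verify -in "$W/signed.eml" -CAfile "$1" \
    -purpose smimesign -out /dev/null 2>/dev/null
}

for b in tls-root client-root; do
  if verify_with "$W/$b.pem"; then echo "$b: signature verified"
  else echo "$b: unable to verify"; fi
done
```

The same `openssl smime -verify -CAfile ... -purpose smimesign` check can be pointed at a saved message and a real mail CA bundle to confirm the trust store before testing in the webmail client.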

Issue History

Date Modified Username Field Change
2025-04-23 09:04 litauer New Issue
2025-04-23 09:26 qhivert Note Added: 0018194
2025-04-23 09:26 qhivert Assigned To => qhivert
2025-04-23 09:26 qhivert Status new => feedback
2025-04-24 07:09 schmirl Note Added: 0018196
2025-04-24 07:25 litauer Note Added: 0018197
2025-04-24 07:25 litauer Status feedback => assigned
2025-04-24 07:44 qhivert Status assigned => resolved
2025-04-24 07:44 qhivert Resolution open => fixed