Provide Self Signed Certificate to SquirrelMail

This section provides a tutorial example on how to provide download self-signed certificate from mail server and provide it SquirrelMail as a trusted certificate to resolve the invalid certificate error.

Continuing from the previous tutorial, let's find a way to allow SquirrelMail accepting the self signed certificate used by a remote mail server.

1. Download the self signed certificate from the remote IMAPS server.

herong$ openssl s_client -connect

depth=0 ..., CN =, ...
verify error:num=18:self signed certificate
Server certificate

2. Save the above certificate in a file, 192-168-1-100.crt. We need to provide it the PHP environment as a trusted certificate in 3 possible ways:

3. Run another PHP function call to find out how to PHP is searching for CA certificates.

herong$ php -r "print_r(openssl_get_cert_locations());"
  [default_cert_file] => /etc/pki/tls/cert.pem
  [default_cert_file_env] => SSL_CERT_FILE
  [default_cert_dir] => /etc/pki/tls/certs
  [default_cert_dir_env] => SSL_CERT_DIR
  [default_private_dir] => /etc/pki/tls/private
  [default_default_cert_area] => /etc/pki/tls
  [ini_cafile] =>
  [ini_capath] =>

4. Look at the first entry, /etc/pki/tls/cert.pem, in above searched locations. It has 136 CA certificates.

herong$ ls -l /etc/pki/tls/cert.pem

lrwxrwxrwx. 1 root root 49 Aug 12  2020 /etc/pki/tls/cert.pem ->

herong$ grep BEGIN cert.pem | wc
  136     274    3836

5. Add the self signed certificate to the end of /etc/pki/tls/cert.pem. And run the simulation code again. I do not see any errors. That is good.

herong$ su
# cat 192-168-1-100.crt >> /etc/pki/tls/cert.pem
# exit

herong$ php -r 'fsockopen("tls://", 993, $errno, $errmsg, 5);'

6. Run SquirrelMail test script again. I see no errors. SquirrelMail is accepting the self signed certificate now.

herong$ firefox http://localhost/mailx/src/configtest.php

Checking IMAP service....
    IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR ...

7. Log in to SquirrelMail Webmail in a Web browser. I can retrieve emails from the mail server.

herong$ firefox http://localhost/mailx

Please also notice that:

1. It seems to me that if "default_cert_file" is provided, PHP OpenSSL will not look at "default_cert_dir" for CA certificates.

2. There is a config.php example from SquirrelMail Website that suggests to use $imap_stream_options to provide self-signed certificates. But this setting is not support in the SquirrelMail 1.4.22 stable version. This could be a new feature in newer version.

* $imap_stream_options = array(
*     'ssl' => array(
*         'cafile' => '/etc/pki/tls/certs/ca-bundle.crt',
*         'verify_peer' => true,
*         'verify_depth' => 3,
*     ),
* );

Table of Contents

 About This Book

 Introduction to Linux Systems

 Process Management

 Files and Directories

 Running Apache HTTP Server (httpd) on Linux Systems

 Running Apache Tomcat on Linux Systems

 Running PHP Scripts on Linux Systems

 Running MySQL Database Server on Linux Systems

 Running Python Scripts on Linux Systems

 Conda - Environment and Package Manager

 GCC - C/C++ Compiler

 OpenJDK - Open-Source JDK

 Graphics Environments on Linux

SquirrelMail - Webmail in PHP

 SquirrelMail Webmail Installation on CentOS

 SquirrelMail Configuration on CentOS

 SquirrelMail for Mail Server on Local Network

 SquirrelMail Configuration for IMAPS Port 993

Provide Self Signed Certificate to SquirrelMail

 SquirrelMail Configuration for SMTPS Port 465

 SquirrelMail Configuration for QQ Mail

 Tools and Utilities


 Full Version in PDF/EPUB