SSL certificate renewal

Kelly from the data center informs us all, take notice:

Our current “mail.dreamhost.com” certificate used by most of you for SSL email is up for renewal on Friday! We will be replacing it with a newer, better certificate with the name:

*.mail.dreamhost.com

It is also signed by an internal certificate authority, “New Dream Network Certificate Authority”. This means two things! First, most of you will get a popup saying “This certificate is new and untrusted! The world is ending!”. If you press CANCEL the connection will not go through, and you will have a chance to install our NDN CA certificate into your email client. This will allow your computer to trust us!

http://wiki.dreamhost.com/NDN_Certificate <---<<< link to installation instructions in our Wiki
https://dreamhost.com/ca/ndn.ca.crt <---<<< link to certificate file data

If you have any problems, please do not hesitate to contact us! This should make your email client not pop up a warning about how the certificate is from an untrusted or unknown certificate authority. This is different from the next (usual) warning about the certificate name not matching the host you are connecting to!

To get rid of the host mismatch error, all you need to do is head on over to https://panel.dreamhost.com/ and log in. In the upper right, click the link that says “Account Status”, then make note of your “email server”. You will want to edit your IMAP, POP, and SMTP servers to be something along the lines of:

a1.balanced.email-server.mail.dreamhost.com
For example: a1.balanced.spunky.mail.dreamhost.com

That’s it! No more annoying popup windows when using SSL! It is now more secure than previously.

FAQ:
1. Why don’t these instructions work for Apple Mail?
-It seems there is a bug in Apple Mail. It does not properly use wildcard certificates. (*.mail.dreamhost.com should match any “word.mail.dreamhost.com”.) We will be contacting them on Monday regarding this issue. Remember, it’s not worse than it was previously!

2. Why not get a REAL certificate signed by VeriSign?
-This is a REAL certificate, and the SSL works just the same.

3. I don’t trust you, I have too many computers to do this on, I can’t expect my clients to install that CA certificate, etc, do I have to install the NDN CA certificate?
-No! Just click to accept the *.mail.dreamhost.com certificate permanently and it shouldn’t bother you until we renew or change the certificate. Installing the CA certificate would allow us to renew the certificate transparently.

4. Why don’t you set the content-type properly on the above link?
-It’s easier to save the file to disk for importing into Thunderbird, etc, if we don’t. Otherwise IE and Firefox both try to process the certificate.

5. What are the vital stats on the new certificate?

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            e8:c8:92:78:d0:05:ce:5f
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=New Dream Network, LLC, OU=Security, CN=New Dream Network Certificate Authority/emailAddress=support@dreamhost.com
        Validity
            Not Before: Apr 12 00:48:57 2007 GMT
            Not After : Apr 9 00:48:57 2017 GMT
        Subject: C=US, ST=California, L=Brea, O=Dreamhost.com, OU=Security, CN=*.mail.dreamhost.com/emailAddress=support@dreamhost.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

Modulus=E84958AF3CBFB6AA1060288E83E1B97CF75312B9EEBC194C71EB1A3A477706746134DFC
AD8539ACAA161284CA27C04E70DE479DB825E0EC1D5E0F479C380315F42D46304BE8D064458073
9A33D853A1B70CEF73C6389B09E31AA286B9031EC9CE68BEFBB8A6846E1F40AA6F34A218B5A72F
62C0A52B7B276998B909E344162FB
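
The wildcard matching that the host name instructions and FAQ 1 depend on, as an added example that is not DreamHost's code: under RFC 2818 and RFC 6125 a `*` in a certificate name stands for exactly one label, so a strict client and a looser one can disagree about the same server name. The function names, the lenient rule and the hosts marked as constructed are assumptions made for illustration.

```python
# Added example (not DreamHost code): how a strict client decides whether a
# wildcard certificate name covers the mail server name it was told to use.

def wildcard_match(pattern: str, hostname: str) -> bool:
    """Strict rule: '*' must be the whole left-most label and stands for
    exactly one label; the comparison is case-insensitive."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # label counts must agree
    if any("*" in label for label in p[1:]):
        return False                      # wildcard only in the first label
    if p[1:] != h[1:]:
        return False                      # fixed labels must match exactly
    if p[0] == "*":
        return len(p) >= 3                # refuse over-broad names like "*.com"
    return "*" not in p[0] and p[0] == h[0]


def lenient_match(pattern: str, hostname: str) -> bool:
    """Looser rule, shown for contrast (an assumption, not any specific
    client's code): '*' may stand for several dot-separated labels."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                  # ".mail.dreamhost.com"
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


def compare(pattern: str, hosts: list[str]) -> dict[str, tuple[bool, bool]]:
    """Map each host to (strict result, lenient result)."""
    return {h: (wildcard_match(pattern, h), lenient_match(pattern, h)) for h in hosts}


CERT_NAME = "*.mail.dreamhost.com"        # name of the new certificate
HOSTS = [
    "spunky.mail.dreamhost.com",               # constructed: one label before mail
    "a1.balanced.spunky.mail.dreamhost.com",   # the post's example server name
    "mail.dreamhost.com",                      # name on the old certificate
    "mail.dreamhost.com.example.net",          # constructed look-alike
]

if __name__ == "__main__":
    for host, (strict, loose) in compare(CERT_NAME, HOSTS).items():
        print(f"{host:40} strict={strict!s:5} lenient={loose}")
```

A client that applies the strict rule still reports a name mismatch for a server name with several labels in front of mail.dreamhost.com, even after the CA certificate is trusted.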
