luzar722 at gmail.com
Mon May 11 15:01:30 UTC 2015
Jon Radel wrote:
> On 5/10/15 5:07 PM, Ernie Luzar wrote:
>> Hello list;
>> Been trying to setup qpopper to use TLS.
>> I am stuck at getting a self signed certificate to work.
>> Running fetchmail on the host to get a good log of what is really
>> as shown below. After that list is the script I use to build the
>> Maybe some one can seen what I am doing wrong in the build cert script
>> based on the errors shown in the fetchmail list..
> A self-signed certificate and a certificate signed by your own CA
> aren't even remotely the same thing; I'm confused as to what you're
> trying to actually do. The list of openssl commands you give
> shouldn't result in a self-signed certificate. See section 4 of
> http://www.openssl.org/docs/HOWTO/certificates.txt for the incantation
> for a self-signed certificate.
What I am trying to do is get TLS working on my pop3 qpopper server
without paying for a official ca cert. I have tried both the self-signed
certificate method which I posted as part of the original post and a
certificate signed by my own CA using CA.pl script both with no joy. I
edited the openssl.cnf file to default to the correct values for the
items it prompts you for so I always get the same values.
>> fetchmail: Server certificate verification error: self signed
>> fetchmail: Missing trust anchor certificate:
> As a result, I'm kind of confused as to why fetchmail is complaining
> about a missing trust anchor for a self-signed certificate. But that
> does lead to the question: Did you install the CA certificate,
> CA.cert, where fetchmail will use it for verifying certificates? You
> should also realize that if you want to use your own CA, you're much
> better off not creating a new one willy-nilly, as you need to install
> the CA cert for every client which you want to actually verify the
> certificates signed by that CA. See
> for more.
Fetchmail is being used as a diagnostic tool. Fetchmail will follow how
a pop3 server is configured and in my case I am trying to test my pop3
qpopper server for TLS. From the original post posted fetchmail log you
see that the pop3 server is offering STLS. This is what I am expecting.
Then the log shows the certs are missing a anchor point. The posted
cert build script is not some thing I pulled out of the air or something
I make up as a guess. I have a few different combinations of openssl
command sequences form different articles I read on the internet and all
of them get the same error. I just point qpopper to use the key & cert
files made separately by openssl commands. What sequence of openssl
commands do you suggest I use?
More information about the freebsd-questions