Certificate error
Jon Radel
jon at radel.com
Mon May 11 19:40:45 UTC 2015
On 5/11/15 11:01 AM, Ernie Luzar wrote:
>
>>>
>>>
>>> fetchmail: Server certificate verification error: self signed
>>> certificate
>>> fetchmail: Missing trust anchor certificate:
>>>
>>>
>> As a result, I'm kind of confused as to why fetchmail is complaining
>> about a missing trust anchor for a self-signed certificate. But that
>> does lead to the question: Did you install the CA certificate,
>> CA.cert, where fetchmail will use it for verifying certificates? You
>> should also realize that if you want to use your own CA, you're much
>> better off not creating a new one willy-nilly, as you need to install
>> the CA cert for every client which you want to actually verify the
>> certificates signed by that CA. See
>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html
>> for more.
> Fetchmail is being used as a diagnostic tool. Fetchmail will follow
> how a pop3 server is configured and in my case I am trying to test my
> pop3 qpopper server for TLS. From the original post posted fetchmail
> log you see that the pop3 server is offering STLS. This is what I am
> expecting. Then the log shows the certs are missing a anchor point.
Hence my question as to whether you installed the CA.cert for
fetchmail. Which you appear to have not answered. Nor do you seem to
have read the reference on the fetchmail mailing list that addresses how
to either make fetchmail less picky about certificates or install the CA
root certificate.
> The posted cert build script is not some thing I pulled out of the air
> or something I make up as a guess.
Never said you were. I did point out that you were showing commands to
sign a certificate with your own CA in an e-mail where you were
complaining about being unable to get a self-signed certificate to
work. If you're mixing and matching bits and pieces of different
experiments in the same question, this rapidly becomes even more of a
futile exercise than it already is.
> I have a few different combinations of openssl command sequences form
> different articles I read on the internet and all of them get the same
> error. I just point qpopper to use the key & cert files made
> separately by openssl commands.
Yeah, but the last little bit of logging doesn't have qpopper the least
bit upset so far as I can tell; it's got fetchmail upset. What does
fetchmail have installed?
> What sequence of openssl commands do you suggest I use?
>
Alas, alack, I find it hard to care; either type of certificate can be
made to work with differing tradeoffs. Personally I simply use
https://www.cacert.org when I need a free certificate in a place where I
control the clients. But if you go that route, YOU STILL NEED TO
INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL! I would suggest you
search for a tutorial on how TLS works that you're comfortable with and
study it with care.
In any case, this:
> fetchmail: POP3< STLS
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK STLS
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Powerman
> fetchmail: Issuer CommonName: pop.powerman.com
> fetchmail: Subject CommonName: pop.powerman.com
> fetchmail: pop.a1poweruser.com key fingerprint:
> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Missing trust anchor certificate:
makes me think you may have a certificate installed just fine on qpopper
and are simply ignoring that the default behavior of fetchmail is to be
very picky about certificates. In other words, you may be abusing your
diagnostic tool something terrible, and results with your actual
client(s) may be completely different, depending on how they feel about
using TLS for verification as opposed to for *only* encryption.
Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.
--Jon Radel
jon at radel.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3870 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20150511/6f567d8b/attachment.bin>
More information about the freebsd-questions
mailing list