From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Date: Mon, 11 May 2015 15:40:42 -0400
Subject: Re: Certificate error
Message-ID: <555105BA.4010702@radel.com>
In-Reply-To: <5550C454.60202@gmail.com>
References: <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com> <5550C454.60202@gmail.com>
On 5/11/15 11:01 AM, Ernie Luzar wrote:
>
>>> fetchmail: Server certificate verification error: self signed certificate
>>> fetchmail: Missing trust anchor certificate:
>>>
>> As a result, I'm kind of confused as to why fetchmail is complaining
>> about a missing trust anchor for a self-signed certificate. But that
>> does lead to the question: Did you install the CA certificate,
>> CA.cert, where fetchmail will use it for verifying certificates? You
>> should also realize that if you want to use your own CA, you're much
>> better off not creating a new one willy-nilly, as you need to install
>> the CA cert for every client which you want to actually verify the
>> certificates signed by that CA. See
>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html
>> for more.
> Fetchmail is being used as a diagnostic tool. Fetchmail will follow
> how a pop3 server is configured and in my case I am trying to test my
> pop3 qpopper server for TLS. From the fetchmail log posted in the
> original post you see that the pop3 server is offering STLS. This is
> what I am expecting. Then the log shows the certs are missing an
> anchor point.

Hence my question as to whether you installed the CA.cert for
fetchmail. Which you appear to have not answered. Nor do you seem to
have read the reference on the fetchmail mailing list that addresses how
to either make fetchmail less picky about certificates or install the CA
root certificate.

> The posted cert build script is not something I pulled out of the air
> or something I made up as a guess.

Never said you were. I did point out that you were showing commands to
sign a certificate with your own CA in an e-mail where you were
complaining about being unable to get a self-signed certificate to
work.
If you're mixing and matching bits and pieces of different
experiments in the same question, this rapidly becomes even more of a
futile exercise than it already is.

> I have a few different combinations of openssl command sequences from
> different articles I read on the internet and all of them get the same
> error. I just point qpopper to use the key & cert files made
> separately by openssl commands.

Yeah, but the last little bit of logging doesn't have qpopper the least
bit upset so far as I can tell; it's got fetchmail upset. What does
fetchmail have installed?

> What sequence of openssl commands do you suggest I use?
>

Alas, alack, I find it hard to care; either type of certificate can be
made to work with differing tradeoffs. Personally I simply use
https://www.cacert.org when I need a free certificate in a place where I
control the clients. But if you go that route, YOU STILL NEED TO
INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL! I would suggest you
search for a tutorial on how TLS works that you're comfortable with and
study it with care.

In any case, this:

> fetchmail: POP3< STLS
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK STLS
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Powerman
> fetchmail: Issuer CommonName: pop.powerman.com
> fetchmail: Subject CommonName: pop.powerman.com
> fetchmail: pop.a1poweruser.com key fingerprint: 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Missing trust anchor certificate:

makes me think you may have a certificate installed just fine on qpopper
and are simply ignoring that the default behavior of fetchmail is to be
very picky about certificates.
In other words, you may be abusing your
diagnostic tool something terrible, and results with your actual
client(s) may be completely different, depending on how they feel about
using TLS for verification as opposed to for *only* encryption.

Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.

--Jon Radel
jon@radel.com
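The point of the reply above, in a form that can be run offline: a strict client such as fetchmail rejects a server certificate until that certificate's trust anchor is in the client's own store, and which file is the anchor depends on the kind of certificate. For a self-signed server certificate the anchor is the certificate itself; for a certificate signed by a private CA (the "cert build script" case) the anchor is the CA certificate, and the server certificate alone will never verify no matter how it was made. The script below is an added example, not code from this thread or from fetchmail or qpopper. It assumes only a POSIX shell and an `openssl` binary (1.1 or later); the subjects, file names and the work directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): generate throwaway certificates with
# openssl and show when a strict verifier accepts them. All names here are
# constructed for the demonstration; WORK defaults to a fresh temp directory.
WORK="${WORK:-$(mktemp -d)}"

# Case A: a self-signed server certificate. Its trust anchor is itself.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/O=Example/CN=pop.example.test" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# Case B: a private CA plus a server certificate signed by it (the kind of
# command sequence the thread mentions). The trust anchor is the CA cert.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/O=Example/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=pop.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_cert CERT [ANCHOR]: run the chain check a strict client performs and
# print "OK", or "error N" with openssl's X509 verify code (18 = self-signed
# certificate at depth 0, 20 = no local issuer found, i.e. the missing trust
# anchor). Without ANCHOR only the system store is consulted, which never
# contains a certificate you just generated: the "nothing installed" case.
verify_cert() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo "OK" ;;
        *) printf '%s\n' "$out" \
             | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/error \1/p' \
             | head -n 1 ;;
    esac
}

# Demo: the same certificate fails or passes depending only on what the
# client has been told to trust, which is the thread's point about fetchmail.
demo() {
    make_self_signed
    make_ca_signed
    echo "self-signed, no anchor installed:   $(verify_cert "$WORK/selfsigned.crt")"
    echo "self-signed, cert itself as anchor: $(verify_cert "$WORK/selfsigned.crt" "$WORK/selfsigned.crt")"
    echo "CA-signed, no anchor installed:     $(verify_cert "$WORK/server.crt")"
    echo "CA-signed, CA cert as anchor:       $(verify_cert "$WORK/server.crt" "$WORK/ca.crt")"
    # Against a live POP3 server the equivalent check is:
    #   openssl s_client -starttls pop3 -connect pop.example.test:110 -CAfile "$WORK/ca.crt"
    # and the "Verify return code" line is what to read; the session being
    # encrypted says nothing about whether the certificate was verified.
}

demo
```

Run it as-is and the first and third lines report `error 18` and `error 20`, the second and fourth `OK`. For fetchmail the anchor file goes where its `sslcertfile` option points, or into the `sslcertpath` directory after running `c_rehash` on it; `sslfingerprint` pins the fingerprint fetchmail printed instead of verifying a chain. The FAQ entry linked above describes those options.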