Date: Wed, 8 Sep 2004 11:39:32 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: questions@freebsd.org
Message-ID: <20040908113056.X4661@prime.gushi.org>
Subject: default directory for certs

Hey all,

I recently upgraded my mail server using sendmail to use full StartTLS/SSL, using a "real" (geotrust) certificate.

However, pine complains loudly at me that it cannot verify the certificate. A quick google search on the error yielded this page:

https://email.mtu.edu/docs/public/pine_ssl/

Now, the directions are straightforward enough, but I can't find the certs directory. A quick "locate" yields a bunch in /usr/src/crypto/openssl/certs, but nothing in a "production" directory.

Are the standard root certs not installed by default? Should they be?

*IF SO* What directory should I be using?

The FAQ file in /usr/src/crypto/openssl has this to say:

* Why does fail with a certificate verify error?

This problem is usually indicated by log messages saying something like "unable to get local issuer certificate" or "self signed certificate". When a certificate is verified its root CA must be "trusted" by OpenSSL this typically means that the CA certificate must be placed in a directory or file and the relevant program configured to read it. The OpenSSL program 'verify' behaves in a similar way and issues similar error messages: check the verify(1) program manual page for more information.

However, the verify man page isn't in the default manpath, either.

--
"this is too stupid even for irc"
-mtreal, EFnet #macintosh, 09/15/2K, 12:33 AM

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
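
Added example, not part of the original message: the FAQ passage quoted above says the root CA must be placed in a directory or file that the program reads. The script below builds a constructed test CA and server certificate (all names and paths are made up) and shows `openssl verify` failing with no trust anchor, then succeeding with a CA file and with a hashed certificate directory; `openssl version -d` prints the directory this OpenSSL build uses by default.

```shell
#!/bin/sh
# Added example. The CA, host name and paths below are constructed test values.

# Print the directory this OpenSSL build uses by default (OPENSSLDIR).
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/'
}

# Create a throwaway root CA and a server certificate signed by it in $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

# Install a CA into a lookup directory: OpenSSL finds it as <subject-hash>.0
install_ca() {   # $1 = CA file, $2 = certs directory
    mkdir -p "$2" &&
    cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Verify with no trust anchors at all; this is expected to fail.
verify_untrusted() { openssl verify -no-CAfile -no-CApath "$1" 2>&1; }

# Verify against a single CA file, or against a hashed directory.
verify_with_file() { openssl verify -no-CApath -CAfile "$2" "$1" 2>&1; }
verify_with_dir()  { openssl verify -no-CAfile -CApath "$2" "$1" 2>&1; }

demo() {
    work=$(mktemp -d) || return 1
    make_test_pki "$work" || return 1
    echo "default OpenSSL directory: $(openssl_dir)"
    verify_untrusted "$work/srv.pem" || echo "(expected failure: no trust anchor)"
    verify_with_file "$work/srv.pem" "$work/ca.pem"
    install_ca "$work/ca.pem" "$work/certs"
    verify_with_dir "$work/srv.pem" "$work/certs"
    rm -rf "$work"
}
demo
```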