Date: Mon, 11 May 2015 11:01:40 -0400 From: Ernie Luzar <luzar722@gmail.com> To: Jon Radel <jon@radel.com> Cc: freebsd-questions@freebsd.org Subject: Re: Certificate error Message-ID: <5550C454.60202@gmail.com> In-Reply-To: <55501D92.2020102@radel.com> References: <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Jon Radel wrote: > On 5/10/15 5:07 PM, Ernie Luzar wrote: >> Hello list; >> Been trying to setup qpopper to use TLS. >> I am stuck at getting a self signed certificate to work. >> Running fetchmail on the host to get a good log of what is really >> happening >> as shown below. After that list is the script I use to build the >> certificates. >> Maybe some one can seen what I am doing wrong in the build cert script >> based on the errors shown in the fetchmail list.. >> Thanks > A self-signed certificate and a certificate signed by your own CA > aren't even remotely the same thing; I'm confused as to what you're > trying to actually do. The list of openssl commands you give > shouldn't result in a self-signed certificate. See section 4 of > http://www.openssl.org/docs/HOWTO/certificates.txt for the incantation > for a self-signed certificate. What I am trying to do is get TLS working on my pop3 qpopper server without paying for a official ca cert. I have tried both the self-signed certificate method which I posted as part of the original post and a certificate signed by my own CA using CA.pl script both with no joy. I edited the openssl.cnf file to default to the correct values for the items it prompts you for so I always get the same values. > >> >> >> fetchmail: Server certificate verification error: self signed >> certificate >> fetchmail: Missing trust anchor certificate: >> >> > As a result, I'm kind of confused as to why fetchmail is complaining > about a missing trust anchor for a self-signed certificate. But that > does lead to the question: Did you install the CA certificate, > CA.cert, where fetchmail will use it for verifying certificates? You > should also realize that if you want to use your own CA, you're much > better off not creating a new one willy-nilly, as you need to install > the CA cert for every client which you want to actually verify the > certificates signed by that CA. See > http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html > for more. Fetchmail is being used as a diagnostic tool. Fetchmail will follow how a pop3 server is configured and in my case I am trying to test my pop3 qpopper server for TLS. From the original post posted fetchmail log you see that the pop3 server is offering STLS. This is what I am expecting. Then the log shows the certs are missing a anchor point. The posted cert build script is not some thing I pulled out of the air or something I make up as a guess. I have a few different combinations of openssl command sequences form different articles I read on the internet and all of them get the same error. I just point qpopper to use the key & cert files made separately by openssl commands. What sequence of openssl commands do you suggest I use?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5550C454.60202>