From: Ernie Luzar
Date: Mon, 11 May 2015 11:01:40 -0400
To: Jon Radel
CC: freebsd-questions@freebsd.org
Subject: Re: Certificate error
Message-ID: <5550C454.60202@gmail.com>
In-Reply-To: <55501D92.2020102@radel.com>

Jon Radel wrote:
> On 5/10/15 5:07 PM, Ernie Luzar wrote:
>> Hello list;
>> Been trying to set up qpopper to use TLS.
>> I am stuck at getting a self-signed certificate to work.
>> Running fetchmail on the host to get a good log of what is really
>> happening, as shown below. After that list is the script I use to build
>> the certificates.
>> Maybe someone can see what I am doing wrong in the build cert script
>> based on the errors shown in the fetchmail list.
>> Thanks
>
> A self-signed certificate and a certificate signed by your own CA
> aren't even remotely the same thing; I'm confused as to what you're
> trying to actually do. The list of openssl commands you give
> shouldn't result in a self-signed certificate. See section 4 of
> http://www.openssl.org/docs/HOWTO/certificates.txt for the incantation
> for a self-signed certificate.

What I am trying to do is get TLS working on my pop3 qpopper server
without paying for an official CA cert. I have tried both the self-signed
certificate method, which I posted as part of the original post, and a
certificate signed by my own CA using the CA.pl script, both with no joy.
I edited the openssl.cnf file to default to the correct values for the
items it prompts you for, so I always get the same values.

>
>> fetchmail: Server certificate verification error: self signed certificate
>> fetchmail: Missing trust anchor certificate:
>>
>
> As a result, I'm kind of confused as to why fetchmail is complaining
> about a missing trust anchor for a self-signed certificate. But that
> does lead to the question: Did you install the CA certificate,
> CA.cert, where fetchmail will use it for verifying certificates? You
> should also realize that if you want to use your own CA, you're much
> better off not creating a new one willy-nilly, as you need to install
> the CA cert for every client which you want to actually verify the
> certificates signed by that CA. See
> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html
> for more.

Fetchmail is being used as a diagnostic tool. Fetchmail will follow how a
pop3 server is configured, and in my case I am trying to test my pop3
qpopper server for TLS. From the fetchmail log posted in the original post
you see that the pop3 server is offering STLS. This is what I am expecting.
Then the log shows the certs are missing an anchor point.

The posted cert build script is not something I pulled out of the air or
something I made up as a guess. I have a few different combinations of
openssl command sequences from different articles I read on the internet,
and all of them get the same error. I just point qpopper to use the key &
cert files made separately by openssl commands.

What sequence of openssl commands do you suggest I use?
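Added example, not from this thread and not qpopper's or fetchmail's own code: the one-command self-signed certificate that section 4 of the openssl HOWTO refers to, followed by the verification a client does with no trust anchor (which reproduces the "self signed certificate" error fetchmail reports) and the same verification once the client is handed that certificate as its anchor. The hostname, file names and the `demo` argument are constructed placeholders.

```shell
#!/bin/sh
# Self-signed cert for a POP3/STLS server, then the client-side check that
# fails without a trust anchor and passes with one. Requires openssl 1.1+.
set -eu

HOST="pop3.example.test"      # constructed placeholder, not the poster's host
WORK="$(mktemp -d)"           # scratch directory for key and cert

# Key and self-signed cert in one step; no CA, no CA.pl. -subj supplies the
# fields openssl would otherwise prompt for (what the poster edited
# openssl.cnf to default). Returns 0 only if issuer == subject, which is
# the defining property of a self-signed certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
    issuer=$(openssl x509 -in "$WORK/server.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$WORK/server.pem" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# A client with no trust anchor for this cert: openssl reports the same
# reason fetchmail surfaced ("self signed certificate") and returns non-zero.
verify_without_anchor() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.pem" 2>&1 || return 1
}

# The fix on the client side: trust the self-signed cert itself (for
# fetchmail, the file given to --sslcertfile). Same cert, now "OK".
verify_with_anchor() {
    openssl verify -CAfile "$WORK/server.pem" "$WORK/server.pem"
}

if [ "${1:-}" = "demo" ]; then
    make_selfsigned && echo "self-signed cert written to $WORK"
    verify_without_anchor || echo "no trust anchor -> rejected (expected)"
    verify_with_anchor && echo "cert installed as anchor -> accepted"
fi
```

Run with `sh script.sh demo`; the server side is then just pointing qpopper at `server.key` and `server.pem`, and every client that should verify the connection needs `server.pem` installed as a trusted certificate.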