Date:      Mon, 11 May 2015 15:40:42 -0400
From:      Jon Radel <jon@radel.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Certificate error
Message-ID:  <555105BA.4010702@radel.com>
In-Reply-To: <5550C454.60202@gmail.com>
References:  <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com> <5550C454.60202@gmail.com>


On 5/11/15 11:01 AM, Ernie Luzar wrote:
>
>>>
>>>
>>> fetchmail: Server certificate verification error: self signed 
>>> certificate
>>> fetchmail: Missing trust anchor certificate:
>>>
>>>
>> As a result, I'm kind of confused as to why fetchmail is complaining 
>> about a missing trust anchor for a self-signed certificate.  But that 
>> does lead to the question:  Did you install the CA certificate, 
>> CA.cert, where fetchmail will use it for verifying certificates? You 
>> should also realize that if you want to use your own CA, you're much 
>> better off not creating a new one willy-nilly, as you need to install 
>> the CA cert for every client which you want to actually verify the 
>> certificates signed by that CA.  See 
>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html 
>> for more.
> Fetchmail is being used as a diagnostic tool. Fetchmail will follow 
> how a pop3 server is configured and in my case I am trying to test my 
> pop3 qpopper server for TLS. From the fetchmail log posted in the 
> original post you see that the pop3 server is offering STLS. This is 
> what I am expecting. Then the log shows the certs are missing an anchor 
> point. 
Hence my question as to whether you installed the CA.cert for 
fetchmail.  Which you appear to have not answered.  Nor do you seem to 
have read the reference on the fetchmail mailing list that addresses how 
to either make fetchmail less picky about certificates or install the CA 
root certificate.
> The posted cert build script is not something I pulled out of the air 
> or something I made up as a guess. 
Never said you were.  I did point out that you were showing commands to 
sign a certificate with your own CA in an e-mail where you were 
complaining about being unable to get a self-signed certificate to 
work.  If you're mixing and matching bits and pieces of different 
experiments in the same question, this rapidly becomes even more of a 
futile exercise than it already is.
> I have a few different combinations of openssl command sequences from 
> different articles I read on the internet and all of them get the same 
> error. I just point qpopper to use the key & cert files made 
> separately by openssl commands. 
Yeah, but the last little bit of logging doesn't have qpopper the least 
bit upset so far as I can tell; it's got fetchmail upset. What does 
fetchmail have installed?
> What sequence of openssl commands do you suggest I use?
>
Alas, alack, I find it hard to care; either type of certificate can be 
made to work with differing tradeoffs. Personally I simply use 
https://www.cacert.org when I need a free certificate in a place where I 
control the clients.  But if you go that route, YOU STILL NEED TO 
INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL!  I would suggest you 
search for a tutorial on how TLS works that you're comfortable with and 
study it with care.

In any case, this:

> fetchmail: POP3< STLS
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK STLS
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Powerman
> fetchmail: Issuer CommonName: pop.powerman.com
> fetchmail: Subject CommonName: pop.powerman.com
> fetchmail: pop.a1poweruser.com key fingerprint: 
> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Missing trust anchor certificate:

makes me think you may have a certificate installed just fine on qpopper 
and are simply ignoring that the default behavior of fetchmail is to be 
very picky about certificates.  In other words, you may be abusing your 
diagnostic tool something terrible, and results with your actual 
client(s) may be completely different, depending on how they feel about 
using TLS for verification as opposed to for *only* encryption.

Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.

--Jon Radel
jon@radel.com
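The distinction Jon is drawing, as an added shell example that is not from the thread: the same verification a strict client such as fetchmail performs, run with openssl(1) first with no trust anchor installed and then with the CA root supplied. CA.cert, the hostname and the key files are constructed placeholders, and the script assumes openssl(1) is on PATH.

```shell
#!/bin/sh
# Added illustration (not part of the thread): why a strict client such as
# fetchmail reports "self signed certificate" / "Missing trust anchor", and
# why installing the CA root (the thread's CA.cert) for the client fixes it.
# Assumes openssl(1) is on PATH; every name and file below is constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# 1. A private CA, standing in for the thread's CA.cert.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout ca.key -out CA.cert -subj "/O=Example CA/CN=Example Root" \
    >/dev/null 2>&1

# 2. A server certificate signed by that CA (placeholder hostname).
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=pop.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA CA.cert -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out server.crt >/dev/null 2>&1

# 3. A plain self-signed server certificate, no CA involved at all.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout self.key -out self.crt -subj "/CN=pop.example.test" \
    >/dev/null 2>&1

# verify_cert CERT [TRUST_ANCHOR]: prints OK or FAIL.
# Without TRUST_ANCHOR only the system trust store is consulted, which
# knows neither our private CA nor the self-signed certificate; that is
# exactly fetchmail's position before the CA root is installed for it.
verify_cert() {
    cert=$1
    if [ $# -ge 2 ]; then
        set -- -CAfile "$2"
    else
        set --
    fi
    if openssl verify "$@" "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

echo "self-signed, no trust anchor:    $(verify_cert self.crt)"
echo "self-signed, itself installed:   $(verify_cert self.crt self.crt)"
echo "CA-signed, no trust anchor:      $(verify_cert server.crt)"
echo "CA-signed, CA.cert installed:    $(verify_cert server.crt CA.cert)"
```

Either certificate type verifies once the client has been given the right trust anchor; neither does without one, which is the only thing fetchmail is complaining about in the log above.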



