From owner-freebsd-questions@FreeBSD.ORG Mon May 11 20:46:24 2015
Message-ID: <5551153A.4000800@gmail.com>
Date: Mon, 11 May 2015 16:46:50 -0400
From: Ernie Luzar
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: Jon Radel
CC: freebsd-questions@freebsd.org
Subject: Re: Certificate error
References: <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com> <5550C454.60202@gmail.com> <555105BA.4010702@radel.com>
In-Reply-To: <555105BA.4010702@radel.com>
List-Id: User questions

Jon Radel wrote:
> On 5/11/15 11:01 AM, Ernie Luzar wrote:
>>
>>>> fetchmail: Server certificate verification error: self signed
>>>> certificate
>>>> fetchmail: Missing trust anchor certificate:
>>>>
>>> As a result, I'm kind of confused as to why fetchmail is complaining
>>> about a missing trust anchor for a self-signed certificate. But
>>> that does lead to the question: Did you install the CA certificate,
>>> CA.cert, where fetchmail will use it for verifying certificates? You
>>> should also realize that if you want to use your own CA, you're much
>>> better off not creating a new one willy-nilly, as you need to
>>> install the CA cert for every client which you want to actually
>>> verify the certificates signed by that CA. See
>>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html
>>> for more.
>> Fetchmail is being used as a diagnostic tool. Fetchmail will follow
>> how a pop3 server is configured and in my case I am trying to test my
>> pop3 qpopper server for TLS. From the originally posted fetchmail
>> log you see that the pop3 server is offering STLS. This is what I am
>> expecting. Then the log shows the certs are missing an anchor point.
> Hence my question as to whether you installed the CA.cert for
> fetchmail. Which you appear to have not answered. Nor do you seem to
> have read the reference on the fetchmail mailing list that addresses
> how to either make fetchmail less picky about certificates or install
> the CA root certificate.
>> The posted cert build script is not something I pulled out of the
>> air or something I made up as a guess.
> Never said you were. I did point out that you were showing commands
> to sign a certificate with your own CA in an e-mail where you were
> complaining about being unable to get a self-signed certificate to
> work. If you're mixing and matching bits and pieces of different
> experiments in the same question, this rapidly becomes even more of a
> futile exercise than it already is.
>> I have a few different combinations of openssl command sequences
>> from different articles I read on the internet and all of them get
>> the same error. I just point qpopper to use the key & cert files made
>> separately by openssl commands.
> Yeah, but the last little bit of logging doesn't have qpopper the
> least bit upset so far as I can tell; it's got fetchmail upset. What
> does fetchmail have installed?
>> What sequence of openssl commands do you suggest I use?
>>
> Alas, alack, I find it hard to care; either type of certificate can be
> made to work with differing tradeoffs. Personally I simply use
> https://www.cacert.org when I need a free certificate in a place where
> I control the clients. But if you go that route, YOU STILL NEED TO
> INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL! I would suggest you
> search for a tutorial on how TLS works that you're comfortable with
> and study it with care.
>
> In any case, this:
>
>> fetchmail: POP3< STLS
>> fetchmail: POP3< .
>> fetchmail: POP3> STLS
>> fetchmail: POP3< +OK STLS
>> fetchmail: Server certificate:
>> fetchmail: Issuer Organization: Powerman
>> fetchmail: Issuer CommonName: pop.powerman.com
>> fetchmail: Subject CommonName: pop.powerman.com
>> fetchmail: pop.a1poweruser.com key fingerprint:
>> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>>
>> fetchmail: Server certificate verification error: self signed
>> certificate
>> fetchmail: Missing trust anchor certificate:
>
> makes me think you may have a certificate installed just fine on
> qpopper and are simply ignoring that the default behavior of fetchmail
> is to be very picky about certificates. In other words, you may be
> abusing your diagnostic tool something terrible, and results with your
> actual client(s) may be completely different, depending on how they
> feel about using TLS for verification as opposed to for *only*
> encryption.
>
> Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.
>
> --Jon Radel
> jon@radel.com
>

When I run fetchmail against my ISP mail pop server it runs fine and
populates my postfix server and shows basically the same log sequence.
I just change the poll and user statements in .fetchmailrc. Fetchmail
will follow whatever the pop server it's connecting to tells it to do,
which is TLS. Fetchmail is not the problem here. Many of the how-tos on
the internet recommend using fetchmail in this manner to diagnose pop
server connection problems.

Let's move on to the certificate problem. Are there some openssl
commands that can be used to verify the key/cert file combination is
correct and workable?

I continued to look for a better method of creating certs. Today I
found this one and have given it a try.
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
followed by the first 2 openssl commands on this page
http://www.freebsdmadeeasy.com/tutorials/web-server/apache-ssl-certs.php

I now get different results:

Script started on Mon May 11 16:14:20 2015
/root >fetchmail -vv -c
fetchmail: --check mode enabled, not fetching mail
fetchmail: 6.3.26 querying pop.powerman.com (protocol POP3) at Mon May 11 16:14:34 2015: poll started
Trying to connect to 10.0.10.2/110...connected.
fetchmail: POP3< +OK ready <5281.1431375274@localhost>
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 0
fetchmail: POP3< EXPIRE NEVER
fetchmail: POP3< UIDL
fetchmail: POP3< RESP-CODES
fetchmail: POP3< AUTH-RESP-CODE
fetchmail: POP3< X-MANGLE
fetchmail: POP3< X-MACRO
fetchmail: POP3< X-LOCALTIME Mon, 11 May 2015 16:14:34 -0400
fetchmail: POP3< STLS
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK STLS
fetchmail: Server certificate:
fetchmail: Issuer Organization: powerman
fetchmail: Issuer CommonName: pop.powerman.com
fetchmail: Subject CommonName: pop.powerman.com
fetchmail: pop.powerman.com key fingerprint: F8:FF:A3:6F:7B:BA:F0:CB:2D:B0:6A:04:59:30:77:85
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=US/ST=PA/L=Chester/O=Powerman/CN=pop.powerman.com
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s),
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
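The key/cert sanity check the post asks for, as an added example that is not part of the thread: a POSIX shell script that builds a private CA, signs a server certificate for the polled hostname (assumed to be pop.powerman.com, from the log), confirms the private key belongs to the certificate, runs the same chain verification fetchmail performs, and lays the CA cert out in the hashed-directory form fetchmail's sslcertpath expects. The .fetchmailrc line in the comment is an assumption based on the fetchmail FAQ entry cited above.

```shell
#!/bin/sh
# Added example (not from the thread): private CA -> signed server cert, then
# prove key, cert and CA chain together before handing them to qpopper/fetchmail.
set -eu

CN="${CN:-pop.powerman.com}"     # hostname from the poll statement (assumed)
WORK="${WORK:-$(mktemp -d)}"     # scratch directory for keys and certs

make_ca_and_server_cert() {
  # 1. Private CA: a self-signed root cert, i.e. the "trust anchor" fetchmail wants.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=US/ST=PA/O=Powerman/CN=Powerman Root CA" 2>/dev/null
  # 2. Server key and CSR; the CN must equal the host fetchmail connects to.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/C=US/ST=PA/L=Chester/O=Powerman/CN=$CN" 2>/dev/null
  # 3. Sign with the CA key (signing with the server key would be self-signed).
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Key/cert pair check: the public key derived from the private key must equal
# the public key embedded in the certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Chain check: the verification fetchmail performs.  Leave out -CAfile and
# you get exactly "unable to get local issuer certificate" from the log above.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Put ca.crt where fetchmail can find it: a directory of hash-named links, the
# layout OpenSSL uses for a CApath (what c_rehash would produce).
install_anchor_for_fetchmail() {
  mkdir -p "$WORK/anchors"
  h=$(openssl x509 -hash -noout -in "$WORK/ca.crt")
  ln -sf "$WORK/ca.crt" "$WORK/anchors/$h.0"
  # .fetchmailrc (assumed syntax, per the fetchmail FAQ cited in the thread):
  #   poll pop.powerman.com proto pop3 user "me" sslcertck sslcertpath /path/to/anchors
  echo "$WORK/anchors/$h.0"
}

if command -v openssl >/dev/null 2>&1; then   # demo run; needs the openssl CLI
  make_ca_and_server_cert
  key_matches_cert && chain_verifies && install_anchor_for_fetchmail
fi
```

The three checks are independent: a mismatched key fails `key_matches_cert`, a certificate signed by a different CA fails `chain_verifies`, and a missing or unhashed CA file is what leaves fetchmail reporting a broken chain.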