From owner-freebsd-questions@FreeBSD.ORG Sun May 10 21:06:39 2015
Message-ID: <554FC878.7070401@gmail.com>
Date: Sun, 10 May 2015 17:07:04 -0400
From: Ernie Luzar
To: FreeBSD Questions
Subject: Certificate error

Hello list;

Been trying to set up qpopper to use TLS. I am stuck at getting a
self-signed certificate to work. Running fetchmail on the host to get a
good log of what is really happening, as shown below. After that list is
the script I use to build the certificates. Maybe someone can see what I
am doing wrong in the build cert script based on the errors shown in the
fetchmail list.

Thanks

Script started on Sun May 10 16:30:25 2015
/root >fetchmail -vv
fetchmail: WARNING: Running as root is discouraged.
Old UID list from pop.powerman.com:
Scratch list of UIDs:
fetchmail: 6.3.26 querying pop.powerman.com (protocol POP3) at Sun May 10 16:30:37 2015: poll started
Trying to connect to 10.0.10.2/110...connected.
fetchmail: POP3< +OK ready <1301.1431289837@localhost>
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 0
fetchmail: POP3< EXPIRE NEVER
fetchmail: POP3< UIDL
fetchmail: POP3< RESP-CODES
fetchmail: POP3< AUTH-RESP-CODE
fetchmail: POP3< X-MANGLE
fetchmail: POP3< X-MACRO
fetchmail: POP3< X-LOCALTIME Sun, 10 May 2015 16:30:37 -0400
fetchmail: POP3< STLS
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK STLS
fetchmail: Server certificate:
fetchmail: Issuer Organization: Powerman
fetchmail: Issuer CommonName: pop.powerman.com
fetchmail: Subject CommonName: pop.powerman.com
fetchmail: pop.a1poweruser.com key fingerprint: 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate:

cat qpopper.build.cert
#! /bin/sh

# Let's get to the correct location; stop if it is missing so the rm
# below never runs in some other directory
cd /usr/local/etc/qpopper || exit 1

# Let's delete existing stuff to re-create clean
rm -v CA.key CA.crt pop3.key.pem pop3.cert.csr pop3.cert.pem

echo "Creating a private CA key"
openssl genrsa -des3 -out CA.key 2048

echo "Creating a private CA certificate"
openssl req -new -x509 -days 3650 -key CA.key -out CA.crt

echo "Creating a private ssl/tls pop3 key"
openssl genrsa -out pop3.key.pem 2048

echo "Creating a private certificate signing request"
openssl req -new -key pop3.key.pem -out pop3.cert.csr

echo "Sign certificate using own CAsigning request"
openssl x509 -req -in pop3.cert.csr -out pop3.cert.pem -sha1 \
    -CA CA.crt -CAkey CA.key -CAcreateserial -days 3650
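
Added example, not part of the original post: the fetchmail log above shows the same CommonName for issuer and subject, so this non-interactive variant of the build script gives the CA and the server certificate different subject names and then runs the chain check a TLS client performs with CA.crt as its trust anchor. The CA name "Powerman Private CA", the unencrypted CA key and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (constructed), not the poster's script.
# Assumed names: the CA subject "Powerman Private CA" and all helper functions.
# pop.powerman.com is the server name from the fetchmail log.

subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

# verifies_with CAFILE CERT: succeeds only if openssl prints "CERT: OK".
verifies_with() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# build_pki DIR: write CA.key, CA.crt, pop3.key.pem, pop3.cert.pem into DIR.
build_pki() {
    (
        cd "$1" || exit 1
        # The CA key is left unencrypted so the example runs unattended;
        # the original script encrypts it with -des3.
        openssl genrsa -out CA.key 2048 2>/dev/null
        # -subj answers the prompts; the CA gets its own name, not the host's.
        openssl req -new -x509 -days 3650 -key CA.key -out CA.crt \
            -subj "/O=Powerman/CN=Powerman Private CA"
        openssl genrsa -out pop3.key.pem 2048 2>/dev/null
        # The server certificate carries the name clients connect to.
        openssl req -new -key pop3.key.pem -out pop3.cert.csr \
            -subj "/O=Powerman/CN=pop.powerman.com"
        # -sha256 here; the original script signs with -sha1.
        openssl x509 -req -in pop3.cert.csr -out pop3.cert.pem -sha256 \
            -CA CA.crt -CAkey CA.key -CAcreateserial -days 3650 2>/dev/null
    )
}

# Stand-alone run: build in a scratch directory and report what a client sees.
work=$(mktemp -d) && build_pki "$work"
echo "CA subject    : $(subject_of "$work/CA.crt")"
echo "server subject: $(subject_of "$work/pop3.cert.pem")"
echo "server issuer : $(issuer_of "$work/pop3.cert.pem")"
if verifies_with "$work/CA.crt" "$work/pop3.cert.pem"; then
    echo "pop3.cert.pem chains to CA.crt"
else
    echo "pop3.cert.pem does NOT chain to CA.crt"
fi
rm -rf "$work"
```

A client reaches the same result only when it is given CA.crt as a trust anchor; in fetchmail that is the sslcertfile option.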