Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 11 May 2015 11:01:40 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Jon Radel <jon@radel.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Certificate error
Message-ID:  <5550C454.60202@gmail.com>
In-Reply-To: <55501D92.2020102@radel.com>
References:  <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Jon Radel wrote:
> On 5/10/15 5:07 PM, Ernie Luzar wrote:
>> Hello list;
>> Been trying to setup qpopper to use TLS.
>> I am stuck at getting a self signed certificate to work.
>> Running fetchmail on the host to get a good log of what is really 
>> happening
>> as shown below. After that list is the script I use to build the 
>> certificates.
>> Maybe some one can seen what I am doing wrong in the build cert script
>> based on the errors shown in the fetchmail list..
>> Thanks
> A self-signed certificate and a certificate signed by your own CA 
> aren't even remotely the same thing; I'm confused as to what you're 
> trying to actually do.  The list of openssl commands you give 
> shouldn't result in a self-signed certificate.  See section 4 of 
> http://www.openssl.org/docs/HOWTO/certificates.txt for the incantation 
> for a self-signed certificate.
What I am trying to do is get TLS working on my pop3 qpopper server 
without paying for a official ca cert. I have tried both the self-signed 
certificate method which I posted as part of the original post and a 
certificate signed by my own CA using CA.pl script both with no joy. I 
edited the openssl.cnf file to default to the correct values for the 
items it prompts you for so I always get the same values.
>
>>
>>
>> fetchmail: Server certificate verification error: self signed 
>> certificate
>> fetchmail: Missing trust anchor certificate:
>>
>>
> As a result, I'm kind of confused as to why fetchmail is complaining 
> about a missing trust anchor for a self-signed certificate.  But that 
> does lead to the question:  Did you install the CA certificate, 
> CA.cert, where fetchmail will use it for verifying certificates? You 
> should also realize that if you want to use your own CA, you're much 
> better off not creating a new one willy-nilly, as you need to install 
> the CA cert for every client which you want to actually verify the 
> certificates signed by that CA.  See 
> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html 
> for more.
Fetchmail is being used as a diagnostic tool. Fetchmail will follow how 
a pop3 server is configured and in my case I am trying to test my pop3 
qpopper server for TLS. From the original post posted fetchmail log you 
see that the pop3 server is offering STLS. This is what I am expecting. 
Then the log shows the certs are missing a anchor point.  The posted 
cert build script is not some thing I pulled out of the air or something 
I make up as a guess.  I have a few different  combinations of openssl 
command sequences form different articles I read on the internet and all 
of them get the same error. I just point qpopper to use the key & cert 
files made separately by openssl commands. What sequence of openssl 
commands do you suggest I use?




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5550C454.60202>