Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 11 May 2015 15:40:42 -0400
From:      Jon Radel <jon@radel.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Certificate error
Message-ID:  <555105BA.4010702@radel.com>
In-Reply-To: <5550C454.60202@gmail.com>
References:  <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com> <5550C454.60202@gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is a cryptographically signed message in MIME format.

--------------ms070004020104070304070409
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: quoted-printable

On 5/11/15 11:01 AM, Ernie Luzar wrote:
>
>>>
>>>
>>> fetchmail: Server certificate verification error: self signed=20
>>> certificate
>>> fetchmail: Missing trust anchor certificate:
>>>
>>>
>> As a result, I'm kind of confused as to why fetchmail is complaining=20
>> about a missing trust anchor for a self-signed certificate.  But that =

>> does lead to the question:  Did you install the CA certificate,=20
>> CA.cert, where fetchmail will use it for verifying certificates? You=20
>> should also realize that if you want to use your own CA, you're much=20
>> better off not creating a new one willy-nilly, as you need to install =

>> the CA cert for every client which you want to actually verify the=20
>> certificates signed by that CA.  See=20
>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.ht=
ml=20
>> for more.
> Fetchmail is being used as a diagnostic tool. Fetchmail will follow=20
> how a pop3 server is configured and in my case I am trying to test my=20
> pop3 qpopper server for TLS. From the original post posted fetchmail=20
> log you see that the pop3 server is offering STLS. This is what I am=20
> expecting. Then the log shows the certs are missing a anchor point.=20
Hence my question as to whether you installed the CA.cert for=20
fetchmail.  Which you appear to have not answered.  Nor do you seem to=20
have read the reference on the fetchmail mailing list that addresses how =

to either make fetchmail less picky about certificates or install the CA =

root certificate.
> The posted cert build script is not some thing I pulled out of the air =

> or something I make up as a guess.=20
Never said you were.  I did point out that you were showing commands to=20
sign a certificate with your own CA in an e-mail where you were=20
complaining about being unable to get a self-signed certificate to=20
work.  If you're mixing and matching bits and pieces of different=20
experiments in the same question, this rapidly becomes even more of a=20
futile exercise than it already is.
> I have a few different  combinations of openssl command sequences form =

> different articles I read on the internet and all of them get the same =

> error. I just point qpopper to use the key & cert files made=20
> separately by openssl commands.=20
Yeah, but the last little bit of logging doesn't have qpopper the least=20
bit upset so far as I can tell; it's got fetchmail upset. What does=20
fetchmail have installed?
> What sequence of openssl commands do you suggest I use?
>
Alas, alack, I find it hard to care; either type of certificate can be=20
made to work with differing tradeoffs. Personally I simply use=20
https://www.cacert.org when I need a free certificate in a place where I =

control the clients.  But if you go that route, YOU STILL NEED TO=20
INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL!  I would suggest you=20
search for a tutorial on how TLS works that you're comfortable with and=20
study it with care.

In any case, this:

> fetchmail: POP3< STLS
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK STLS
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Powerman
> fetchmail: Issuer CommonName: pop.powerman.com
> fetchmail: Subject CommonName: pop.powerman.com
> fetchmail: pop.a1poweruser.com key fingerprint:=20
> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>
> fetchmail: Server certificate verification error: self signed certifica=
te
> fetchmail: Missing trust anchor certificate:

makes me think you may have a certificate installed just fine on qpopper =

and are simply ignoring that the default behavior of fetchmail is to be=20
very picky about certificates.  In other words, you may be abusing your=20
diagnostic tool something terrible, and results with your actual=20
client(s) may be completely different, depending on how they feel about=20
using TLS for verification as opposed to for *only* encryption.

Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.

--Jon Radel
jon@radel.com



--------------ms070004020104070304070409
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKrzCC
BK8wggOXoAMCAQICEQDgI8sVEoNTia1hbnpUZ2shMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNV
BAYTAlNFMRQwEgYDVQQKEwtBZGRUcnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJu
YWwgVFRQIE5ldHdvcmsxIjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3QwHhcN
MTQxMjIyMDAwMDAwWhcNMjAwNTMwMTA0ODM4WjCBmzELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP
IENBIExpbWl0ZWQxQTA/BgNVBAMTOENPTU9ETyBTSEEtMjU2IENsaWVudCBBdXRoZW50aWNh
dGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAibEN2npTGU5wUh28VqYGJre4SeCW51Gr8fBaE0kVo7SMG2C8elFCp3mMpCLfF2FOkdV2
IwoU00oCf7YdCYBupQQ92bq7Fv6hh6kuQ1JDFnyvMlDIpk9a6QjYz5MlnHuI6DBk5qT4VoD9
KiQUMxeZrETlaYujRgZLwjPU6UCfBrCxrJNAubUIkzqcKlOjENs9IGE8VQOO2U52JQIhKfqj
fHF2T+7hX4Hp+1SA28N7NVK3hN4iPSwwLTF/Wb1SN7AzaS1D6/rWpfGXd2dRjNnuJ+u8pQc4
doykqTj/34z1A6xJvsr3c5k6DzKrnJU6Ez0ORjpXdGFQvsZAP8vk4p+iIQIDAQABo4IBFzCC
ARMwHwYDVR0jBBgwFoAUrb2YejS0Jvf6xCZU7wO94CTLVBowHQYDVR0OBBYEFJJha4LhoqCq
T+xn8cKj97SAAMHsMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwRAYDVR0fBD0w
OzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL0FkZFRydXN0RXh0ZXJuYWxDQVJv
b3QuY3JsMDUGCCsGAQUFBwEBBCkwJzAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRy
dXN0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAGypurFXBOquIxdjtzVXzqmthK8AJECOZD8Vm
am+x9bS1d14PAmEA330F/hKzpICAAPz7HVtqcgIKQbwFusFY1SbC6tVNhPv+gpjPWBvjImOc
Uvi7BTarfVil3qs7Y+Xa1XPv7OD7e+Kj//BCI5zKto1NPuRLGAOyqC3U2LtCS5BphRDbpjc0
6HvgARClnMo6x59PiDRuimXQGoq7qdzKyjbR9PzCZCk1r9axp3ER0gNDsY8+muyeMlP0dpLK
hjQHuSzK5hxK2JkNwYbikJL7WkJqIyEQ6WXH9dW7fuqMhSACYurROgcsWcWZM/I4ieW26RZ6
H3kU9koQGib6fIr7mzCCBfgwggTgoAMCAQICEHNU5Tx9a7TNDWBpDfzOARswDQYJKoZIhvcN
AQELBQAwgZsxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhD
T01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBD
QTAeFw0xNTAzMzAwMDAwMDBaFw0xODAzMjkyMzU5NTlaMIH6MQswCQYDVQQGEwJVUzEOMAwG
A1UEERMFMjIxNTAxCzAJBgNVBAgTAlZBMRQwEgYDVQQHEwtTcHJpbmdmaWVsZDEaMBgGA1UE
CRMRNjkxNyBSaWRnZXdheSBEci4xFTATBgNVBAoTDEpvbiBULiBSYWRlbDEyMDAGA1UECxMp
SXNzdWVkIHRocm91Z2ggSm9uIFQuIFJhZGVsIEUtUEtJIE1hbmFnZXIxHzAdBgNVBAsTFkNv
cnBvcmF0ZSBTZWN1cmUgRW1haWwxEjAQBgNVBAMTCUpvbiBSYWRlbDEcMBoGCSqGSIb3DQEJ
ARYNam9uQHJhZGVsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN7VG2H2
FtCpo4Of74Ll1UBAf2czZUfeg9rNm587CYgbZJcj+/c+56ZxBDcmSGalDTqBizPJduRMIuyq
8R9qViPzWN238rmVPhpV2PQt8khbJNxT3lXauwK4exK+f8+chywS1eDnesK2pLgQ60n27etj
aE/xgKLLPXJjeaficomz3cwcbgCRdi5WnN9ogAMRNxWsD6trO9cR+cMldcNln1m65XXTrIii
86+FhZKVpW7yetIcmNcVkjYhfCAh5UGgyKHfK7osuPXgj9h1nSsgDwr5Q0H41bpGLe7AdcFu
viOHdmqSuohVSt/VV7JuF2slx2pd0w0eMoNKUKhrFhFsvLUCAwEAAaOCAdUwggHRMB8GA1Ud
IwQYMBaAFJJha4LhoqCqT+xn8cKj97SAAMHsMB0GA1UdDgQWBBTP1gHXRYR8E0eyRHCj/S+H
yppC7DAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcD
BAYIKwYBBQUHAwIwRgYDVR0gBD8wPTA7BgwrBgEEAbIxAQIBAwUwKzApBggrBgEFBQcCARYd
aHR0cHM6Ly9zZWN1cmUuY29tb2RvLm5ldC9DUFMwXQYDVR0fBFYwVDBSoFCgToZMaHR0cDov
L2NybC5jb21vZG9jYS5jb20vQ09NT0RPU0hBMjU2Q2xpZW50QXV0aGVudGljYXRpb25hbmRT
ZWN1cmVFbWFpbENBLmNybDCBkAYIKwYBBQUHAQEEgYMwgYAwWAYIKwYBBQUHMAKGTGh0dHA6
Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1NIQTI1NkNsaWVudEF1dGhlbnRpY2F0aW9uYW5k
U2VjdXJlRW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNv
bTAYBgNVHREEETAPgQ1qb25AcmFkZWwuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBLU976AGA/
5JD9rkjl7vNfRGDQOEffvwseVmLEmBLot8I8vZ50oxRCLdOH0Zd8uN17J5a4xajP3blnMEdw
/CQF4f6Iz8ASG7QOGLSSin+nrqD20Q8lRn8oOyrF100OsPRPKmff/fekdOMkQOrJ3MCDAHQ2
fxuWkxupLBP6PzC49qR8uyPVxIPNetMsuyYhAHtq4DJphd1bJbxirDffqstQK+M5R+eo47KN
WyJ5PD/Q8ug4clobJ7P5W1Xh7KLqnVI2JffYD5+/EEzMpAsKiQTjdxci1z06TOr/9/Z+68an
Xuvyambg6OMzkTaTCyD1sE9QExHj+zGiwpUufSj2vGWjMYIEMTCCBC0CAQEwgbAwgZsxCzAJ
BgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZv
cmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1
NiBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIQc1TlPH1rtM0N
YGkN/M4BGzAJBgUrDgMCGgUAoIICVTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqG
SIb3DQEJBTEPFw0xNTA1MTExOTQwNDJaMCMGCSqGSIb3DQEJBDEWBBQKUNnQTxRYO+ehgKQ9
Yv5tVB/4kzBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqG
SIb3DQMCAgEoMIHBBgkrBgEEAYI3EAQxgbMwgbAwgZsxCzAJBgNVBAYTAkdCMRswGQYDVQQI
ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9E
TyBDQSBMaW1pdGVkMUEwPwYDVQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVudGlj
YXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIQc1TlPH1rtM0NYGkN/M4BGzCBwwYLKoZIhvcN
AQkQAgsxgbOggbAwgZsxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0
ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMUEwPwYD
VQQDEzhDT01PRE8gU0hBLTI1NiBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBF
bWFpbCBDQQIQc1TlPH1rtM0NYGkN/M4BGzANBgkqhkiG9w0BAQEFAASCAQBLaaxOWAIeEl9a
LCPd/ncaSExwc7kO0qCtA1sZhBlhO2jAzb/rJpwPIJhATjm97fg3tQNoXtdYiTElkt0mCaRb
k7McllPconnrcP2+kJTIILwKHMdxbfOexbgAThbKw4qgFxoh/K8VefB3Bc+LoD8guYpqB8+h
xq4RBd984xCVCBTlMiJL0s52w4mpgMPnTlfdSB4BqOtcrpMM3cVhryHlnv1nvbniCZM9GnkZ
wNehNbZHWBjmeW/euhiRzy6CKzvd7GyRx7pjKh0UhwGFbk3Bh8Dk1pbeEgf82NOl3J/UEOkF
dEC9YGp0ncTnqIpW9sKZCxaN+nBLWpbqdgoxP4dIAAAAAAAA
--------------ms070004020104070304070409--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?555105BA.4010702>