On 01/28/2013 01:47 PM, Jean-Philippe MENGUAL wrote:
> Hi,
>
> Thanks very much, this helps a lot. I didn't experience any problems following
> the process. But I still get:
>
> fetchmail: No mail for moderate...@absolinux.net at imap.1and1.fr
> fetchmail: Server certificate verification error: self signed certificate in certificate chain
> fetchmail: This means that the root signing certificate (issued for
> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root)
> is not in the trusted CA certificate locations, or that c_rehash needs to be
> run on the certificate directory. For details, please see the
> documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> fetchmail: No mail for te...@aaui.eu at mail.accelibreinfo.eu
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: This means that the root signing certificate (issued for
> /CN=actux.eu.org) is not in the trusted CA certificate locations, or that
> c_rehash needs to be run on the certificate directory. For details, please see the
> documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
>
> Is some certificate missing? I don't understand why fetchmail still complains.
>
> Thanks for your answer.
>
> Regards,
>
> JPM
>
>
> On Sunday 27 Jan 2013 at 19:27:26 (-0600), DJ Lucas wrote:
>> On 01/27/2013 06:18 AM, Jean-Philippe MENGUAL wrote:
>>> Hi,
>>>
>>> Thanks very much for the information. I probably didn't understand
>>> everything in the process, anyway.
>>> Indeed, in make-ca.sh, I replaced
>>> BUNDLE="BLFS-ca-bundle-${VERSION}.crt" with AddTrustExternalCARoot.crt.
>>> Then I ran the script. I also updated mozilla's certs, through the process
>>> described in the book and also with mozilla-root.crt?.
>>>
>>> So .pem are all updated and generated. Is it enough? Should the
>>> ca-bundle.crt be updated itself? Because with such process, fetchmail
>>> displays the same thing.
>>>
>>> Did I misunderstand something in this process of certificates?
>>>
>>> Thanks very much and sorry to disturb but I have to say that these security
>>> concepts are not natural for me.
>>>
>>> Best regards,
>>>
>>
>>
>> The steps should be:
>>
>> certhost='http://mxr.mozilla.org' &&
>> certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
>> url="$certhost$certdir/certdata.txt?raw=1" &&
>> wget --output-document certdata.txt $url &&
>> unset certhost certdir url &&
>> make-ca.sh &&
>> remove-expired-certs.sh
>>
>> Those update to the latest Mozilla certs, and the following adds your
>> new CA root to the trusted certs:
>>
>> keyhash=$(openssl x509 -noout -in AddTrustExternalCARoot.crt -hash) &&
>> cp AddTrustExternalCARoot.crt \
>>    /etc/ssl/certs/${keyhash}.pem &&
>> c_rehash &&
>> unset keyhash
>>
>> To update the bundle, with what is currently in /etc/ssl/certs, run the
>> following command at any time:
>>
>> cat /etc/ssl/certs/*.pem > /etc/ssl/ca-bundle.crt
>>
>> -- DJ
>>
>> --
>> http://linuxfromscratch.org/mailman/listinfo/blfs-support
>> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
>> Unsubscribe: See the above information page
Not a fetchmail user, so this is second hand, but I think you'll need to set
sslcertpath in fetchmailrc. I get the same behavior with openssl s_client unless
I explicitly set CApath, which makes me wonder if our OpenSSL installation is
slightly broken. I'll look into that quickly.

-- DJ
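As an added walk-through (example code written for this edit, not code from the thread or from the BLFS scripts), the POSIX shell script below replays the steps DJ lists, on a throwaway private CA so that it runs offline, and prints OpenSSL's own verdict after each one. It shows the point behind the "c_rehash needs to be run" wording: the text "unable to get local issuer certificate" that fetchmail reports comes back both when the certificate directory is empty and when the root has been copied in as <hash>.pem but the <hash>.0 symlink has not been created yet, while a bundle file built with cat works without any hashing. The script assumes OpenSSL 1.1.1 or later (for openssl rehash and the -no-CAfile/-no-CApath options of openssl verify) with its standard openssl.cnf installed; the names demo-ca and demo-server and the temporary directory layout are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from the BLFS book: it replays the
# "install a new root CA" steps DJ quotes (copy as <hash>.pem, rehash, rebuild
# the bundle) on a throwaway private CA and shows, with openssl(1) itself, which
# step each of fetchmail's complaints corresponds to.
# Assumptions (hypothetical): OpenSSL 1.1.1 or later with its standard
# openssl.cnf; the names demo-ca and demo-server and the temp directory layout
# are made up for the demo.
set -eu

# Build a one-CA, one-server PKI under "$1": ca.crt/ca.key, srv.crt/srv.key and
# an empty certs/ directory that stands in for /etc/ssl/certs.
setup_demo_pki() {
    pki=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$pki/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$pki/srv.ext"
    # Root: self-signed and explicitly marked as a CA through the extension file.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-ca' \
        -keyout "$pki/ca.key" -out "$pki/ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$pki/ca.csr" -signkey "$pki/ca.key" -days 2 \
        -set_serial 1 -extfile "$pki/ca.ext" -out "$pki/ca.crt" >/dev/null 2>&1
    # Leaf: issued by the root, as the mail server's certificate would be.
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=demo-server' \
        -keyout "$pki/srv.key" -out "$pki/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$pki/srv.csr" -CA "$pki/ca.crt" -CAkey "$pki/ca.key" \
        -days 2 -set_serial 2 -extfile "$pki/srv.ext" -out "$pki/srv.crt" >/dev/null 2>&1
    mkdir -p "$pki/certs"
}

# The subject-name hash OpenSSL uses to locate a CA in a hash directory; this
# is the $keyhash of the quoted instructions.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Step 1 of the quoted instructions: drop the root into the directory as
# <hash>.pem. OpenSSL only opens <hash>.0, <hash>.1, ... so the copy alone does
# not make the root findable; that is the "c_rehash needs to be run" case.
install_root() {
    cp "$1" "$2/$(cert_hash "$1").pem"
}

# Step 2: create the <hash>.N symlinks. c_rehash is a Perl script that does
# this; openssl rehash is the built-in equivalent since OpenSSL 1.1.0.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1
}

# The quoted "cat /etc/ssl/certs/*.pem > /etc/ssl/ca-bundle.crt". A bundle is
# read sequentially, so it never needs hashing.
build_bundle() {
    cat "$1"/*.pem > "$2"
}

# Exit 0 if the leaf "$2" chains to a root found in hash directory "$1" only
# (the system default CA file and directory are switched off so the outcome
# depends solely on what was installed into "$1").
verify_via_dir() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}

# Same, against a bundle file "$1".
verify_via_bundle() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# OpenSSL's own verdict line for the hash-directory case ("<leaf>: OK" or e.g.
# "error 20 at 0 depth lookup: unable to get local issuer certificate"), the
# same text fetchmail echoes after "Server certificate verification error:".
verify_message() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" 2>&1 \
        | grep -v 'verification failed' | tail -n 1
}

# Walk through the procedure, printing what OpenSSL says after each step.
demo() {
    w=$(mktemp -d)
    setup_demo_pki "$w"
    echo "1. empty directory:    $(verify_message "$w/certs" "$w/srv.crt")"
    install_root "$w/ca.crt" "$w/certs"
    echo "2. copied, not hashed: $(verify_message "$w/certs" "$w/srv.crt")"
    rehash_dir "$w/certs"
    echo "3. after rehash:       $(verify_message "$w/certs" "$w/srv.crt")"
    build_bundle "$w/certs" "$w/ca-bundle.crt"
    if verify_via_bundle "$w/ca-bundle.crt" "$w/srv.crt"; then
        echo "4. bundle file:        $w/srv.crt: OK"
    fi
    rm -rf "$w"
}

demo
```

Steps 1 and 2 print the same "unable to get local issuer certificate" line, which is why copying a root into /etc/ssl/certs without running c_rehash (or openssl rehash) looks, from fetchmail's side, exactly like never having installed it. The rehashed directory is what fetchmail's sslcertpath option (together with sslcertck, which its warning recommends) should point at; the bundle file is what sslcertfile takes.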