On Wed, Jun 14, 2006 13:15:42 PM +0200, Dr. Stephen Henson
([EMAIL PROTECTED]) wrote:
> On Wed, Jun 14, 2006, M. Fioretti wrote:
> > 
> > Therefore, I have generated a certificate following, on the server,
> > the procedure at
> > http://wanderingbarque.com/howtos/mailserver/mailserver.html, but it
[...]
> > 
> > error 30 at 0 depth lookup:authority and subject key identifier mismatch
>
> Do you still get that error without -issuer_checks?
> 

I get others:

#> openssl verify fmCert.pem
fmCert.pem: /C=IT/ST=Italy/L=Planet Earth/O=The M Zone/OU=Management/CN=my.vps.fqdn.name/[EMAIL PROTECTED]
error 20 at 0 depth lookup:unable to get local issuer certificate

> I'd suggest you use CA.pl for certificate creation.

er... sorry, which CA.pl? The openssl rpm I have installed only gives
me a CA shell script, which I modified as per the wanderingbarque
howto at the URL above.

I mentioned I discovered this by fetchmail errors. For reference, here
they are:

fetchmail: 6.3.2 querying fm.vm.bytemark.co.uk (protocol POP3) at Wed 14 Jun 2006 02:34:35 PM CEST: poll started
fetchmail: Issuer Organization: The M Zone
fetchmail: Issuer CommonName: my.vps.fqdn.name
fetchmail: Server CommonName: my.vps.fqdn.name
fetchmail: my.vps.fqdn.name key fingerprint: 23:D4:B6:D0:A7:8D:0F:78:85:A8:64:E2:09:55:9D:70
fetchmail: my.vps.fqdn.name fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
12777:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from [EMAIL PROTECTED]

calling fetchmail in this way:

poll my.vps.fqdn.name with proto POP3
   user mailtestaccount there with pass "the password" is marco here

options keep ssl sslfingerprint '23:D4:B6:D0:A7:8D:0F:78:85:A8:64:E2:09:55:9D:70'
            sslcertck sslcertpath /usr/share/ssl/my_certs

where /usr/share/ssl/my_certs contains copies of the *.pem files
generated on the server, and the fingerprint is the one I get running
on the server (on my home pc it gives a different result):

openssl x509 -in myCert.pem  -fingerprint -subject -issuer -serial -hash -noout

Thanks for your support. Please don't hesitate to ask me to run any
other test or provide more info.

        TIA,
        Marco

-- 
Marco Fioretti                    mfioretti, at the server mclink.it
Fedora Core 3 for low memory      http://www.rule-project.org/

Go ahead, capitalize the T on technology, deify it if it will make you
feel less responsible -- but it puts you in with the neutered,
brother, in with the eunuchs keeping the harem of our stolen Earth for
the numb and joyless hardons of human sultans, human elite with no
right at all to be where they are -- T. Pynchon, _Gravity's Rainbow_
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
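
An added illustration, not part of the original post: fetchmail's sslcertpath and `openssl verify -CApath` both use OpenSSL's hashed-directory lookup, which finds a CA certificate only under a `<subject-hash>.0` name (the value `openssl x509 -hash` prints). The script builds a constructed CA and server certificate, then verifies with the CA stored under a plain `.pem` name and again after the hash link exists; every subject and file name in it is made up.

```shell
#!/bin/sh
# Added example: all subjects, names and paths below are constructed.
set -e

# Build a throwaway CA and a server certificate signed by it in directory $1.
make_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test CA/CN=ca.example.test" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Constructed Test/CN=mail.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/srv.pem" 2>/dev/null
}

# Print OK if certificate $2 verifies against CApath-style directory $1,
# else FAIL. Output is parsed because old openssl builds exit 0 on failure.
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Give the CA in directory $1 the <subject-hash>.0 name that lookup expects.
hash_link() {
    h=$(openssl x509 -in "$1/ca.pem" -noout -hash)
    ln -sf ca.pem "$1/$h.0"
}

# Verify before and after hashing; prints the two results on one line.
demo() {
    work=$(mktemp -d)
    mkdir "$work/certs"
    make_chain "$work"
    cp "$work/ca.pem" "$work/certs/"          # plain copy, no hash name yet
    before=$(verify_with_capath "$work/certs" "$work/srv.pem")
    hash_link "$work/certs"
    after=$(verify_with_capath "$work/certs" "$work/srv.pem")
    rm -rf "$work"
    echo "$before $after"
}

demo   # prints "FAIL OK"
```

The `c_rehash` tool shipped with OpenSSL creates the same `<hash>.0` links for every certificate in a directory.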
