On Wed, Jun 14, 2006, M. Fioretti wrote:

> On Wed, Jun 14, 2006 13:15:42 PM +0200, Dr. Stephen Henson
> ([EMAIL PROTECTED]) wrote:
> > On Wed, Jun 14, 2006, M. Fioretti wrote:
> > >
> > > Therefore, I have generated a certificate following, on the server,
> > > the procedure at
> > > http://wanderingbarque.com/howtos/mailserver/mailserver.html, but it
> [...]
> > >
> > > error 30 at 0 depth lookup:authority and subject key identifier mismatch
> >
> > Do you still get that error without -issuer_checks?
> >
>
> I get others:
>
> #> openssl verify fmCert.pem
> fmCert.pem: /C=IT/ST=Italy/L=Planet Earth/O=The M
> Zone/OU=Management/CN=my.vps.fqdn.name/[EMAIL PROTECTED]
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
Try it with -CAfile cacert.pem where cacert.pem is the path to the CA
certificate.

> > I'd suggest you use CA.pl for certificate creation.
>
> er... sorry, which CA.pl? The openssl rpm I have installed only gives
> me a CA shell script, which I modified as per the wanderingbarque
> howto at the URL above.
>

The CA.pl script should be installed as part of OpenSSL somewhere. I
generally advise using this over howtos or cookbooks because some of them are
very old or badly broken.

> I mentioned I discovered this by fetchmail errors. For reference, here
> they are:
>
> fetchmail: 6.3.2 querying fm.vm.bytemark.co.uk (protocol POP3) at Wed 14 Jun
> 2006 02:34:35 PM CEST: poll started
> fetchmail: Issuer Organization: The M Zone
> fetchmail: Issuer CommonName: my.vps.fqdn.name
> fetchmail: Server CommonName: my.vps.fqdn.name
> fetchmail: my.vps.fqdn.name key fingerprint:
> 23:D4:B6:D0:A7:8D:0F:78:85:A8:64:E2:09:55:9D:70
> fetchmail: my.vps.fqdn.name fingerprints match.
> fetchmail: Server certificate verification error: unable to get local issuer
> certificate
> 12777:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed:s3_clnt.c:894:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from [EMAIL PROTECTED]
>
> calling fetchmail in this way:
>
> poll my.vps.fqdn.name with proto POP3
> user mailtestaccount there with pass "the password" is marco here
>
> options keep ssl sslfingerprint
> '23:D4:B6:D0:A7:8D:0F:78:85:A8:64:E2:09:55:9D:70'
> sslcertck sslcertpath /usr/share/ssl/my_certs
>
> where /usr/share/ssl/my_certs contains copies of the *.pem files
> generated on the server, and the fingerprint is the one I get running
> on the server (on my home pc it gives a different result):
>
> openssl x509 -in myCert.pem -fingerprint -subject -issuer -serial -hash
> -noout
>
> Thanks for your support. Please don't hesitate to ask me to run any
> other test or provide more info.
>

You just need the CA certificate in that directory then do:

c_rehash /usr/share/ssl/my_certs

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [email protected]
Automated List Manager                          [EMAIL PROTECTED]
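
What `-CAfile` and `c_rehash` change for the verifier, as an added example (not part of the thread and not OpenSSL's own script): it builds a throwaway CA and server certificate, then runs `openssl verify` four ways. The CA subject, file names and temporary directory are constructed, and the manual `ln -s` stands in for `c_rehash`, which creates the same `<hash>.0` link for each certificate in the directory.

```sh
#!/bin/sh
# Added example. Every name here (Demo CA, file names, temp dir) is constructed.

# Print OK if "openssl verify" reports success for the given arguments, else FAIL.
check() {
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

demo_capath() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" && mkdir certs || exit 1
        # Throwaway CA plus a server certificate signed by it.
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/O=Demo CA/CN=Demo Root" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my.vps.fqdn.name" \
            -keyout srvkey.pem -out srv.csr 2>/dev/null || exit 1
        openssl x509 -req -in srv.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 2 -out srvcert.pem 2>/dev/null || exit 1

        # 1. No issuer available to the verifier: the "error 20" case.
        echo "no-ca: $(check srvcert.pem)"
        # 2. Issuer supplied explicitly as a file.
        echo "cafile: $(check -CAfile cacert.pem srvcert.pem)"
        # 3. CA copied into the directory but not hashed: the lookup finds nothing,
        #    because directory lookups go by <subject-hash>.N file name.
        cp cacert.pem certs/
        echo "unhashed-dir: $(check -CApath certs srvcert.pem)"
        # 4. Add the <subject-hash>.0 link for the CA certificate.
        subj_hash=$(openssl x509 -in certs/cacert.pem -noout -hash)
        ln -s cacert.pem "certs/$subj_hash.0"
        echo "hashed-dir: $(check -CApath certs srvcert.pem)"
    )
    status=$?
    rm -rf "$work"
    return $status
}

demo_capath
```

Cases 3 and 4 correspond to a directory such as the `sslcertpath` one before and after hashing: copying the `.pem` files in is not enough until the hash-named links exist.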
