Thread: Importing Certificate Authority




Importing Certificate Authority
United States
2007-06-15 11:34:43
Hi group,

  Is there any way of importing a certificate authority for just one
  user?

  My university/department uses a self-signed SSL certificate for
  IMAPS, and since it was implemented, 'fetchmail' from my machine
  always generates an error message
    fetchmail: Server certificate verification error: self-signed
    certificate in certificate chain
  and so my inbox gets slightly cluttered with these error messages
  from the cron job.

  So the certificate (I think) is here:
    http://www.math.princeton.edu/math.crt

  How do I tell my computer to trust the certificate? (In particular,
  with fetchmail?)

Thanks, 

W
-- 
M: I hope I don't squish your head. (Leaning back on chair)
W: It's okay. Wait a minute. It's NOT okay....  (Lying under chair)
Sortir en Pantoufles: up 189 days, 14:44
-- 
gentoo-user@gentoo.org mailing list


Re: Importing Certificate Authority
France
2007-06-15 12:45:38
On Fri, June 15, 2007 19:12, Xavier Parizet wrote:
> On Fri, June 15, 2007 18:34, Willie Wong wrote:
>> Hi group,
>>
>>   Is there any way of importing a certificate authority for just one
>>   user?
>>
>>   My university/department uses a self-signed SSL certificate for
>>   IMAPS, and since it was implemented, 'fetchmail' from my machine
>>   always generates an error message
>>     fetchmail: Server certificate verification error: self-signed
>>     certificate in certificate chain
>>   and so my inbox gets slightly cluttered with these error messages
>>   from the cron job.
>>
>>   So the certificate (I think) is here:
>>     http://www.math.princeton.edu/math.crt
>>
>>   How do I tell my computer to trust the certificate? (In particular,
>>   with fetchmail?)
> Retrieve the certificate from the previous address and move it to a
> directory D, and add the following lines to your .fetchmailrc :
> =================================================================
> sslcertpath D # where D is the directory where is the certificate
> =================================================================
> You can also add sslcertck if you want fetchmail to check whether the
> certificate presented by the server is trusted or not...
I forgot to tell you that you have to run c_rehash in the directory where
you have stored the certificate to make symbolic links with its hash
value...


-- 
http://www.linuxant.fr/



Re: Re: Importing Certificate Authority
United States
2007-06-15 14:54:11
On Fri, Jun 15, 2007 at 07:45:38PM +0200, Penguin Lover Xavier Parizet squawked:
> >>   So the certificate (I think) is here:
> >>     http://www.math.princeton.edu/math.crt
> >>
> >>   How do I tell my computer to trust the certificate? (In particular,
> >>   with fetchmail?)
> > Retrieve the certificate from the previous address and move it to a
> > directory D, and add the following lines to your .fetchmailrc :
> > =================================================================
> > sslcertpath D # where D is the directory where is the certificate
> > =================================================================
> > You can also add sslcertck if you want fetchmail to check whether the
> > certificate presented by the server is trusted or not...

Oh god, this is embarrassing. Something that you wrote in there
clicked, and I went back to my archives, and found that I actually
wrote a miniHowto for my local LUG on precisely this about 16 months
ago.

So I have actually implemented what you wrote, just that I forgot
about it. This also means that, unfortunately, doing just this is not
enough to prevent the "self-signed certificate" warning.

But thanks to that, I got on the right direction: turns out that my
department switched from using a self-signed certificate to using one
from IPSCA, so I've been barking up the wrong tree when trying to
solve the problem. The link that I gave was, apparent to me now, old,
and so importing that cert had no impact. I went and imported the
IPSCA root cert and now all's good.

W
-- 
"His eyes seemed to be popping out of his head. He wasn't
certain if this was because they were trying to see more
clearly, or if they simply wanted to leave at this point."

- Arthur trying to see who had diverted him from going to 
a party. 
Sortir en Pantoufles: up 189 days, 17:58


United States
2007-06-15 17:24:22
On Fri, Jun 15, 2007 at 03:54:11PM -0400, Penguin Lover Willie Wong squawked:
> But thanks to that, I got on the right direction: turns out that my
> department switched from using a self-signed certificate to using one
> from IPSCA, so I've been barking up the wrong tree when trying to
> solve the problem. The link that I gave was, apparent to me now, old,
> and so importing that cert had no impact. I went and imported the
> IPSCA root cert and now all's good.

What's up with openssl and ca-certificates?

Trying to connect to my school's imap server, I get

  openssl s_client -connect imap.math.princeton.edu:993
<snip>
  Verify return code: 19 (self signed certificate in certificate chain)

But if I issue

  openssl s_client -connect imap.math.princeton.edu:993 -CApath /etc/ssl/certs/
<snip>
  Verify return code: 0 (ok)

It seems that the openssl s_client doesn't know about the default
certs in /etc/ssl/certs (The one in question is IPSCA's root
certificate, which is included in the ca-certificates package).

I think this is also the root of my problem with fetchmail: I had to
include explicitly in .fetchmailrc the line 'sslcertpath
/etc/ssl/certs' to have the default set of CAs recognized.

Is there a configuration switch somewhere that would let openssl be
aware of the root CAs that come with the ca-certificates package?
Else the latter seems rather useless.

Best, 

W
-- 
English lessons for programmers #28:
    "Fewer" is of type int; whereas "less" is of type double.
Sortir en Pantoufles: up 189 days, 20:38
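
The per-user trust directory discussed in this thread (a CA file plus the hash link that c_rehash creates, checked with openssl's -CApath), as an added example that is not part of the original posts. The CA, the host name imap.example.test and the directory names are constructed test data; the hash link is made by hand instead of calling c_rehash, and the fingerprint check goes slightly beyond what the thread covers.

```shell
#!/bin/sh
# Added example; the CA, host name and directories below are constructed test data.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a server certificate signed by it (stands in for the IMAPS server).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/srv.csr" -days 1 -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv.crt" 2>/dev/null
}

# SHA-256 fingerprint of a CA file, to compare with a value obtained out of band
# before trusting a certificate that was downloaded over plain HTTP.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Copy a CA into a per-user directory and create the <subject-hash>.0 link
# that c_rehash would create (assumes no other CA there has the same hash).
install_user_ca() {   # $1 = CA certificate (PEM), $2 = trust directory
    mkdir -p "$2" && chmod 700 "$2" && cp "$1" "$2/user-ca.pem" &&
    ln -sf user-ca.pem "$2/$(openssl x509 -in "$1" -noout -hash).0"
}

# Verify the server certificate with the CA sent along as an untrusted chain
# member, as a server would send it. $1 = optional CApath. Prints 0 or the error code.
verify_code() {
    out=$(openssl verify ${1:+-CApath "$1"} -untrusted "$WORK/ca.crt" \
        "$WORK/srv.crt" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

make_test_pki
echo "CA fingerprint: $(ca_fingerprint "$WORK/ca.crt")"
echo "without the CA directory: verify code $(verify_code)"
install_user_ca "$WORK/ca.crt" "$WORK/certs"
echo "with -CApath \$WORK/certs:  verify code $(verify_code "$WORK/certs")"
# Matching ~/.fetchmailrc options from the thread: sslcertck, sslcertpath <that directory>
```

Code 19 is the same verify return code shown in the last message of the thread; 0 means the chain verified against the per-user directory.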