SSL error

Goetz Schultz dovecot.expire1225 at suelze.de
Wed Nov 9 18:36:36 UTC 2022


On 09/11/2022 18:19, Alexander Dalloz wrote:
> On 09.11.2022 at 18:30, hi at zakaria.website wrote:
>> On 2022-11-09 16:59, Alexander Dalloz wrote:
>>> On 09.11.2022 at 15:58, Ruben Safir wrote:
>>>> Hello
>>>>
>>>> I am getting this error and I have no idea why. openssh is up to date
>>>
>>> You have a self-signed certificate in place. The connecting client 
>>> cannot validate whether to trust the answering server.
>>>
>>> Alexander
>>
>> Try to run the following against the client certificate full chain and 
>> cert file:-
>>
>>   openssl verify -CAfile fullchain.pem cert.pem
>>
>> if it did throw an error then try verifying with an updated CA 
>> certificates bundle directly from OS using the following which works 
>> with me in RHEL7:-
>>
>> yum reinstall ca-certificates
>> update-ca-trust
>>
>> Or if already installed.
>>
>> update-ca-trust.
>>
>> Given you are using a self signed certificate, I guess, you will have 
>> to append manually the CA certificate, which you've used to sign the 
>> self signed client certificate in CA bundle PEM file i.e. 
>> tls-ca-bundle.pem. Also, you will have to reference the CA file in 
>> dovecot using the following:-
>>
>> ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>> ssl_verify_client_cert = yes
>>
>> Good luck.
>>
>> Zakaria.
> 
> That's pointless as the certificate hasn't been issued by Let's Encrypt.
> 
> Alexander
> 

This has got nothing to do with LE or own CA. Bottom line is, you need to add 
your own CA to the cert store (ideally) - look in DuckDuckGo how that 
works for your distro - Linux is different from BSD - for example.

That would be my line in FreeBSD, using a single file for the CA:
$FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile /etc/ssl/certs/my-ca.crt

The --sslcertfile part can be dumped if using the global store.

Bottom line - independent from CA.


--
Thanks and regards

   Goetz R Schultz

---------------->8----------------
Quis custodiet ipsos custodes?
   /"\
   \ /  ASCII Ribbon Campaign
    X   against HTML e-mail
   / \
----------------8<----------------

Unsigned message - no responsibility that content is not altered
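
Added example, not part of the original message or of any poster's setup: the point made in the thread, that a client rejects a privately issued certificate until it is given the issuing CA, reproduced with `openssl verify`. The CA name, the host name mail.example.test and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example. Everything below is constructed: a throwaway private CA and
# a certificate for the made-up host mail.example.test.

make_demo_pki() {
    dir=$1
    # Minimal config so the root is marked CA:TRUE regardless of the
    # system-wide openssl.cnf.
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Private root CA (self-signed).
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -days 2 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and signing request.
    openssl req -new -config "$dir/demo.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # The private CA issues the server certificate.
    openssl x509 -req -in "$dir/server.csr" -days 2 -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# What a client with only the stock trust store sees: the issuer is unknown.
verify_default_store() { openssl verify "$1/server.pem" >/dev/null 2>&1; }

# Same certificate, but the client is handed the CA as a single file.
verify_with_ca_file() {
    openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_demo_pki "$demo" || { echo "openssl failed" >&2; exit 1; }
if verify_default_store "$demo"; then r=trusted; else r=rejected; fi
echo "default store only:  $r"
if verify_with_ca_file "$demo"; then r=trusted; else r=rejected; fi
echo "with -CAfile ca.pem: $r"
rm -rf "$demo"
```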