On Wed, 23 Nov 2016, Steve Litt wrote:
[snip]
> Alpine still gives me a bad cert warning, saying I should either fix it or disable checking. I haven't yet found a way to get Alpine to discriminate between a valid self-signed cert and a bad one.
Like a number of applications, alpine checks the system certificates directory for a file containing the server certificate to be validated that's named according to its x509 hash. If it finds it, it trusts it.
I don't know where Linux distros keep their certs, but on FreeBSD it's in /etc/ssl/certs/. If you've no other way to find out, a brute force search of the alpine binary should locate it, e.g.:
    $ strings $(whence alpine) | grep '^/.*certs$'
    /etc/ssl/certs
You can fetch the certificate from a remote IMAP server and install it in your system certs directory like this:
    # cd /path/to/certs &&
      openssl s_client -connect remote.server:143 -starttls imap -showcerts </dev/null 2>&0 |
      H=$(openssl x509 -hash -out imap.pem) &&
      ln -sf imap.pem ${H}.0
    # ls -l
    total 5
    lrwxr-xr-x  1 root  wheel    11 Nov 23 15:34 3a82ab1a.0 -> imap.pem
    -rw-r--r--  1 root  wheel  1371 Nov 23 15:34 imap.pem
-- Greg Rivers
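
Added example, not part of the message above: because any certificate found in the hashed directory is trusted, this sketch installs a fetched certificate only after its SHA-256 fingerprint matches one obtained out of band, and it numbers the link (.0, .1, ...) when another certificate already has the same subject hash. The function names, the script name and the pinning step are assumptions of the example; it reads the hash with -subject_hash and -noout rather than together with -out.

```sh
#!/bin/sh
# Added example: install a fetched certificate into an OpenSSL-style hashed
# directory only when its SHA-256 fingerprint matches a value obtained out of
# band (for example from the server's administrator). Names are hypothetical.

# cert_fpr FILE: print the SHA-256 fingerprint as lowercase hex, no colons.
cert_fpr() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# install_pinned CERT EXPECTED_FPR CERTS_DIR
# Prints the hash link name on success; returns 1 on a fingerprint mismatch
# and 2 when CERT cannot be parsed.
install_pinned() {
    cert=$1 dir=$3
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    got=$(cert_fpr "$cert")
    [ -n "$got" ] || return 2
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch, not installing: $got" >&2
        return 1
    fi
    hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 2
    # Certificates sharing a subject hash are numbered .0, .1, ... in turn.
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(cert_fpr "$dir/$hash.$n")" = "$got" ]; then
            echo "$hash.$n"      # this exact certificate is already installed
            return 0
        fi
        n=$((n + 1))
    done
    # Store the file under its fingerprint so two certificates never collide.
    cp "$cert" "$dir/$got.pem" && ln -s "$got.pem" "$dir/$hash.$n" &&
        echo "$hash.$n"
}

# Usage: sh pin-install.sh imap.pem <sha256-fingerprint> /path/to/certs
if [ $# -eq 3 ]; then install_pinned "$@"; fi
```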