On 09/11/2022 18:19, Alexander Dalloz wrote:
On 09.11.2022 at 18:30, hi@zakaria.website wrote:
On 2022-11-09 16:59, Alexander Dalloz wrote:
On 09.11.2022 at 15:58, Ruben Safir wrote:
Hello
I am getting this error and I have no idea why. openssh is up to date
You have a self-signed certificate in place. The connecting client cannot validate whether to trust the answering server.
Alexander
Try to run the following against the client certificate full chain and cert file:-
openssl verify -CAfile fullchain.pem cert.pem
If it did throw an error then try verifying with an updated CA certificates bundle directly from OS using the following which works with me in RHEL7:-
yum reinstall ca-certificates
update-ca-trust
Or if already installed.
update-ca-trust.
Given you are using a self signed certificate, I guess, you will have to append manually the CA certificate, which you've used to sign the self signed client certificate in CA bundle PEM file i.e. tls-ca-bundle.pem. Also, you will have to reference the CA file in dovecot using the following:-
ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes
Good luck.
Zakaria.
That's pointless as the certificate hasn't been issued by Let's Encrypt.
Alexander
This has got nothing to do with LE or own CA. Bottom line is, you need to add your own CA to the cert store (ideally) - look in DuckDuckGo how that works for your distri - Linux is different from BSD - for example.
That would be my line in FreeBSD, using a single file for the CA:
$FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile /etc/ssl/certs/my-ca.crt
The --sslcertfile part can be dumped if using the global store.
Bottom line - independent from CA.
-- Thanks and regards
Goetz R Schultz
---------------->8----------------
Quis custodiet ipsos custodes?
 /"\
 \ /  ASCII Ribbon Campaign
  X   against HTML e-mail
 / \
----------------8<----------------
---------------------------->8------------------------------
This message is transmitted on 100% recycled electrons.
---------------------------->8------------------------------
Unsigned message - no responsibility that content is not altered
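
The point the thread converges on, as an added example that is not part of any poster's message: a throwaway CA and a server certificate signed by it (all names, subjects and paths are constructed for the demo), showing that `openssl verify` rejects the certificate until the signing CA is supplied with -CAfile, which is what adding the CA to the trust store achieves globally.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed for the demo.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

# Minimal req config so the CA certificate carries CA:TRUE on any OpenSSL version.
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_certs() {
    # Self-signed root: the "own CA" the thread talks about.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Server key and CSR, then a certificate signed by that CA.
    openssl req -new -config "$d/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -days 30 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Succeeds only when openssl prints "<file>: OK"; extra arguments go to verify.
verifies() {
    cert=$1; shift
    openssl verify "$@" "$cert" 2>&1 | grep -q ': OK$'
}

report() {
    label=$1; shift
    if verifies "$@"; then echo "$label: trusted"; else echo "$label: NOT trusted"; fi
}

make_certs || { echo "certificate generation failed" >&2; exit 1; }
report "server cert, system store only" "$d/server.crt"
report "server cert, with -CAfile ca.crt" "$d/server.crt" -CAfile "$d/ca.crt"
report "CA cert itself, system store only" "$d/ca.crt"
```

Only the second check reports the certificate as trusted; the other two fail because nothing on the verifying side vouches for the private CA.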