Hello
I am getting this error and I have no idea why. openssh is up to date
Client:
bash-5.1$ fetchmail --ssl -p POP3 -uruben mail2.boroparkmd.com
Enter password for ruben@mail2.boroparkmd.com:
fetchmail: Server certificate verification error: self signed certificate
fetchmail: Missing trust anchor certificate: /C=US/ST=NY/L=Brooklyn/O=Dovecot/OU=mail servuces/CN=*.boroparkmd.com/emailAddress=ruben@mrbrklyn.com
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fetchmail: mail2.boroparkmd.com: SSL connection failed.
fetchmail: socket error while fetching from ruben@mail2.boroparkmd.com
fetchmail: Query status=2 (SOCKET)
Server:
Nov 9 09:36:13 mail2 dovecot[25838]: pop3-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42 (no auth attempts in 1 secs): user=<>, rip=96.57.23.83, lip=96.57.23.84, TLS handshaking: SSL_accept() failed: error:0A000412:SSL routines::sslv3 alert bad certificate: SSL alert number 42, session=<MBsPlArtPtxgORdT>
-- So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998 http://www.mrbrklyn.com
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002 http://www.nylxs.com - Leadership Development in Free Software http://www2.mrbrklyn.com/resources - Unpublished Archive http://www.coinhangout.com - coins! http://www.brooklyn-living.com
Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
On 2022-11-09 16:59, Alexander Dalloz wrote:
On 09.11.2022 at 15:58, Ruben Safir wrote:
Hello
I am getting this error and I have no idea why. openssh is up to date
You have a self-signed certificate in place. The connecting client cannot validate whether to trust the answering server.
Alexander
Try running the following against the client certificate's full chain and cert file:-
openssl verify -CAfile fullchain.pem cert.pem
If it throws an error, then try verifying with an updated CA certificates bundle directly from the OS, using the following, which works for me on RHEL7:-
yum reinstall ca-certificates
update-ca-trust
Or, if already installed:
update-ca-trust
Given you are using a self-signed certificate, I guess you will have to manually append the CA certificate which you used to sign the self-signed client certificate to the CA bundle PEM file, i.e. tls-ca-bundle.pem. Also, you will have to reference the CA file in Dovecot using the following:-
ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes
Good luck.
Zakaria.
On 09.11.2022 at 18:30, hi@zakaria.website wrote:
Given you are using a self-signed certificate, I guess you will have to manually append the CA certificate which you used to sign the self-signed client certificate to the CA bundle PEM file, i.e. tls-ca-bundle.pem. Also, you will have to reference the CA file in Dovecot using the following:-
ssl_client_ca_file = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
ssl_verify_client_cert = yes
That's pointless as the certificate hasn't been issued by Let's Encrypt.
Alexander
On 09/11/2022 18:19, Alexander Dalloz wrote:
That's pointless as the certificate hasn't been issued by Let's Encrypt.
Alexander
This has got nothing to do with LE or your own CA. Bottom line is, you need to add your own CA to the cert tore (ideally) - look in DuckDuckGo for how that works for your distro - Linux is different from BSD, for example.
That would be my line in FreeBSD, using a single file for the CA:
$FOO_BIN -d 60 -F -f /usr/local/etc/fetchmailrc --sslcertfile /etc/ssl/certs/my-ca.crt
The --sslcertfile part can be dumped if using the global store.
Bottom line - independent from CA.
-- Thanks and regards
Goetz R Schultz
---------------->8----------------
Quis custodiet ipsos custodes?
/"
\ / ASCII Ribbon Campaign
X against HTML e-mail
/
----------------8<----------------
---------------------------->8------------------------------
/"
\ / ASCII Ribbon Campaign
X against HTML e-mail
/ \
This message is transmitted on 100% recycled electrons.
---------------------------->8------------------------------
Unsigned message - no responsibility that content is not altered
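The verification failure in this thread, modelled in Go's crypto/x509 as an added example (not code from the thread, from fetchmail or from Dovecot): a private CA constructed here signs a server certificate for *.boroparkmd.com; checking it against an empty trust store reproduces the "missing trust anchor" outcome, adding the CA to the store (what --sslcertfile or the system trust store does on the client side) makes it pass, and a non-matching host name still fails even with the CA trusted. The CA name, key type and validity period are assumptions; nothing here contacts the real server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } } // keeps the example short; real code returns errors

// issue generates a key and signs tmpl with parentKey; a nil parent means self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// VerifyServer does what fetchmail asks OpenSSL to do: chain the server cert to a root in the client's trust store and match the host name; nil means success.
func VerifyServer(server *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario models the thread: a constructed private CA signs a Dovecot-style server certificate for
// *.boroparkmd.com, verified with no trust anchor, with the CA trusted, and with a wrong host name.
func Scenario() (noAnchor, withAnchor, badHost error) {
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example private CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "*.boroparkmd.com"},
		DNSNames: []string{"*.boroparkmd.com"}, // the SAN the client matches against the host name, not the CN
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the client-side fix: --sslcertfile my-ca.crt, or the CA added to the system store
	return VerifyServer(srv, x509.NewCertPool(), "mail2.boroparkmd.com"), // no trust anchor: the thread's error
		VerifyServer(srv, trusted, "mail2.boroparkmd.com"), // CA trusted, name matches: succeeds
		VerifyServer(srv, trusted, "mail2.example.net") // CA trusted, name mismatch: still a hard failure
}
```

The block has no main of its own; call Scenario from a test, or add a main that prints the three returned errors, to see the three outcomes side by side.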
This has got nothing to do with LE or your own CA. Bottom line is, you need to add your own CA to the cert tore (ideally)
what is a cert tore?
Store - typo at my end (have kb-issues)
Thanks and regards
Goetz R Schultz