* [gentoo-user] Importing Certificate Authority
From: Willie Wong @ 2007-06-15 16:34 UTC
To: gentoo-user
Hi group,

Is there any way of importing a certificate authority for just one
user?

My university/department uses a self-signed SSL certificate for
IMAPS, and since it was implemented, 'fetchmail' from my machine
always generates an error message

    fetchmail: Server certificate verification error: self-signed
    certificate in certificate chain

and so my inbox gets slightly cluttered with these error messages
from the cron job.

So the certificate (I think) is here:
http://www.math.princeton.edu/math.crt

How do I tell my computer to trust the certificate? (In particular,
with fetchmail?)

Thanks,

W
--
M: I hope I don't squish your head. (Leaning back on chair)
W: It's okay. Wait a minute. It's NOT okay.... (Lying under chair)
Sortir en Pantoufles: up 189 days, 14:44
--
gentoo-user@gentoo.org mailing list
* [gentoo-user] Re: Importing Certificate Authority
From: Xavier Parizet @ 2007-06-15 17:12 UTC
To: gentoo-user
On Fri, June 15, 2007 18:34, Willie Wong wrote:
> Hi group,
>
> Is there any way of importing a certificate authority for just one
> user?
>
> My university/department uses a self-signed SSL certificate for
> IMAPS, and since it was implemented, 'fetchmail' from my machine
> always generates an error message
> fetchmail: Server certificate verification error: self-signed
> certificate in certificate chain
> and so my inbox gets slightly cluttered with these error messages
> from the cron job.
>
> So the certificate (I think) is here:
> http://www.math.princeton.edu/math.crt
>
> How do I tell my computer to trust the certificate? (In particular,
> with fetchmail?)
Retrieve the certificate from the previous address and move it to a
directory D, and add the following lines to your .fetchmailrc:
=================================================================
sslcertpath D # where D is the directory containing the certificate
=================================================================
You can also add sslcertck if you want fetchmail to check whether the
certificate presented by the server is trusted or not...
--
http://www.linuxant.fr/
* [gentoo-user] Re: Importing Certificate Authority
From: Xavier Parizet @ 2007-06-15 17:45 UTC
To: gentoo-user
On Fri, June 15, 2007 19:12, Xavier Parizet wrote:
> On Fri, June 15, 2007 18:34, Willie Wong wrote:
>> Hi group,
>>
>> Is there any way of importing a certificate authority for just one
>> user?
>>
>> My university/department uses a self-signed SSL certificate for
>> IMAPS, and since it was implemented, 'fetchmail' from my machine
>> always generates an error message
>> fetchmail: Server certificate verification error: self-signed
>> certificate in certificate chain
>> and so my inbox gets slightly cluttered with these error messages
>> from the cron job.
>>
>> So the certificate (I think) is here:
>> http://www.math.princeton.edu/math.crt
>>
>> How do I tell my computer to trust the certificate? (In particular,
>> with fetchmail?)
> Retrieve the certificate from the previous address and move it to a
> directory D, and add the following lines to your .fetchmailrc :
> =================================================================
> sslcertpath D # where D is the directory where is the certificate
> =================================================================
> You can also add sslcertck if you want fetchmail to check whether the
> certificate presented by the server is trusted or not...
I forgot to tell you that you have to run c_rehash in the directory where
you have stored the certificate to make symbolic links with its hash
value...
--
http://www.linuxant.fr/
* Re: [gentoo-user] Re: Importing Certificate Authority
From: Willie Wong @ 2007-06-15 19:54 UTC
To: gentoo-user
On Fri, Jun 15, 2007 at 07:45:38PM +0200, Penguin Lover Xavier Parizet squawked:
> >> So the certificate (I think) is here:
> >> http://www.math.princeton.edu/math.crt
> >>
> >> How do I tell my computer to trust the certificate? (In particular,
> >> with fetchmail?)
> > Retrieve the certificate from the previous address and move it to a
> > directory D, and add the following lines to your .fetchmailrc :
> > =================================================================
> > sslcertpath D # where D is the directory where is the certificate
> > =================================================================
> > You can also add sslcertck if you want fetchmail to check whether the
> > certificate presented by the server is trusted or not...
Oh god, this is embarrassing. Something that you wrote in there
clicked, and I went back to my archives, and found that I actually
wrote a miniHowto for my local LUG on precisely this about 16 months
ago.

So I have actually implemented what you wrote, just that I forgot
about it. This also means that, unfortunately, doing just this is not
enough to prevent the "self-signed certificate" warning.

But thanks to that, I got on the right direction: turns out that my
department switched from using a self-signed certificate to using one
from IPSCA, so I've been barking up the wrong tree when trying to
solve the problem. The link that I gave was, apparent to me now, old,
and so importing that cert had no impact. I went and imported the
IPSCA root cert and now all's good.

W
--
"His eyes seemed to be popping out of his head. He wasn't
certain if this was because they were trying to see more
clearly, or if they simply wanted to leave at this point."
- Arthur trying to see who had diverted him from going to
a party.
Sortir en Pantoufles: up 189 days, 17:58
* [gentoo-user] Default CApath for openssl [was: Importing Certificate Authority]
From: Willie Wong @ 2007-06-15 22:24 UTC
To: gentoo-user
On Fri, Jun 15, 2007 at 03:54:11PM -0400, Penguin Lover Willie Wong squawked:
> But thanks to that, I got on the right direction: turns out that my
> department switched from using a self-signed certificate to using one
> from IPSCA, so I've been barking up the wrong tree when trying to
> solve the problem. The link that I gave was, apparent to me now, old,
> and so importing that cert had no impact. I went and imported the
> IPSCA root cert and now all's good.
What's up with openssl and ca-certificates?

Trying to connect to my school's imap server, I get

    openssl s_client -connect imap.math.princeton.edu:993
    <snip>
    Verify return code: 19 (self signed certificate in certificate chain)

But if I issue

    openssl s_client -connect imap.math.princeton.edu:993 -CApath /etc/ssl/certs/
    <snip>
    Verify return code: 0 (ok)

It seems that the openssl s_client doesn't know about the default
certs in /etc/ssl/certs (The one in question is IPSCA's root
certificate, which is included in the ca-certificates package).

I think this is also the root of my problem with fetchmail: I had to
include explicitly in .fetchmailrc the line 'sslcertpath
/etc/ssl/certs' to have the default set of CAs recognized.

Is there a configuration switch somewhere that would let openssl be
aware of the root CAs that come with the ca-certificates package?
Else the latter seems rather useless.

Best,

W
--
English lessons for programmers #28:
"Fewer" is of type int; whereas "less" is of type double.
Sortir en Pantoufles: up 189 days, 20:38
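
The procedure discussed in this thread (put the CA certificate in a directory, create the hash link that c_rehash would make, then point the client at the directory with -CApath or sslcertpath), as an added example that is not part of any message above. It uses throwaway CAs and a server certificate generated on the spot; the names wrong-ca, issuing-ca and mail.example.test are constructed, and the `<subject-hash>.0` link is made by hand in place of c_rehash. It also reproduces the case from the 19:54 message, where importing a CA that did not issue the server certificate changes nothing.

```sh
#!/bin/sh
# Added example; every name below is constructed for the demo.

new_ca() {            # new_ca <basename> <CN>: self-signed root in <basename>.crt/.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

new_server_cert() {   # new_server_cert <ca-basename>: server.crt issued by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -in server.csr -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out server.crt 2>/dev/null
}

trust() {             # trust <dir> <cert>: copy the cert and add its <subject-hash>.0 link
    cp "$2" "$1/" &&
    ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

verifies() {          # verifies <dir>: true if server.crt chains to a CA found in <dir>
    openssl verify -CApath "$1" server.crt >/dev/null 2>&1
}

run_demo() (          # subshell body: the caller's working directory is untouched
    work=$(mktemp -d) && cd "$work" || exit 1
    mkdir certs
    new_ca wrong-ca "Old Department CA" && new_ca issuing-ca "Actual Issuing CA" &&
        new_server_cert issuing-ca || exit 1
    result=""
    trust certs wrong-ca.crt        # 1. hashed, but not the CA that issued server.crt
    verifies certs && result="${result}ok " || result="${result}fail "
    cp issuing-ca.crt certs/        # 2. right CA in the directory, no hash link yet
    verifies certs && result="${result}ok " || result="${result}fail "
    trust certs issuing-ca.crt      # 3. right CA with its hash link
    verifies certs && result="${result}ok" || result="${result}fail"
    cd / && rm -rf "$work"
    echo "$result"
)

run_demo
```

Only the third step verifies: a directory passed as -CApath is searched by hash-named link, and the CA in it must be the one that actually issued the server's chain.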