Hi,

Thanks very much, this helps a lot. I didn't experience any problems following the process. But I still get:

fetchmail: No mail for moderate...@absolinux.net at imap.1and1.fr
fetchmail: Server certificate verification error: self signed certificate in certificate chain
fetchmail: This means that the root signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
fetchmail: No mail for te...@aaui.eu at mail.accelibreinfo.eu
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /CN=actux.eu.org) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

Is some certificate missing? I don't understand why fetchmail still complains.

Thanks for your answer.

Regards,

JPM

On Sunday 27 Jan 2013 at 19:27:26 (-0600), DJ Lucas wrote:
> On 01/27/2013 06:18 AM, Jean-Philippe MENGUAL wrote:
> > Hi,
> >
> > Thanks very much for the information. I probably didn't understand everything
> > in the process, anyway. Indeed, in make-ca.sh, I replaced
> > BUNDLE="BLFS-ca-bundle-${VERSION}.crt" with AddTrustExternalCARoot.crt.
> > Then I ran the script. I also updated mozilla's certs, through the process described
> > in the book and also with mozilla-root.crt?.
> >
> > So .pem are all updated and generated. Is it enough? Should the ca-bundle.crt
> > be updated itself? Because with such process, fetchmail displays the same
> > thing.
> >
> > Did I misunderstand something in this process of certificates?
> >
> > Thanks very much and sorry to disturb but I've to say that these security concepts
> > are not natural for me.
> >
> > Best regards,
> >
> >
>
> The steps should be:
>
> certhost='http://mxr.mozilla.org' &&
> certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
> url="$certhost$certdir/certdata.txt?raw=1" &&
> wget --output-document certdata.txt $url &&
> unset certhost certdir url &&
> make-ca.sh &&
> remove-expired-certs.sh
>
> Those update to the latest Mozilla certs, and the following adds your
> new CA root to the trusted certs:
>
> keyhash=$(openssl x509 -noout -in AddTrustExternalCARoot.crt -hash) &&
> cp AddTrustExternalCARoot.crt \
> /etc/ssl/certs/${keyhash}.pem &&
> c_rehash &&
> unset keyhash
>
> To update the bundle, with what is currently in /etc/ssl/certs, run the
> following command at any time:
>
> cat /etc/ssl/certs/*.pem > /etc/ssl/ca-bundle.crt
>
> -- DJ
>
> --
> http://linuxfromscratch.org/mailman/listinfo/blfs-support
> FAQ: http://www.linuxfromscratch.org/blfs/faq.html
> Unsubscribe: See the above information page
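
An added example, not part of the original messages or of the BLFS scripts: a POSIX shell check of what the c_rehash step in the quoted reply has to produce, namely a <subject-hash>.N entry in the certificate directory, which is the name OpenSSL looks up when a program passes it that directory. The function names ca_lookup and demo, the temporary directory and the throwaway "Constructed Demo Root" CA are assumptions made for the demonstration; on a real system ca_lookup would be pointed at AddTrustExternalCARoot.crt and /etc/ssl/certs.

```shell
#!/bin/sh
# Added example. OpenSSL finds a CA in a certificate directory only through
# a <subject-hash>.N entry, which is what c_rehash creates.

# ca_lookup CERT DIR: print the <hash>.N entry in DIR that holds the same
# certificate as CERT and return 0; return 1 if no such entry exists.
ca_lookup() {
    cert=$1 dir=$2
    hash=$(openssl x509 -noout -hash -in "$cert") || return 2
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 2
    n=0
    while [ -e "$dir/$hash.$n" ]; do          # .0, .1, ... on hash collisions
        got=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n" 2>/dev/null)
        if [ "$got" = "$want" ]; then
            printf '%s\n' "$dir/$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# demo: run the lookup against a constructed, throwaway self-signed CA in a
# temporary directory. Returns 0 when every step behaves as commented.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/certs"
    ca="$tmp/demo-root.crt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Demo Root' \
        -keyout "$tmp/demo.key" -out "$ca" 2>/dev/null || return 2
    rc=0
    ca_lookup "$ca" "$tmp/certs" >/dev/null && rc=3   # empty directory: not found
    cp "$ca" "$tmp/certs/demo-root.pem"
    ca_lookup "$ca" "$tmp/certs" >/dev/null && rc=4   # .pem copy alone: not found
    # The symlink c_rehash would create for the copied file
    ln -s demo-root.pem "$tmp/certs/$(openssl x509 -noout -hash -in "$ca").0"
    ca_lookup "$ca" "$tmp/certs" >/dev/null || rc=5   # hash link present: found
    openssl verify -CApath "$tmp/certs" "$ca" >/dev/null 2>&1 || rc=6
    rm -rf "$tmp"
    return "$rc"
}

if demo; then echo "demo: all steps behaved as expected"; else echo "demo failed: $?"; fi
```

A return of 1 from ca_lookup for a root named in a fetchmail verification error means that root is not reachable through the directory lookup, whatever .pem files or bundle exist beside it.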