On Fri, 2018-04-13 at 14:47 -0700, Nathan O'Brennan wrote: > On 2018-04-12 11:27, Matt Birkholz wrote: > > Hi Nathan, > > > > Did you get any help with this, or figure it out yourself by now? > > No, to be honest I haven't seen a single response, but I have also not > seen any email come in since I sent it, so I kind of thought maybe my > certificate was messed up somehow else.
I think it is just hard to answer you without googling first, which invites distraction. > I ended up having my phone accept the certificate [...] I have the same problem: insufficient curiosity to uninstall the permanent exceptions (or did you actually turn validation OFF?). But maybe another lurker will be forewarned and win AND tell us all about it. > > > [...] > > > Firefox works fine on webmail. > > > Chrome works fine on webmail. > > > Postfix, Apache, and Dovecot all operate correctly without warnings. > > > > > > Bluemail, Thunderbird, and Kmail all fail to connect because the > > > certificate cannot be verified. > > > > You did not attach the intermediate certificates? I suggested missing intermediates because some clients may be willing to pursue "additional downloads" to validate a cert, while others may balk at incomplete chains. I had not included Gandi's with my Gandi cert and then went down the garden path of trying to add the intermediates as roots. It was not until I took SSLLabs quality test that I twigged to the importance of including the necessary intermediate certs. (Kudos on the SSL Labs suggestion, Stephen.) Now the Gandi cert (complete chain) works as expected, without exceptional handling, in Firefox 59 and (I hope) Everywhere. I pursued this minion of Chaos a bit further this morning, irritated that I cannot trust my own self-signed cert, even though I had installed it in /usr/local/share/ca-certificates/ and ran `sudo update- ca-certificates` AND saw that a key was added (to /etc/ssl/certs/ I guess). Yet I only got Firefox 59 to shut the bleep up after explicitly importing my (Easy-RSA CA) cert in Preferences > Privacy & Security > View Certificates... > Authorities > Import... AND I had to create the server cert with the INexact, all-too-Common-Name core.birchwood- abbey.net (NOT the absolute core.birchwood-abbey.net.) AND I had to use the same name in my CA's DB (i.e. on the ./build-key-server commandline). Kudos to anyone who can tell me how Firefox knew I had used the name core25 on the commandline (my twenty-sixth attempt [a tiny exaggeration]), why I do not see "core25" anywhere in `openssl x509 -text`, and especially how to get the Vile Offspring to document anything. --------------------------------------------------- PLUG-discuss mailing list - PLUGfirstname.lastname@example.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss