Quote:
Originally Posted by shep
I retrieve 3 certificates. The first, which I read to be the missing server certificate, is signed by Symantec. A quick "grep" of OpenBSD cert.pem does not match Symantec. The second 2 certificates are from Verisign 2006.
|
I just checked, and unless I'm reading things wrongly, the 1st certificate, the one for CenturyLink, has Symantec as its Certificate Authority:
Code:
Certificate chain
0 s:/C=US/ST=Louisiana/L=Monroe/O=CenturyLink/OU=Interactive Services Group/CN=mail.centurylink.net
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
-----BEGIN CERTIFICATE-----
MIIGcjCCBVqgAwIBAgIQTsPFd6DHuVkx1SigBAVP3zANBgkqhkiG9w0BAQsFADB+
(...)
The 2nd certificate, for Symantec, has Verisign as its Certificate Authority:
Code:
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
(...)
and the 3rd one is from Verisign themselves:
Code:
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
(...)
Quote:
Originally Posted by shep
I copied the 1st certificate content into an /etc/ssl/centurylink.pem, changed the centurylink.pem group wheel => bin and ran # openssl certhash /etc/ssl .
Alpine still complains.
|
You'd have to add all three certificates, not just the centurylink one, if I'm not mistaken. But somehow the certificate chain seems to be broken. I just added all three certificates to my machine and it didn't work.
BTW, before introducing alpine into the mix you can check the certificates directly:
Code:
openssl s_client -connect mail.centurylink.net:995 -CApath /etc/ssl/
Assuming /etc/ssl/ is where you placed all your certificates. I can connect to their POP3 server but get a
Code:
Verify return code: 20 (unable to get local issuer certificate)
Normally you'd see a
Code:
Verify return code: 0 (ok)
before the POP3 prompt.
I'm stumped right now. The whole SSL certificate thing is relatively new to me. But if it works on Debian for you, it has to be solvable. You might check your Debian-generated cert.pem for the Verisign certificates and compare those to the OpenBSD one. Other than that I don't know...
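Added example, not part of the original post: a small Python helper that reads the subject/issuer lines of an `openssl s_client` chain listing, checks that each issuer matches the next subject, and reports the issuer name the sent chain ends at, which is the one a local root must match to avoid return code 20. The function names, the `trusted_roots` parameter and the sample text (built from the listing above) are assumptions; the comparison is by name only and verifies no signatures.

```python
import re

# Constructed sample: the subject/issuer lines from the chain listing in the post.
SAMPLE = """\
Certificate chain
0 s:/C=US/ST=Louisiana/L=Monroe/O=CenturyLink/OU=Interactive Services Group/CN=mail.centurylink.net
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from an s_client chain listing."""
    chain = []
    for line in text.splitlines():
        subj = re.match(r"\s*(\d+)\s+s:(.+)$", line)
        issu = re.match(r"\s*i:(.+)$", line)
        if subj:
            chain.append([int(subj.group(1)), subj.group(2).strip(), None])
        elif issu and chain:
            chain[-1][2] = issu.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(chain, trusted_roots):
    """Name-level check only. trusted_roots: subject names of the self-signed
    roots in the local store (hypothetical input, e.g. collected from cert.pem)."""
    # Depths where a certificate's issuer is not the subject of the next one sent.
    breaks = [c[0] for c, nxt in zip(chain, chain[1:]) if c[2] != nxt[1]]
    # Lowest depth whose issuer name matches a locally trusted root.
    anchored_at = next((d for d, _, i in chain if i in trusted_roots), None)
    # Issuer of the last certificate sent: the root name the chain ends at.
    top_issuer = chain[-1][2] if chain else None
    return {"breaks": breaks, "anchored_at": anchored_at, "top_issuer": top_issuer}

if __name__ == "__main__":
    result = diagnose(parse_chain(SAMPLE), trusted_roots=set())
    print("issuer/subject mismatches at depth:", result["breaks"] or "none")
    if result["anchored_at"] is None:
        print("no local root matches; the sent chain ends at issuer:")
        print("  " + result["top_issuer"])
```
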