tls certificate for alpine email client

[shep]

On 6.0amd64 release, my new email server uses a tls certificate but I'm having difficulty setting it up properly.

Apparently mail/alpine is not using the system wide certificates in /etc/ssl/cert.pem. I get the following message when I start alpine

Code:

unable to get local issuer certificate (details)

The details

Code:

Host given by user:

  mail.centurylink.net

Reason for failure:

  unable to get local issuer certificate

Certificate being verified:

  /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

There is an option to bypass the certificate with

Code:

 mail.centurylink.net/novalidate-cert

which I view as short cut.

Ideally, I would either like to have alpine use the system wide certifcates or use locally use the certificates I fetched for my mutt configuration ~/.config/mutt/certificates/certs

Code:

-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQUT+5dDhwtzRAQY0wkwaZ/zANBgkqhkiG9w0BAQsFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTMxMDMxMDAwMDAwWhcNMjMxMDMwMjM1OTU5WjB+MQsw
CQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNV
BAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVjIENs
YXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAstgFyhx0LbUXVjnFSlIJluhL2AzxaJ+aQihiw6UwU35VEYJb
A3oNL+F5BMm0lncZgQGUWfm893qZJ4Itt4PdWid/sgN6nFMl6UgfRk/InSn4vnlW
9vf92Tpo2otLgjNBEsPIPMzWlnqEIRoiBAMnF4scaGGTDw5RgDMdtLXO637QYqzu
s3sBdO9pNevK1T2p7peYyo2qRA4lmUoVlqTObQJUHypqJuIGOmNIrLRM0XWTUP8T
L9ba4cYY9Z/JJV3zADreJk20KQnNDz0jbxZKgRb78oMQw7jW2FUyPfG9D72MUpVK
Fpd6UiFjdS8W+cRmvvW1Cdj/JwDNRHxvSz+w9wIDAQABo4IBYzCCAV8wEgYDVR0T
AQH/BAgwBgEB/wIBADAwBgNVHR8EKTAnMCWgI6Ahhh9odHRwOi8vczEuc3ltY2Iu
Y29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB/wQEAwIBBjAvBggrBgEFBQcBAQQjMCEw
HwYIKwYBBQUHMAGGE2h0dHA6Ly9zMi5zeW1jYi5jb20wawYDVR0gBGQwYjBgBgpg
hkgBhvhFAQc2MFIwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20v
Y3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vcnBhMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1hbnRlY1BLSS0xLTUzNDAdBgNVHQ4E
FgQUX2DPYZBV34RDFIpgKrL1evRDGO8wHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnz
Qzn6Aq8zMTMwDQYJKoZIhvcNAQELBQADggEBAF6UVkndji1l9cE2UbYD49qecxny
H1mrWH5sJgUs+oHXXCMXIiw3k/eG7IXmsKP9H+IyqEVv4dn7ua/ScKAyQmW/hP4W
Ko8/xabWo5N9Q+l0IZE1KPRj6S7t9/Vcf0uatSDpCr3gRRAMFJSaXaXjS5HoJJtG
QGX0InLNmfiIEfXzf+YzguaoxX7+0AjiJVgIcWjmzaLmFN5OUiQt/eV5E1PnXi8t
TRttQBVSK/eHiXgSgW7ZTaoteNTCLD0IX4eRnh8OsN4wUmSGiaqdZpwOdgyA8nTY
Kvi4Os7X1g8RvmurFPW9QaAiY4nxug9vKWNmLT+sjHLF+8fk1A/yO0+MKcc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGcjCCBVqgAwIBAgIQTsPFd6DHuVkx1SigBAVP3zANBgkqhkiG9w0BAQsFADB+
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxLzAtBgNVBAMTJlN5bWFudGVj
IENsYXNzIDMgU2VjdXJlIFNlcnZlciBDQSAtIEc0MB4XDTE2MDMwMjAwMDAwMFoX
DTE3MDMxMjIzNTk1OVowgYwxCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlMb3Vpc2lh
bmExDzANBgNVBAcMBk1vbnJvZTEUMBIGA1UECgwLQ2VudHVyeUxpbmsxIzAhBgNV
BAsMGkludGVyYWN0aXZlIFNlcnZpY2VzIEdyb3VwMR0wGwYDVQQDDBRtYWlsLmNl
bnR1cnlsaW5rLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALDn
1a+5+Z5hwI2CTV8oVJ7mygbvz8aIO+OfJdw7bCEir9oNn4qOoshcnNJFJWgNqxTG
TIHhKf2PJwfeaodHzhGsfPpm2lCfYKGqBnjEDKegIQmleBxSImk3hRWaWKxr6A7s
m7G26kkVqOSyzTRviULQ22WdzwG4Kz30zq3+uMByDo4mlY9usXqlxm7E0T3OWuVq
mTqwG3b1dT8Sv/0n+33t13s/Rs44QIdJkKh8SE+SHwVEglnqFtrQI1v8j1+RZpsr
Hx9v5CbaZf5tdQFkz5Idjybh+FB1UqwKv8yJ62ZSJqXEcjizUnRL7uIc8TwtX/S+
crfG8SCVG8327V+aaCkCAwEAAaOCAtswggLXMIGIBgNVHREEgYAwfoIUbWFpbC5j
ZW50dXJ5bGluay5uZXSCE3BvcC5jZW50dXJ5bGluay5uZXSCFHNtdHAuY2VudHVy
eWxpbmsubmV0ghJteC5jZW50dXJ5bGluay5uZXSCE3NtdHAuZW1iYXJxbWFpbC5j
b22CEnBvcC5lbWJhcnFtYWlsLmNvbTAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwYQYDVR0gBFowWDBWBgZn
gQwBAgIwTDAjBggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYI
KwYBBQUHAgIwGRoXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAU
X2DPYZBV34RDFIpgKrL1evRDGO8wKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL3Nz
LnN5bWNiLmNvbS9zcy5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNo
dHRwOi8vc3Muc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc3Muc3ltY2Iu
Y29tL3NzLmNydDCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AN3rHSt6DU+mIIuB
rYFocH4ujp0B1VyIjT0RxM227L7MAAABUzfW+icAAAQDAEcwRQIhAPa/j9+tsIna
i22blK1c/sjCKkAl4IrT4CJ/+oKbggJhAiBUrDjaHEVaG0tHpn91A42px1+3fEO9
FXGsUd5YjoaCTAB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAAB
UzfW+jsAAAQDAEcwRQIgdWd55+T3MqWVSKii36HheZexjrRh1OD+wOXK+nrAlbIC
IQCUJT0A6CyQrLeEgH+UeLVb/GOsmTngkel7pO8Hbv2OjjANBgkqhkiG9w0BAQsF
AAOCAQEAhGL229tDTroUjABwkBsAMZTfFbkZaRL1dQJ6PQUmvI/ab0Jefm+W0kpo
tSe8oaQ/46o650pNzvXaziPh0XIOSBAKN8nlZwxMAfSoBYCHTGzS9ZGRcwCuY8s7
Ejo2I7hQFjyvqubhl45rEnBkg7y1t6w3sEFAQB93lrvujsuH5SkPYk3DqY616JOP
6dHMEPvP2L02ML/jL0Wc1Nv84ZYCXQnyLFzIrhgE4/WA5gGoFE6SjQus5wZbl2G/
j6CUnPiNacOamdsphVt5Ch6bvz0pEd5EMjyUHG5A9Q7wXfy4UebhWljNDu5XoSU1
EPUJynzepCe/P48Eyl/xYPD1ZmTrCQ==
-----END CERTIFICATE-----

I grep'd one of the lines in the above certificate against /etc/ssl/cert.pem and did not get a match. I'm guessing it is missing.

Alpine has the following certificate options

Code:

# Public certificates are kept in files in this directory. The files should
# contain certificates in PEM format. The name of each file should look
# like <emailaddress>.crt. The default directory is .alpine-smime/public.
smime-public-cert-directory=

# If this option is set then public certificates are kept in a single container
# "file" similar to a remote configuration file instead of in the
# smime-publiccert-directory. The value can be a remote or local folder
# specification like for a non-standard pinerc value. The default
# is that it is not set.
smime-public-cert-container=/etc/ssl/cert.pem

# Private keys are kept in files in this directory. The files are in PEM format.
# The name of a file should look like <emailaddress>.key.
# The default directory is .alpine-smime/private.
smime-private-key-directory=

# If this option is set then private keys are kept in a single container
# "file" similar to a remote configuration file instead of in the
# private-key-directory. The value can be a remote or local folder
# specification like for a non-standard pinerc value. The default
# is that it is not set.
smime-private-key-container=

# Certificate Authority certificates (in addition to the normal CACerts for the
# system) are kept in files in this directory. The files are in PEM format.
# Filenames should end with .crt. The default directory is .alpine-smime/ca.
smime-cacert-directory=

# If this option is set then CAcerts are kept in a single container
# "file" similar to a remote configuration file instead of in the
# ca-cert-directory. The value can be a remote or local folder
# specification like for a non-standard pinerc value. The default
# is that it is not set.
smime-cacert-container=

I wonder why the centurylink certificates were not included and am leaning towards using the certificates in a ~/ file. Any suggestions on setting a local public file for alpine?

Edit:
I found this widely referenced pine-ssl link and tried setting up a /etc/ssl/certs/ directory and making a ~/.alpine-smime/ca/centurylink_tls.crt but still get the local certificate failure.