Self signed cert authorization

Self signed cert authorization

Phillip Susi
I've been trying to convince git send-email to connect to my personal
smtp server without success.  It keeps complaining that the cert is
self-signed.  I thought all I had to do was add the cert to
/etc/ssl/certs and that should fix it, but it doesn't.  Even without
doing this, and using -verify_return_error, openssl s_client does not
refuse to connect to the server.  Why is this and what else do I have to
do to convince the system that this self signed cert is OK?

Re: Self signed cert authorization

OpenSSL - User mailing list
On 24/04/2019 21:58, Phillip Susi wrote:
> I've been trying to convince git send-email to connect to my personal
> smtp server without success.  It keeps complaining that the cert is
> self-signed.  I thought all I had to do was add the cert to
> /etc/ssl/certs and that should fix it, but it doesn't.  Even without
> doing this, and using -verify_return_error, openssl s_client does not
> refuse to connect to the server.  Why is this and what else do I have to
> do to convince the system that this self signed cert is OK?
>
Three suggestions, depending on what git send-email and your system
do:

1. If you are on a somewhat recent Debian (or similar) system, move
   your cert from /etc/ssl/certs/ to /usr/local/share/ca-certificates/
   and rerun
   # dpkg-reconfigure ca-certificates
   # dpkg-reconfigure ca-certificates
   (Yes, run it twice, it has a bug if run only once).
   (This does the next two suggestions in the way the system expects,
   even though the list of certificates shown by the configuration
   dialogs doesn't include your own certificates).

2. cd to /etc/ssl/certs and run the command
   /etc/ssl/certs# c_rehash
   (This updates the numeric symlinks to certificates so openssl can
   more easily find them).

3. If your system generates/maintains a big file with all the
   trusted certs concatenated, concatenate your extra cert to the
   end of that file.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
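
What suggestion 2 in the reply above changes, shown as an added example that is not part of the original thread: OpenSSL looks up certificates in a CApath directory by a name derived from the subject hash (`<hash>.0`), so a PEM file copied in under any other name is not found until that link exists. The temporary directory, the file name `my-smtp.pem` and the CN `smtp.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Added example: a cert in a CApath directory is only found via its <hash>.0 link.

# Prints "before=<result> after=<result>" for verification without/with the link.
demo_capath() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/certs"
    cert="$dir/certs/my-smtp.pem"

    # Constructed self-signed certificate; the host name is a placeholder.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=smtp.example.test" \
        -keyout "$dir/key.pem" -out "$cert" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }

    # The file is in the directory, but lookup is by hashed name: not found,
    # so verification stops with the "self-signed" error.
    if openssl verify -CApath "$dir/certs" "$cert" >/dev/null 2>&1; then
        before=ok
    else
        before=fail
    fi

    # What c_rehash does for each certificate: link <subject-hash>.0 to the file.
    hash=$(openssl x509 -noout -hash -in "$cert")
    ln -s my-smtp.pem "$dir/certs/$hash.0"

    # Same command, same directory: the cert is now found and trusted.
    if openssl verify -CApath "$dir/certs" "$cert" >/dev/null 2>&1; then
        after=ok
    else
        after=fail
    fi

    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo_capath
```
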

Re: Self signed cert authorization

Hubert Kario
In reply to this post by Phillip Susi
On Wednesday, 24 April 2019 21:58:30 CEST Phillip Susi wrote:
> I've been trying to convince git send-email to connect to my personal
> smtp server without success.  It keeps complaining that the cert is
> self-signed.  I thought all I had to do was add the cert to
> /etc/ssl/certs and that should fix it, but it doesn't.  Even without
> doing this, and using -verify_return_error, openssl s_client does not
> refuse to connect to the server.  Why is this and what else do I have to
> do to convince the system that this self signed cert is OK?

What distribution, which version of openssl?

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: Self signed cert authorization

Phillip Susi
In reply to this post by OpenSSL - User mailing list

Jakob Bohm via openssl-users writes:

> 2. cd to /etc/ssl/certs and run the command
>   /etc/ssl/certs# c_rehash
>   (This updates the numeric symlinks to certificates so openssl can
>   more easily find them).

Thanks, I ended up finding c_rehash and that did the trick.