M. Fioretti
2006-Jun-13 17:28 UTC
[CentOS] SSL fingerprint mismatch and issuer certificate problem
I have a remote server running centos 4.3 and a home desktop running
suse 10.1. I have generated an SSL certificate on the server, copied
it to the desktop and run on the desktop:

    openssl x509 -in mynewcertCert.pem -fingerprint -subject -issuer -serial -hash -noout
    c_rehash .

getting this warning:

    Doing .
    WARNING: mynewcertPrivateKey.pem does not contain a certificate or CRL: skipping
    mynewcertCert.pem => 2764d17c.0

Now I have noted two things:

1) the fingerprint generated from the openssl command above is
   different when I run it on centos or on suse 10.1. Why?

2) if I run fetchmail here with these options:

   I get:

    fetchmail: 6.3.2 querying my.remote.server (protocol POP3) at Tue 13 Jun 2006 07:22:34 PM CEST: poll started
    fetchmail: Issuer Organization: The M Zone
    fetchmail: Issuer CommonName: my.remote.server
    fetchmail: Server CommonName: my.remote.server
    fetchmail: my.remote.server key fingerprint: the one obtained running openssl on the server
    fetchmail: my.remote.server fingerprints match.
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    26227:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
    fetchmail: SSL connection failed.
    fetchmail: socket error while fetching from m-mail at fm.vm.bytemark.co.uk

What is the "local issuer" problem? What am I missing? Is it a
consequence of problem 1)? What is happening, and what must I do to
use this certificate?

TIA,
Marco

-- 
Marco Fioretti                 mfioretti, at the server mclink.it
Fedora Core 3 for low memory   http://www.rule-project.org/

I don't even have an email address. I have reached an age where my
main purpose is not to receive messages.
                                      U. Eco, quoted in the New Yorker
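The following is an added example, not code from the thread or from the OpenSSL project, illustrating the check behind question 1) above: `openssl x509 -fingerprint` prints a digest of the DER-encoded certificate, and which digest is used by default depends on the OpenSSL release (0.9.7-era builds typically print MD5, later ones SHA-1), so two hosts can print different "fingerprints" of the very same certificate. The code computes fingerprints under several named digests, infers from a printed fingerprint's length which digest produced it, refuses to compare fingerprints from different digests, and reproduces in simplified form the rule by which `c_rehash` skips a file that holds only a private key (the "does not contain a certificate or CRL" warning above). `SAMPLE_DER`, `SAMPLE_CERT_PEM`, `OTHER_CERT_PEM` and `SAMPLE_KEY_PEM` are constructed stand-ins, not real certificates or keys; the function names are this example's own.

```python
"""Added example: certificate fingerprints under several digests, and a
simplified version of the check c_rehash uses to skip non-certificate files."""
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for DER-encoded certificate bytes. It is NOT a real
# certificate; the fingerprint code path is identical for any byte string.
SAMPLE_DER = bytes(range(48)) * 2
# PEM wrapper around the constructed bytes, as a file like mynewcertCert.pem holds.
SAMPLE_CERT_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# A second constructed "certificate", to show a genuine mismatch.
OTHER_CERT_PEM = ssl.DER_cert_to_PEM_cert(bytes(96))
# Constructed stand-in for the private-key file that c_rehash warned about.
SAMPLE_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# One PEM block: the BEGIN label must be repeated verbatim on the END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# The length of the bare hex string tells you which digest printed it.
_DIGEST_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def pem_block_types(pem_text):
    """Labels of every PEM block in a file, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]


def rehash_would_skip(pem_text):
    """Simplified c_rehash rule: only CERTIFICATE or CRL blocks get a hash link."""
    return not any("CERTIFICATE" in t or "CRL" in t for t in pem_block_types(pem_text))


def fingerprint(pem_text, digest="sha256"):
    """Digest of the DER form, printed OpenSSL-style (AB:CD:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def guess_digest(printed):
    """Infer which digest an OpenSSL fingerprint string came from, or None."""
    bare = printed.replace(":", "").strip().lower()
    return _DIGEST_BY_HEX_LEN.get(len(bare))


def compare_fingerprints(printed_a, printed_b):
    """Verdict for two printed fingerprints: 'match', 'mismatch', or an
    explanation when they cannot be compared because the digests differ."""
    da, db = guess_digest(printed_a), guess_digest(printed_b)
    if da != db:
        return (f"incomparable: {da} vs {db}; rerun openssl x509 with the same "
                "explicit -md5/-sha1/-sha256 option on both hosts")
    a = printed_a.replace(":", "").strip().lower()
    b = printed_b.replace(":", "").strip().lower()
    # Constant-time comparison: the habit matters when fingerprints gate trust.
    return "match" if hmac.compare_digest(a, b) else "mismatch"


if __name__ == "__main__":
    for d in ("md5", "sha1", "sha256"):
        print(f"{d:>6}: {fingerprint(SAMPLE_CERT_PEM, d)}")
    print(compare_fingerprints(fingerprint(SAMPLE_CERT_PEM, "md5"),
                               fingerprint(SAMPLE_CERT_PEM, "sha1")))
    print("key file skipped by c_rehash:", rehash_would_skip(SAMPLE_KEY_PEM))
```

The practical rule this encodes: when comparing fingerprints across machines, pass the digest explicitly (`openssl x509 -sha1 -fingerprint ...` on both), and treat a fingerprint of a different length as "not comparable" rather than as a mismatch.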
M. Fioretti
2006-Jun-13 21:59 UTC
[CentOS] SSL fingerprint mismatch and issuer certificate problem
On Tue, Jun 13, 2006 19:28:58 PM +0200, io (mfioretti at mclink.it) wrote:

> I have a remote server running centos 4.3 and a home desktop running
> suse 10.1. I have generated an SSL certificate on the server, copied
> it to the desktop and run on the desktop:

After a lot of googling, I have found that:

    openssl -verify -issuer_checks

returns:

    error 30 at 0 depth lookup:authority and subject key identifier mismatch

which, in turn, seems to be caused by screwed settings of
subjectKeyIdentifier and authorityKeyIdentifier in openssl.conf. But I
have not changed them from the default:

######################################################################
marco at polaris:~/geecheck/usr/share/ssl> grep -i keyidentifier openssl.cnf
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always,issuer:always
marco at polaris:~/geecheck/usr/share/ssl>
########################################################################

Should I change them? If yes, to which values? The ones suggested at
http://middleware.internet2.edu/hepki-tag/pki-lite/hepki-tag-pkilite-root-profile-current.html,
for example:

are in contrast with them. I will try those settings tomorrow, but I
would really like to hear your opinion before trying all possible
combinations of values...

TIA,
marco

-- 
Marco Fioretti                 mfioretti, at the server mclink.it
Fedora Core 3 for low memory   http://www.rule-project.org/

Excuse me for being greedy, but I want freedom and good government.
Both a flourishing economy and a well-cared-for earth. A society that
is diverse and communal.. that offers both privacy and accountability.
One that can afford a big conscience, along with lots of neat toys.
                          -- David Brin -- The Transparent Society