On Wed, 23 Nov 2016 16:04:22 -0600 (CST)
Greg Rivers <gcr+dovecot at tharned.org> wrote:

> On Wed, 23 Nov 2016, Steve Litt wrote:
>
> > [snip]
> >
> > Alpine still gives me a bad cert warning, saying I should either
> > fix it or disable checking. I haven't yet found a way to get Alpine
> > to discriminate between a valid self-signed cert and a bad one.
> >
> Like a number of applications, alpine checks the system certificates
> directory for a file containing the server certificate to be
> validated that's named according to its x509 hash. If it finds it, it
> trusts it.
>
> I don't know where Linux distros keep their certs, but on FreeBSD
> it's in /etc/ssl/certs/. If you've no other way to find out, a brute
> force search of the alpine binary should locate it, e.g.:
>
> $ strings $(whence alpine) | grep '^/.*certs$'
> /etc/ssl/certs

The directory or the certs isn't the problem. Alpine sees the
self-signed cert I just made, but complains because it's self-signed,
and gives me the choice between saying "yes" every time, and just not
checking for certs at all.

SteveT

Steve Litt
November 2016 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz

On Wednesday, 23 November 2016 17.31:50 h CET Steve Litt wrote:

> On Wed, 23 Nov 2016 16:04:22 -0600 (CST)
>
> Greg Rivers <gcr+dovecot at tharned.org> wrote:
> > On Wed, 23 Nov 2016, Steve Litt wrote:
> > > [snip]
> > >
> > > Alpine still gives me a bad cert warning, saying I should either
> > > fix it or disable checking. I haven't yet found a way to get Alpine
> > > to discriminate between a valid self-signed cert and a bad one.
> >
> > Like a number of applications, alpine checks the system certificates
> > directory for a file containing the server certificate to be
> > validated that's named according to its x509 hash. If it finds it, it
> > trusts it.
> >
> > I don't know where Linux distros keep their certs, but on FreeBSD
> > it's in /etc/ssl/certs/. If you've no other way to find out, a brute
> > force search of the alpine binary should locate it, e.g.:
> >
> > $ strings $(whence alpine) | grep '^/.*certs$'
> > /etc/ssl/certs
>
> The directory or the certs isn't the problem. Alpine sees the
> self-signed cert I just made, but complains because it's self-signed,
> and gives me the choice between saying "yes" every time, and just not
> checking for certs at all.
>
> SteveT
>
> Steve Litt
> November 2016 featured book: Quit Joblessness: Start Your Own Business
> http://www.troubleshooters.com/startbiz

One solution would be to use a Let's Encrypt certificate (that's what I
do). Documentation can be found here:

* https://certbot.eff.org/docs/using.html#standalone
* https://community.letsencrypt.org/t/use-on-non-web-servers/425

--
Simon Doppler (dopsi)

On Wed, 23 Nov 2016, Steve Litt wrote:

> On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers <gcr+dovecot at tharned.org> wrote:
>> $ strings $(whence alpine) | grep '^/.*certs$'
>> /etc/ssl/certs
>
> The directory or the certs isn't the problem. Alpine sees the
> self-signed cert I just made, but complains because it's self-signed,
> and gives me the choice between saying "yes" every time, and just not
> checking for certs at all.

"sees the self-signed cert"?
Have you added it as trusted to the CA as Greg said and wrote what to do?

--
Steffen Kaiser
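
The lookup Greg Rivers describes earlier in the thread (a file in the certificates directory named after the certificate's x509 hash), as an added example that is not part of any message here: a self-signed certificate is rejected until it is installed under its hash name, and accepted afterwards. The temporary directory stands in for the system directory, and `mail.example.test` and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. The temp directory stands in for /etc/ssl/certs; the host
# name mail.example.test and all function names are constructed for the demo.

# make_selfsigned KEY CERT CN: constructed stand-in for the mail server's cert.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# install_hashed CERT DIR: copy CERT to DIR/<subject-hash>.N and print the path.
# N starts at 0 and increases only when a different cert has the same hash.
install_hashed() {
    cert=$1; dir=$2
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert") || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        old=$(openssl x509 -noout -fingerprint -sha256 \
            -in "$dir/$hash.$n" 2>/dev/null) || old=
        if [ "$old" = "$fp" ]; then      # this exact cert is already installed
            echo "$dir/$hash.$n"; return 0
        fi
        n=$((n + 1))
    done
    cp "$cert" "$dir/$hash.$n" && echo "$dir/$hash.$n"
}

# is_trusted CERT DIR: succeeds when OpenSSL can verify CERT using DIR as its
# hashed certificate directory.
is_trusted() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# demo: the cert is rejected before it is installed and accepted afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/certs"
    make_selfsigned "$tmp/key.pem" "$tmp/cert.pem" mail.example.test || return 1
    if is_trusted "$tmp/cert.pem" "$tmp/certs"; then rm -rf "$tmp"; return 1; fi
    install_hashed "$tmp/cert.pem" "$tmp/certs"
    is_trusted "$tmp/cert.pem" "$tmp/certs"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo; then echo "trusted after install"; else echo "still untrusted"; fi
```

On a real system the destination is the directory the client actually searches, such as the `/etc/ssl/certs` reported by the `strings` command quoted in the thread.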

On Thu, 24 Nov 2016 07:52:51 +0100 (CET)
Steffen Kaiser <skdovecot at smail.inf.fh-brs.de> wrote:

> On Wed, 23 Nov 2016, Steve Litt wrote:
>
> >On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers
> ><gcr+dovecot at tharned.org> wrote:
> >> $ strings $(whence alpine) | grep '^/.*certs$'
> >> /etc/ssl/certs
> >
> > The directory or the certs isn't the problem. Alpine sees the
> > self-signed cert I just made, but complains because it's
> > self-signed, and gives me the choice between saying "yes" every
> > time, and just not checking for certs at all.
>
> "sees the self-signed cert"?
> Have you added it as trusted to the CA as Greg said and wrote what
> to do?

No. I don't want to deal with a third party "Trusted Party": I want it
self-signed. What I was looking for was a way Alpine could be set to
check for a cert, warn if the cert is conflicting, but not warn if it's
self-signed.

Thanks,

SteveT

Steve Litt
November 2016 featured book: Quit Joblessness: Start Your Own Business
http://www.troubleshooters.com/startbiz