search for: certs

Displaying 20 results from an estimated 6129 matches for "certs".

2016 Nov 24
4
Updated my Dovecot certificate for the first time
....de> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Wed, 23 Nov 2016, Steve Litt wrote: > > >On Wed, 23 Nov 2016 16:04:22 -0600 (CST) Greg Rivers > ><gcr+dovecot at tharned.org> wrote: > >> $ strings $(whence alpine) | grep '^/.*certs$' > >> /etc/ssl/certs > > > > The directory or the certs isn't the problem. Alpine sees the > > self-signed cert I just made, but complains because it's > > self-signed, and gives me the choice between saying "yes" every > > time, and j...
2008 Sep 27
2
client certs with godaddy ssl cert
I've read the client ssl cert section in the wiki and it talks about using a self signed cert, if I am using a commercial cert, in this case godaddy, how do I implement a self signed cert for the client side and have dovecot make use of this? I know the mechanics of setting up the self signed ca, the question is more what configuration changes do I need to make in dovecot to handle both
2013 Jan 08
6
Why is localhost self-signed cert a CA cert?
...he, I discovered that the localhost cert created (I believe) during firstboot has the X509v3 extensions set as a CA cert (eg basicConstraint CA:TRUE). I was once very involved in PKIX and legal issues on certificate policy. Having the localhost cert being a CA cert, thus allowed to sign other certs, MAY have legal implications in the USofA and EU. Why was this chosen? Why is not -extensions v3_req used in the certificate creation? Oh you can see this for yourself with: openssl x509 -in /etc/pki/certs/localhost.crt -text -nameopt multiline -noout|more
2020 Jun 11
2
pointer subtraction on arm for 8.3p1
I use OpenSSH server on an embedded arm using GCC7 cross toolchain. I found that spamming connection attempts sometimes causes aborts in sshd. Upon getting this up in gdb I found that the pointer subtraction inside openbsd-compat/{strlcat.c,strlcpy.c} (and maybe elsewhere) causes the 32 bit pointer difference to wrap which triggers the abort because of the -ftrapv option. This example illustrates
2018 May 21
1
SSL error after upgrading to 2.31
After upgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong. No (No signatures could be verified because the chain contains only one certificate and it is not self signed.) ssl = yes ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt local mail.ctyme.com { protocol imap { ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt } protocol pop...
2019 Sep 13
2
revoking ssh-cert.pub with serial revokes also younger certs
Hi there! What am I doing wrong? I created a ssh-certificate id_user_rsa-cert.pub with this dump: id_user_rsa-cert.pub: root@host # ssh-keygen -Lf id_user_rsa-cert.pub Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs Key ID:
2005 Sep 20
3
signing dovecot certs with own Cert. Auth.
Hi, I'm trying to get apache, sendmail , and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine. However, dovecot ( I haven't even tried sendmail yet) doesn't seem to accept any of the certificates that I create for it. There is a script that comes with dovecot that creates self-signed certificates for you but, I need cer...
2014 Apr 22
2
Re: TLS and intermediate CA
Thanks for the response. My current chain is as follows: caroot -> child-ca1 -> server cert My cacert.pem file has both the caroot and the child-ca1 certs. I have recompiled libvirt on my machine with some extra debug statements and verified that both the caroot cert and the child-ca1 certs are being loaded. But when I try to connect the caroot and child-ca1 certs only appear under the "Acceptable client certificate CA names" not the certif...
2018 Oct 10
2
no mutual signature algorithm with RSA user certs client 7.8, server 7.4
Hi, One of our users who is running an OS (I think it's the latest beta macOS 10.14.1) with ssh version "OpenSSH_7.8p1, LibreSSL 2.7.3" is unable to use our user SSH RSA certificates to authenticate to our servers (which are running "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"). We see this error on the client side: debug1: kex_input_ext_info:
2015 Mar 03
5
Ignorant question on SSL certs
...cot cert, > > Exact message please? The certificate does not apply to the given host The certificate is not signed by any trusted certificate authority >> Do I really have to use a separate cert and key for dovecot? >> Can I not use the "standard" cert in /etc/pki/tls/certs (and key) >> from CACert.org ? > > Post the certificate only, not the private key. I've looked at the cert and key and they look ok for what they are, a self-signed certificate and key, as created (years ago) following the instructions in the dovecot installation instructions. I...
2016 Nov 23
3
Updated my Dovecot certificate for the first time
...> > Like a number of applications, alpine checks the system certificates > directory for a file containing the server certificate to be > validated that's named according to its x509 hash. If it finds it, it > trusts it. > > I don't know where Linux distros keep their certs, but on FreeBSD > it's in /etc/ssl/certs/. If you've no other way to find out, a brute > force search of the alpine binary should locate it, e.g.: > > $ strings $(whence alpine) | grep '^/.*certs$' > /etc/ssl/certs The directory or the certs isn't the problem. A...
2017 Jul 07
5
STARTTLS issue with sieve
...562d0a6f15dcb37' - Status: The certificate is NOT trusted. The certificate issuer is unknown. *** PKI verification of server certificate failed... *** Fatal error: Error in the certificate. *** Handshake has failed I have checked the certificate with: openssl verify -verbose -CAfile /etc/ssl/certs/ca-chain.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem: OK and also with: openssl verify -verbose -CAfile /etc/ssl/certs/mail.novanetwork.local.cert.pem /etc/ssl/certs/mail.novanetwork.local.cert.pem /etc/ssl/certs/mail.novanetwork.local...
2012 Feb 27
1
Using puppet cert generate on a client -- why doesn't this work?
...The primary and secondary both use the primary as their master. The secondary only is used when the primary isn't responding (I wrap the puppetd call in cron with a short shell script) I'm managing these ca files on the masters, pushing them with puppet itself... $ grep file\ { certs.pp file { "/var/lib/puppet/ssl/ca/ca_crt.pem": file { "/var/lib/puppet/ssl/ca/ca_key.pem": file { "/var/lib/puppet/ssl/ca/private/ca.pass": file { "/var/lib/puppet/ssl/certs/ca.pem": file { "/var/lib/puppet/ssl/ca/ca_crl.pem": (...
2018 May 21
2
SSL error after upgrading to 2.31
...pgrading to 2.31 I'm getting this error. Not sure what I'm doing wrong. No (No signatures could be verified because the chain contains only one certificate and it is not self signed.) ssl = yes ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ssl_ca = </etc/exim/certs/ca.crt local mail.ctyme.com { protocol imap { ssl_cert = </etc/exim/certs/ctyme.com.crt ssl_key = </etc/exim/certs/ctyme.com.key ...
2020 Jan 30
6
SSH certificates - restricting to host groups
...thorizations (and more importantly, remove them when no longer authorized). If you're going to do that, it's not too far removed from pushing out ~/.ssh/authorized_keys for each user. I was hoping to avoid the dependency on configuration management by carrying the authorization in the certs themselves - if that is in the spirit of the SSH cert mechanism. On 30/01/2020 16:05, Michael Ströder wrote: > Adding authz information to user certs means that you need to renew the > cert if the authz information changes during cert life-time. This can be > annoying for users. > >...
2018 Jul 23
0
dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI
...ing failed: > no matching domain name found in certificate' > So at least offlineIMAP 7.0.12 from Debian stretch won't send SNI, > there is a newer version upstream though. > > > I myself checked the server's behaviour with openssl: > > $ openssl s_client -showcerts -connect IP-address:993 > > and > > $ openssl s_client -showcerts -connect IP-address:993 -servername > imap.domain > > > I'm totally clueless about how come. > > Best regards > Martin Johannes Dauser > > > > > # 2.2.10: /etc/dovecot/dovecot.conf...
2012 Jul 16
1
Selective TLS per local IP
...ccess via a firewall ACL to TLS connect ports (993/995) we can't do so on port 110/143. The problem is that some clients now are smart enough to look for an offered STARTTLS or STLS, and if it's offered, they try to use it. While not normally a problem if your setup for SSL with valid key/certs, if you have a self signed or no CERT at all, it starts connection warnings and errors on the client side. So is there any way possible to turn off advertising of TLS on port or turn it off/on per IP? Something like: ssl = yes ssl_cert = </etc/ssl/cert/default.pem ssl_key = </etc/ssl/cer...
2018 Jul 22
4
ot: LE server conf setup/ iPhone 'expired cert' message
I've installed LE certs on my Dovecot a while back, and, it has been working OK since, but, today, an iPhone user said he can't get emails as iphone says 'cert is expired', searching around, I see some other iPhone similar issues reported, do I have my conf correct, I have; # cat dovecot.conf | grep ssl ssl =...
2017 Aug 20
6
is a self signed certificate always invalid the first time
...tephan von Krawczynski <skraw at ithnet.com> wrote: > > On Fri, 18 Aug 2017 00:24:39 -0700 (PDT) > Joseph Tam <jtam.home at gmail.com> wrote: > >> Michael Felt <michael at felt.demon.nl> writes: >> >>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is >>>> written in pure shell script, so no python dependencies. >>>> https://github.com/Neilpang/acme.sh >>> >>> Thanks - I might look at that, but as Ralph mentions in his reply - >>> Let's encrypt certs are only for t...
2020 Jun 14
5
Question about certificates on Samba AD/DC
...> > After all server configuration, I notice that there are ca.pem, > > cert.pem > > and key.pem on /usr/local/samba/private/tls directory. I realize the > > ca.pem > > and cert.pem have 2 years validity. Will Samba AD/DC generate > > automatically > > new certs before this time over? Or, must I have to generate them > > manually? > > No, they will need be automatically renewed. > > So yes, you need to generate them manually. > > The original intention was that the certificates be replaced by the > administrator. > > Howeve...