Hi, apologies for the delay, your response did an ACME ink on me :)
Camaleón (noela...@gmail.com on 2011-07-24 16:48 +0000):
> On Sun, 24 Jul 2011 17:35:10 +0200, Arno Schuring wrote:
>
> > does anyone here have experience with adding CA certificates to
> > Debian? My ISP is using "USERTrust Legacy Secure Server CA" as its
> > issuer and that CA does not appear to be included in
> > ca-certificates.
>
> (...)
>
> > Now, according to /usr/share/doc/ca-certificates/README.Debian I
> > should be able to drop this certificate
> > in /usr/local/share/ca-certificates, run update-ca-certificates and
> > be done with it. But this does not appear to be sufficient, because
> > I still get this:
>
> (...)
>
> Just for testing purposes... have you tried to drop the cert file
> under "/usr/share/ca-certificates" (I mean, instead of using the
> "local" dir) and then run "update-ca-certificates"?

Yes. Dropping it there had no effect, until I explicitly added the filename
to ca-certificates.conf. Then, it had the same effect as adding it to
/usr/local (I actually went that route before RTFM, as a good admin
should :)

> (...)
>
> > :~/tst$ openssl
> > verify /etc/ssl/certs/USERTrustLegacySecureServerCA.pem
> > /etc/ssl/certs/USERTrustLegacySecureServerCA.pem:
> > OK

ls -l /etc/ssl/certs | grep -i usertrust
lrwxrwxrwx 1 root root 33 Jul 24 17:30 cf831791.0 -> USERTrustLegacySecureServerCA.pem
lrwxrwxrwx 1 root root 66 Jul 24 17:30 USERTrustLegacySecureServerCA.pem -> /usr/local/share/ca-certificates/USERTrustLegacySecureServerCA.crt

To make matters more interesting, it would appear that fetchmail accepts
the certificate even though openssl still complains that it is unable to
verify the signature.
I've now done the same test with gmail's service, and I get roughly the
same result:

$ openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0

$ openssl s_client -connect pop.gmail.com:995 -showcerts -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
verify return:1

So I guess the original question is solved, "put the certificate in
/usr/local/share/ca-certificates" is really the correct solution. But then
there are two more questions open:
- why does openssl respond differently when I specify a CApath that should
  be the system default?
- what is the correct way to check whether a ca-certificate is installed
  correctly?

Regards,
Arno

Archive: http://lists.debian.org/20110726212247.52d8a...@neminis.loos.site
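An added, self-contained check for Arno's second question (this script is not part of the thread and not Debian's ca-certificates code). It builds a throwaway CA and a leaf certificate signed by it in a temp directory, then lays the CA out the way update-ca-certificates does in /etc/ssl/certs: a <name>.pem link plus the <subject_hash>.0 link that c_rehash creates (the cf831791.0 entry in the ls output above). It then runs openssl verify three ways: -CApath against that directory, -CApath against a directory holding only the PEM with no hash link, and -CAfile against the CA itself. The CA and host names (Example Test Root, mail.example.test) are made up for the demo; only openssl(1) is assumed.

```sh
#!/bin/sh
# Added example (not from the thread): create a throwaway CA, sign a leaf,
# and verify the leaf against the CA laid out the way update-ca-certificates
# lays out /etc/ssl/certs.  All names below are invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req configs so the demo does not depend on the system openssl.cnf.
cat >"$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Test CA
CN = Example Test Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

cat >"$WORK/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = mail.example.test
EOF

# Self-signed CA (stands in for the ISP's issuer).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Leaf certificate issued by that CA (stands in for the mail server's cert).
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# What update-ca-certificates produces: <name>.pem -> the .crt, plus the
# <subject_hash>.0 link (from c_rehash) that -CApath lookups key on.
install_ca() {
  dir="$WORK/certs"
  mkdir -p "$dir"
  ln -sf "$WORK/ca.crt" "$dir/ExampleTestRoot.pem"
  hash=$(openssl x509 -noout -hash -in "$WORK/ca.crt")
  ln -sf ExampleTestRoot.pem "$dir/$hash.0"
  echo "$dir"
}

# The PEM dropped into a directory with no hash link: looks installed, but
# is not usable as a CApath.
install_ca_unhashed() {
  dir="$WORK/certs-unhashed"
  mkdir -p "$dir"
  ln -sf "$WORK/ca.crt" "$dir/ExampleTestRoot.pem"
  echo "$dir"
}

# Each check returns 0 when the leaf chains to the CA through the given location.
verify_with_capath() { openssl verify -CApath "$1" "$WORK/leaf.crt" >/dev/null 2>&1; }
verify_with_cafile() { openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; }

make_ca
make_leaf
CERTS=$(install_ca)
UNHASHED=$(install_ca_unhashed)

echo "default cert dir compiled into this openssl: $(openssl version -d)"
echo "hash link created: $(ls "$CERTS" | grep '\.0$')"
verify_with_capath "$CERTS"       && echo "CApath with hash link: OK"
verify_with_capath "$UNHASHED"    || echo "CApath without hash link: FAIL (expected)"
verify_with_cafile "$WORK/ca.crt" && echo "CAfile: OK"
```

The check that matters for "is the CA installed correctly" is the first verify: openssl verify -CApath /etc/ssl/certs <leaf-or-chain-file> (or openssl s_client ... -CApath /etc/ssl/certs against the live server, as above) succeeds only when both the PEM and its hash link are in place, which is exactly what the second verify shows failing. openssl version -d prints the directory this openssl binary was built to use as its default; comparing it with /etc/ssl/certs is the first thing to look at when an explicit -CApath behaves differently from the default.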