On Thu, 9 May 2002, Thaddeus Parkinson wrote:

<SNIP>
> Things that catch my eye are the lines complaining about no CA data, and
> then, obviously, the SSL3 alert write:fatal:unknown. I don't think
> they're inter-related, since a self-signed cert should be sufficient
> for testing. Is it possible that my certificate just isn't
> good? Running 'openssl verify' on it only returns complaints about it
> being self-signed. Heck, should I take this plea to the OpenSSL
> lists? (which, btw, I am using v0.9.6c)
</SNIP>

I'll admit, I barely skimmed your post, but try this just to rule out a
problem with the cert itself...

Here's how I do it:

Change this line in /usr/local/ssl/misc/CA.pl from this:

    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");

to this:

    system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");

and this:

    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");

to this:

    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");

then:

    cd /usr/local/ssl
    misc/CA.pl -newca
    misc/CA.pl -newreq
    misc/CA.pl -sign
    cp demoCA/cacert.pem /var/imap/CAcert.pem
    cp newcert.pem /var/imap/cert.pem
    cp newreq.pem /var/imap/key.pem

Then remove the request part from /var/imap/key.pem, leaving just the key.

Then add these to /etc/imapd.conf

    tls_cert_file: /var/imap/cert.pem
    tls_key_file: /var/imap/key.pem
    tls_ca_file: /var/imap/CAcert.pem

...and that's about it. I always had on and off trouble with just a plain
old self-signed cert, been doing this since, works great with cyrus and
with sendmail.

  Jason

-- 
Jason Englander [EMAIL PROTECTED]
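
Added example, not part of the original post: one way to script the "remove the request part ... leaving just the key" step and to confirm that the key belongs to the signed certificate. The function names and the sample PEM bodies are constructed for illustration, and key_matches_cert assumes an RSA key and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example. newreq.pem from CA.pl holds the private key followed by the
# certificate request; the TLS key file should contain the key only.

# extract_key IN OUT: copy only the PEM private-key block(s) from IN to OUT.
extract_key() {
    in=$1
    out=$2
    # With -nodes the key is stored unencrypted, so the file mode is its only
    # protection: create the output owner-only, and fix it if it pre-existed.
    ( umask 077
      awk '/^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$/ { k = 1 }
           k { print }
           /^-----END ([A-Z]+ )?PRIVATE KEY-----$/ { k = 0 }' "$in" > "$out" )
    chmod 600 "$out"
    # Fail unless a complete key block was copied and no request data remains.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$out" || return 1
    grep -q -e '-----END .*PRIVATE KEY-----' "$out" || return 1
    if grep -q 'CERTIFICATE REQUEST' "$out"; then return 1; fi
    return 0
}

# key_matches_cert KEY CERT: succeed when the RSA key and the certificate carry
# the same modulus, i.e. the certificate was issued for this key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1") || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# write_sample FILE: constructed stand-in for newreq.pem (bodies are not real
# key material), used to try extract_key without running CA.pl.
write_sample() {
    cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5LWJvZHktbm90LWEtcmVhbC1rZXk=
c2Vjb25kLWxpbmU=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQtcmVxdWVzdC1ib2R5
-----END CERTIFICATE REQUEST-----
EOF
}
```

In the procedure above this replaces the last cp and the manual edit: `extract_key newreq.pem /var/imap/key.pem`, followed by `key_matches_cert /var/imap/key.pem /var/imap/cert.pem`. The key file then needs to be owned by the account the IMAP server runs as.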