Weblog entry #2 for Alucard
See all weblog entries made by Alucard.
Jul 25 15:03:41 organa postfix/smtp [1859] : setting up TLS connection to smtp.comcast.net
Jul 25 15:03:41 organa postfix/smtp [1859] : certificate verification failed for smtp.comcast.net: num=20:unable to get local issuer certificate
Jul 25 15:03:41 organa postfix/smtp [1859] : certificate verification failed for smtp.comcast.net: num=27:certificate not trusted
Jul 25 15:03:41 organa postfix/smtp [1859] : Unverified: subject_CN=smtp.comcast.net, issuer=VeriSign Class 3 Secure Server CA
Jul 25 15:03:41 organa postfix/smtp [1859] : TLS connection established to smtp.comcast.net: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 25 15:03:41 organa postfix/smtp [1859] : 7F874402AB: to=<removed@gmail.com>, relay=smtp.comcast.net [204.127.200.17] :25, delay=1.3, delays=0.08/0.09/0.88/0.28, dsn=2.0.0, status=sent (250 ok ; id=2007072519034101100rpf9fe)Running Etch and postfix (as you can see).
Comments on this Entry
To better understand this error, please read this:
http://httpd.apache.org/docs/2.2/ssl/
It is apache centric, however it explains how all this certification thing works.
[ Parent | Reply to this comment ]
I don't know much about Postfix configuration, but reading through <http://www.postfix.org/TLS_README.html#client_cert_key>;, I did get the impression that you should add the parameter $smtp_tls_CAfile and point it to a file containing the root certificates.
The VeriSign root certificates can be downloaded from <https://www.verisign.com/repository/root.html>;.
[ Parent | Reply to this comment ]
I think I want $smtp_tls_CApath instead, because $smtp_tls_cert_file is only if my server must present a cert to Comcast.
I do have "smtp_tls_CApath = /etc/ssl/certs" in postfix's config, and I do have some Verisign Class 3 certs:
alucard@organa:~$ ls /etc/ssl/certs/ | grep -i verisign_class_3
Verisign_Class_3_Public_Primary_Certification_Authority.pem
Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.pem
Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
Verisign_Class_3_Public_Primary_OCSP_Responder.pemAnd I have run update-ca-certificates.
That said, from Verisign's page there, I seem to be missing the Class 3 PCA - G5 cert, but I don't see a way to download it.
[ Parent | Reply to this comment ]
It isn't easy to locate a way to download the certificates from the page I specified, sorry. Use this link instead: http://www.verisign.com/support/roots.html (which will redirect you to roots.zip). The filename in that archive is C3_PCA_G5_v1.*.
Anyway, you need the "VeriSign Class 3 Secure Server CA" to avoid the error, that's propably the SecureServer.*-file in the archive above. If you extract the file(s) to /etc/ssl/certs/, then remember to make the correct link, otherwise OpenSSL is unable to recognize it.
[ Parent | Reply to this comment ]
/etc/ssl/certs/Verisign_RSA_Secure_Server_CA.pem is the same key as SecureServer.b64. And /etc/ssl/certs/Verisign_Class_3_Public_Primary_Certification_Auth ority_-_G3.pem is the same key as C3_PCA_G3v2.cer.
I tried adding the G5 one, and ran update-ca-certificates (it was turned into facacbc6.0), restarted postfix, and it's still happening.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
Ok, debug time. Let's see what comcast is announcing.
$ gnutls-cli -s --print-cert -p 25 smtp.comcast.net
First we'll introduce ourself the old-fashioned way, with EHLO hostname, to which the server will reply with a list of supported commands. We want to encrypt the connection, so we'll write STARTTLS, wait for the server to respond with 220, and then we send an EOF (Ctrl+D on my keyboard) to trigger GnuTLS-cli to do it's magic. Now we get a lot of certificates on the screen, and finally we can start over with a fresh SMTP session (EHLO again, then QUIT).
The first certificate printed is the comcast servers own. It has been issued by C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server CA, which the server is kind enough to present as well, the second one.
The second one is just an intermediate CA, which has been issued by C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority, and you should look for that certificate in your list of trusted certificates (the filename should start with 7651b327). Is that file present?
In other words, no need to install the G5 certificate (yet), it's only used for their Extended Validation certificates, and I forgot that the old Secure Server certificate has been retired and replaced with another certificate issued from their common roots.
[ Parent | Reply to this comment ]
Second, yup:
alucard@organa:/etc/ssl/certs$ ls -Alh *7651b327*
lrwxrwxrwx 1 root root 59 2007-07-27&nbs p;11:06 7651b327.0 -> Verisign_Class_3_Public_P rimary_Certification_Authority.pemAnd is gnutls-cli is good to have, thanks (for anyone wondering it's in the gnutls-bin package).
[ Parent | Reply to this comment ]
Well, more debugging. Unfortunately, GnuTLS-cli does a segmentation fault when I tried to specify my copy of that root CA, so I have changed to OpenSSL:
$openssl s_client -starttls smtp -showcerts -CAfile 7651b327.0 -connect smtp.comcast.net:25
OpenSSL will just forward you to the secured part of the SMTP connection, say EHLO something and QUIT. Notice the last line before we have to speak SMTP again, which says:
Verify return code: 0 (ok)
Then try again, without the -CAfile parameter, and notice how that line is complaining about a self-signed certificate in the chain. I'm beginning to speculate, that maybe Postfix/OpenSSL doesn't honor the CApath-parameter... Could you try again, this time using just the 7651b327.0-file as the CAfile (don't remember the exact parameter name)?
[ Parent | Reply to this comment ]
Huh, that GnuTLS-cli segmentation fault has disappeared again... Strange! Anyway, the debug command is:
$gnutls-cli --starttls --print-cert --x509cafile 7651b327.0 -p 25 smtp.comcast.net
And the key part is the last section which begins like this:
- Peer's certificate is trusted
Compared to this message, when the x509cafile parameter is not specified:
- Peer's certificate issuer is unknown- Peer's certificate is NOT trusted
I'm starting to suspect either Postfix and/or it's OpenSSL integration.
[ Parent | Reply to this comment ]
1.: several of the postfix-services are run chroot-ed, so check if the certificate is present in /var/spool/postfix/etc/ssl/certs/ (either as a hash-linked file, or as part of ca-certificates.crt)
2.: I suspect that those certificates have to be explicitly trusted:
$ openssl -in /etc/ssl/certs/whatever.pem -addtrust serverAuth -out /var/spool/postfix/etc/ssl/certs/whatever.pem
cu
Tim
[ Parent | Reply to this comment ]