The Accidental Rubyist

invalid byte sequence in UTF-8

Alpine TLS: unable to get local issuer certificate


Currently, my alpine connects to smtp.gmail.com with the /novalidate-cert option, meaning my password is sent in the clear. The communication is not encrypted. Strangely, I have configured postfix to use TLS with the roots.zip certs. The logs clearly show the TLS handshake. Similarly, fetchmail also shows it is using TLS with gmail.
However, alpine [Alpine 1.10 (OSX 962 2008-03-14)] gives me the “unable to get local issuer certificate” and thus I have to use novalidate-cert.

As per what others have written, I have copied the certs from Keychain Access to /System/Library/OpenSSL as cert.pem. I have verified that the Thawte Certificate used by postfix is in it.

I have used all kinds of options in my .pinerc:
/tls
/ssl
:587
:995/ssl etc. None worked.

Interestingly, I found a suggestion on a page and tried it on the files that postfix uses:
$ openssl verify -CAfile ThawtePremiumServerCA.pem ThawtePremiumServerCA.cer

unable to load certificate
81815:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

Today, I finally found this page.

It suggested running: openssl version -d to see where openssl looks for cert.pem. That gave me /opt/local/etc/openssl and not /System/Library/OpenSSL. I placed the cert.pem file there and immediately alpine worked (without novalidate-cert)!
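Two things in the post above are worth turning into a check: the "no start line ... Expecting: TRUSTED CERTIFICATE" error that `openssl verify` gave on the .cer file is what OpenSSL's PEM reader prints when it is handed bytes without a PEM header (commonly a DER-encoded certificate), and the `openssl version -d` step matters because a cert.pem dropped anywhere other than the directory the linked OpenSSL actually consults is simply never read. The following is an added Python example (not code from the post or from alpine) that classifies a certificate file's encoding, converts DER to the PEM form OpenSSL expects, and reports the default CA file path the way `openssl version -d` does; the sample DER bytes are constructed and are not a real certificate.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: an ASN.1 SEQUENCE header with a 2-byte length and filler.
# It is NOT a real certificate; it only exercises the encoding detection/conversion.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x02]) + bytes(258)


def detect_cert_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'PEM', 'DER' or 'unknown'.

    A file without the PEM header is what makes PEM_read_bio fail with
    "no start line"; a DER certificate starts with the SEQUENCE tag 0x30
    followed by a long-form length byte (0x80 or above).
    """
    if PEM_HEADER in data:
        return "PEM"
    if len(data) > 2 and data[0] == 0x30 and data[1] >= 0x80:
        return "DER"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text for a certificate supplied in either encoding."""
    kind = detect_cert_encoding(data)
    if kind == "PEM":
        return data.decode("ascii")
    if kind == "DER":
        # Same transformation as: openssl x509 -inform DER -in x.cer -out x.pem
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a PEM or DER certificate")


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem for DER input; lets a caller confirm a lossless round trip."""
    return ssl.PEM_cert_to_DER_cert(pem)


def openssl_default_cafile() -> str:
    """Path of the cert.pem the linked OpenSSL consults (what 'openssl version -d' implies).

    A CA bundle placed anywhere else, such as /System/Library/OpenSSL on the
    MacPorts setup above, is never consulted, so verification keeps failing.
    """
    return ssl.get_default_verify_paths().openssl_cafile


if __name__ == "__main__":
    print("sample encoding:", detect_cert_encoding(SAMPLE_DER))
    print("OpenSSL reads CA bundle from:", openssl_default_cafile())
```

Point `detect_cert_encoding` at the actual ThawtePremiumServerCA.cer bytes to confirm the diagnosis, then place the PEM output in the file `openssl_default_cafile()` names.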

However, I start alpine in debug mode: alpine -d tcp,imap=4 and there’s a lot of stuff about writing to SSL etc but also this:

IMAP DEBUG 12:56:22 9/1: 250-AUTH LOGIN PLAIN

IMAP DEBUG 12:56:21 9/1: 220 2.0.0 Ready to start TLS
IMAP DEBUG 12:56:22 9/1: EHLO [192.168.1.3]
IMAP 12:56:22 9/1 mm_log tcp: Writing to SSL
IMAP 12:56:22 9/1 mm_log tcp: successfully wrote to TCP
IMAP 12:56:22 9/1 mm_log tcp: Reading SSL data
IMAP 12:56:22 9/1 mm_log tcp: Successfully read SSL data
IMAP DEBUG 12:56:22 9/1: 250-mx.google.com at your service, [122.162.156.222]
IMAP DEBUG 12:56:22 9/1: 250-SIZE 28311552
IMAP DEBUG 12:56:22 9/1: 250-8BITMIME
IMAP DEBUG 12:56:22 9/1: 250-AUTH LOGIN PLAIN
IMAP DEBUG 12:56:22 9/1: 250 ENHANCEDSTATUSCODES
Opened SMTP server “gmail-smtp.l.google.com”
IMAP DEBUG 12:56:22 9/1: RSET

The mail went through fine. But did proper authentication happen? I also found this in the debug file:

IMAP 12:56:22 9/1 mm_log tcp: successfully wrote to TCP
IMAP 12:56:22 9/1 mm_log tcp: Reading SSL data
IMAP 12:56:23 9/1 mm_log tcp: Successfully read SSL data
IMAP DEBUG 12:56:23 9/1: 530-5.5.1 Authentication Required. Learn more at
IMAP DEBUG 12:56:23 9/1: 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 j5sm10042202tid.12

As a side note, I also tried putting the sslfingerprint in my fetchmailrc after running the command:
openssl x509 -in c33a80d4.0 -noout -fingerprint
### c33a80d4.0 -> ThawtePremiumServerCA.pem

Fetchmail did not run with the sslfingerprint “xxx” setting.
I am trying to figure out where fetchmail logs.

Anyone using alpine, please check the madboa pine/ssl page.


6. You can make money without doing evil.
— seen on http://www.google.com/corporate/tenthings.html


Written by totalrecall

September 1, 2008 at 2:57 pm

Posted in unix

4 Responses


  1. Great tip – though I have no idea how to fetch the cert manually, I at least now am one step closer to fixing my (same) problem. Cheers! 🙂

    Jan

    September 24, 2008 at 1:35 am

  2. Please get the roots.zip file from here:
    http://www.thawte.com/roots/index.html

    You can google for “certificates roots.zip” and get some links. They all point here.

    totalrecall

    September 24, 2008 at 8:36 am

  3. You’re wrong that novalidate-cert means your password is sent in the clear. It just means that if you use SSL you won’t verify the remote server certificate against a root set of certificates. This prevents simple eavesdropping on your connection, but opens you up to a man in the middle attack.

    Nick

    October 27, 2010 at 1:00 pm
