Path: ...!eternal-september.org!feeder2.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Wolfgang Agnes <wagnes@example.com>
Newsgroups: comp.unix.bsd.freebsd.misc,comp.mail.sendmail
Subject: adding CA certificates (for use by sendmail)
Followup-To: comp.mail.sendmail
Date: Tue, 12 Nov 2024 22:30:07 -0300
Organization: A noiseless patient Spider
Lines: 74
Message-ID: <87ttcbly3k.fsf@example.com>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Wed, 13 Nov 2024 02:30:13 +0100 (CET)
Injection-Info: dont-email.me; posting-host="28366000ab524cbe2c77653d04aed304"; logging-data="1978682"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19q9KEY2sudqnHgwaFJkYXtpPniki6DsvM="
Cancel-Lock: sha1:DjUTelt9lqjTSMW2I9oYwxwujJM= sha1:9WlQ/jz1qLSWcFccr1rk+pCbRpc=
Bytes: 4121

(*) Follow-up-to

It's not easy to decide where I should ask: a FreeBSD group or a sendmail one. I'm posting to both, but suggesting a follow-up-to comp.mail.sendmail.

(*) Question

I'm particularly interested---due to curiosity and my education on the subject---in the following sendmail message in maillog:

--8<-------------------------------------------------------->8---
Nov 12 08:27:39 antartida sm-mta[72775]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
--8<-------------------------------------------------------->8---

My intuition says the system doesn't have the certificate for the CN mx.google.com. If my intuition is totally wrong, feel free to stop reading right here.

The hostname connecting to my sendmail that generated that line above is aspmx.l.google.com. So I tried (as a guess) to connect to this host on port 25, saying STARTTLS and fetching the certificates that came. Because sendmail is my primary concern, I installed these certificates in /etc/mail/certs.

I was afraid that if they were outside of /etc/mail, sendmail would refuse to read them. And if my operation were not successful in this conservative approach, then it would be a waste of time to try to move these certificates outside of /etc/mail, so I did not even try that because I did not succeed in avoiding the message ``unable to get issuer certificate''.

I got three certificates with the -showcerts option of OpenSSL. They were GTS_Root_R1_2028.pem---this expires in 2028, but I already had one for GTS Root R1 that expires in 2036---, GTS_WR2_RSA.pem and GTS_WR2_EC.pem. I obtained them with

  openssl s_client -connect aspmx.l.google.com:25 \
    -starttls smtp \
    -showcerts </dev/null

I obtained the hash of each certificate with, for example,

  openssl x509 -noout -hash < GTS_Root_R1_2028.pem

Then I created the symbolic links using these hashes, as ls shows below.

  # pwd
  /etc/mail/certs
  # ls -l
  total 88
  lrwxr-xr-x  1 root  wheel    20 Nov 12 08:26 1001acf7.0 -> GTS_Root_R1_2028.pem
  lrwxr-xr-x  1 root  wheel    10 Nov  1 14:17 382a9cdc.0 -> cacert.pem
  lrwxr-xr-x  1 root  wheel    15 Nov 12 08:26 3c8b39ef.0 -> GTS_WR2_RSA.pem
  lrwxr-xr-x  1 root  wheel    19 Nov 12 07:48 462422cf.0 -> ca-lets-encrypt.pem
  lrwxr-xr-x  1 root  wheel    14 Nov 12 08:26 6264a34a.0 -> GTS_WR2_EC.pem
  -rw-r--r--  1 root  wheel  1566 Nov 10 07:44 ca-lets-encrypt.pem
  -rw-r--r--  1 root  wheel  1318 Nov  1 14:17 cacert.pem
  -rw-r--r--  1 root  wheel  1927 Nov 12 08:25 GTS_Root_R1_2028.pem
  -r--r--r--  1 root  wheel  7395 Nov 12 08:25 GTS_Root_R1.pem
  -rw-r--r--  1 root  wheel  2407 Nov 12 08:25 GTS_WR2_EC.pem
  -rw-r--r--  1 root  wheel  1809 Nov 12 08:25 GTS_WR2_RSA.pem
  -rw-r--r--  1 root  wheel  1350 Nov  1 14:17 host.cert.original
  -rw-r--r--  1 root  wheel  2835 Nov  8 21:15 host.cert.pem
  -rw-------  1 root  wheel  1704 Nov  1 14:17 host.key.original
  -rw-------  1 root  wheel   241 Nov  8 21:15 host.key.pem

But that did not change those log messages. I don't know how to debug sendmail to the point of seeing which files it is reading.
Thanks for any advice you might have.
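Editor's note: the example below is added here and is not part of the post. The "verifymsg=" text sendmail logs is OpenSSL's own verification error string, and the directory sendmail is configured with (confCACERT_PATH, /etc/mail/certs in the post) is handed to OpenSSL as its CApath, so OpenSSL's chain-building rules decide what that message means. The script builds a throwaway root -> intermediate -> leaf PKI with openssl, lays out a CApath directory with <hash>.0 links exactly as the post does, and shows which trust-directory layout produces "unable to get issuer certificate" as opposed to "unable to get local issuer certificate". It goes one step beyond the post by also verifying with the intermediate supplied the way a STARTTLS peer sends it (-untrusted). It assumes openssl 1.1.1 or later on PATH; the scratch directory, subject names and function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post: a throwaway root -> intermediate -> leaf PKI
# used to reproduce the chain-building verdicts OpenSSL gives for a -CApath
# directory laid out the way the post lays out /etc/mail/certs (<hash>.0 links).
set -eu

WORK=$(mktemp -d)        # constructed scratch directory; nothing here touches /etc/mail
CAPATH="$WORK/certs"     # stands in for the trust directory sendmail hands OpenSSL as CApath
mkdir -p "$CAPATH"

# Build the test PKI. All subject names are made up for this example.
build_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test $name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  # self-signed root CA
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # intermediate CA, signed by the root
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # end-entity certificate, signed by the intermediate
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# Link a certificate into CAPATH under its subject hash, exactly as the post does
# (<hash>.0 -> file). That name is what OpenSSL's CApath lookup searches for; a
# second certificate with the same hash would need the suffix .1, .2, ...
install_ca() {
  ln -sf "$1" "$CAPATH/$(openssl x509 -noout -hash -in "$1").0"
}

empty_capath() { rm -f "$CAPATH"/*; }

# Verify the leaf against CAPATH and return OpenSSL's verdict text.
# $1 (optional): PEM file of intermediates "sent by the peer", passed as -untrusted,
# which is how a STARTTLS client receives the server's chain.
verify_leaf() {
  if [ $# -gt 0 ]; then
    openssl verify -CApath "$CAPATH" -untrusted "$1" "$WORK/leaf.pem" 2>&1 || true
  else
    openssl verify -CApath "$CAPATH" "$WORK/leaf.pem" 2>&1 || true
  fi
}

# Four trust-directory layouts. Each returns OpenSSL's verdict text.
scenario_root_only() {            # root trusted, intermediate available nowhere
  empty_capath; install_ca "$WORK/root.pem"; verify_leaf
}
scenario_int_only() {             # intermediate hash-linked, root missing
  empty_capath; install_ca "$WORK/int.pem"; verify_leaf
}
scenario_root_and_int() {         # both hash-linked
  empty_capath; install_ca "$WORK/root.pem"; install_ca "$WORK/int.pem"; verify_leaf
}
scenario_root_plus_peer_chain() { # root trusted, intermediate arrives from the peer
  empty_capath; install_ca "$WORK/root.pem"; verify_leaf "$WORK/int.pem"
}

verdict_contains() {   # $1 = verdict text, $2 = expected substring
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

build_test_pki
for s in scenario_root_only scenario_int_only scenario_root_and_int scenario_root_plus_peer_chain; do
  printf '%s:\n%s\n\n' "$s" "$($s)"
done
```

The two failure texts are different OpenSSL errors. "unable to get local issuer certificate" (scenario_root_only) means the leaf's issuer was found neither among the certificates the peer sent nor in the trust directory. "unable to get issuer certificate", the text in the post's log line, is what scenario_int_only produces: an issuer was found in the trust directory through its hash link, but that certificate's own issuer could not be found there. The check a practitioner would run against a real trust directory is the same command the script uses, with the chain saved from the post's s_client -showcerts output: openssl verify -CApath /etc/mail/certs -untrusted <intermediates.pem> <leaf.pem>, which exercises exactly the lookups sendmail performs without needing to trace the daemon. scenario_root_plus_peer_chain also shows that when the peer sends its intermediates, only the root needs a hash link in the trust directory.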