~alpine/users

Mail SSL on alpine linux

Bosco Vallejo-Nágera <bosco@vallejonagera.xyz>
Message ID: <CKH7UOGY6G5S.1MCYMKG4UNLI3@MacBook-Pro-de-Bosco.local>
I've been meaning to use the aerc mail client on alpine linux, I
currently have two alpine machines, a thinkpad running the latest alpine
linux and a pinephone running postmarket os.
In both of those machines, I try to use my working mail configuration
for my personal email server, the one I'm sending this email from, which
has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
either of them.
I try running update-ca-certificates with root privileges and get the
following message:
    WARNING: ca-certificates.crt does not contain exactly one
    certificate or CRL: skipping
Has anyone had to troubleshoot through something similar?
Message ID: <YptZ+nPpzcufu+37@ws>
In-Reply-To: <CKH7UOGY6G5S.1MCYMKG4UNLI3@MacBook-Pro-de-Bosco.local>
Hi,

On 2022-06-04 10:44:46 +0200, Bosco Vallejo-Nágera wrote:
> I've been meaning to use the aerc mail client on alpine linux, I
> currently have two alpine machines, a thinkpad running the latest alpine
> linux and a pinephone running postmarket os.
> In both of those machines, I try to use my working mail configuration
> for my personal email server, the one I'm sending this email from, which
> has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
> either of them.
> I try running update-ca-certificates with root privileges and get the
> following message:
>     WARNING: ca-certificates.crt does not contain exactly one
>     certificate or CRL: skipping
> Has anyone had to troubleshoot through something similar?

I'm using my own mail server as well (with Let's Encrypt's cert) and it
works fine with mutt. Is your server correctly configured? Does it send
whole certificate chain?

W.

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
Message ID: <CKHE4LOPEXLP.TF1JE6YCORR2@sumire>
In-Reply-To: <CKH7UOGY6G5S.1MCYMKG4UNLI3@MacBook-Pro-de-Bosco.local>
On Sat Jun 4, 2022 at 10:44 AM CEST, Bosco Vallejo-Nágera wrote:
> I've been meaning to use the aerc mail client on alpine linux, I
> currently have two alpine machines, a thinkpad running the latest alpine
> linux and a pinephone running postmarket os.
> In both of those machines, I try to use my working mail configuration
> for my personal email server, the one I'm sending this email from, which
> has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
> either of them.
> I try running update-ca-certificates with root privileges and get the
> following message:
>     WARNING: ca-certificates.crt does not contain exactly one
>     certificate or CRL: skipping
this is just an unrelated warning and doesn't really mean anything
> Has anyone had to troubleshoot through something similar?

the server has to send a full chain for it to be valid- you can try
debugging with something like:

openssl s_client -showcerts -starttls smtp -connect yourserver:587

(or whatever port it's really on)

that should print you the chain (and openssl will also try to 'validate' it
and say what's wrong). from there, you should see a valid certificate,
and the entire fullchain. if not, the server is misconfigured.
Bosco Vallejo-Nágera <bosco@vallejonagera.xyz>
Message ID: <CKHIXTFSIX5C.3IGHKLSUJZLRA@MacBook-Pro-de-Bosco.local>
In-Reply-To: <CKHE4LOPEXLP.TF1JE6YCORR2@sumire>
The mail server happens to be alpine too.
I'm using smtpd and dovecot, so if there's anything wrong I don't know
which one to change.
I've tried changing the smtpd cert from the cert to the fullchain, but
that doesn't seem to do the trick.
Dovecot has both set up. I still don't understand why the config will
work in other systems but not in Alpine
Bosco Vallejo-Nágera <bosco@vallejonagera.xyz>
Message ID: <CKIDAJPFCSZS.QL2OW12U75SZ@MacBook-Pro-de-Bosco.local>
In-Reply-To: <YptZ+nPpzcufu+37@ws>
I'm getting the following output when trying to get the fullchain, it
appears to be correct yet it still won't work, I'm skipping the
certificates for keeping this short

CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = vallejonagera.xyz
verify return:1
---
Certificate chain
 0 s:/CN=vallejonagera.xyz
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vallejonagera.xyz
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5282 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 580F4A9097C3CE9AADB4427325671FEED940B609CBD7C22868572C61CE4C9C40617564B4A12EE3E2081E882D2EF4EA48
    Start Time: 1654449014
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
Bosco Vallejo-Nágera <bosco@vallejonagera.xyz>
Message ID: <CKLJ4R4FFIH7.3S96VK87T9V9C@thinkpad>
In-Reply-To: <CKHE4LOPEXLP.TF1JE6YCORR2@sumire>
It was the dovecot settings in my server. Apologies for the nuisance.
I had the cert instead of the fullchain
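
Added example, not part of the original messages: a shell function that reads `openssl s_client -showcerts` output and reports whether the server sent only its leaf certificate (the dovecot misconfiguration found in this thread) or a linked chain. The function name `chain_report`, the sample transcripts and the host `mail.example.org` are constructed for illustration.

```shell
# Added example (not from the thread): classify the "Certificate chain" section
# of `openssl s_client -showcerts` output read from stdin.
# Prints "<verdict> <count>": no-certs | leaf-only | chain-broken | chain-ok
chain_report() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---$/  { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {      # " 0 s:<subject>"
            sub(/^ *[0-9]+ s:/, ""); subject[n++] = $0; next
        }
        in_chain && /^ +i:/ {             # "   i:<issuer>"
            sub(/^ +i:/, ""); if (n > 0) issuer[n - 1] = $0
        }
        END {
            if (n == 0) { print "no-certs 0"; exit }
            if (n == 1) { print "leaf-only 1"; exit }
            # Each issuer must equal the subject of the next certificate sent.
            for (k = 0; k < n - 1; k++)
                if (issuer[k] != subject[k + 1]) { print "chain-broken " n; exit }
            print "chain-ok " n
        }'
}

# Constructed transcript: server sends leaf plus intermediate (fullchain).
sample_fullchain() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
EOF
}
# Constructed transcript: server sends only the leaf (cert instead of fullchain).
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=R3
---
EOF
}

sample_fullchain | chain_report    # chain-ok 2
sample_leaf_only | chain_report    # leaf-only 1
```

Against a live server, pipe `openssl s_client -showcerts -connect yourserver:993 </dev/null` into `chain_report`; port 993 (IMAPS) is an assumption about where dovecot listens, so check each service separately since smtpd and dovecot are configured independently.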