I've been meaning to use the aerc mail client on Alpine Linux. I
currently have two Alpine machines: a ThinkPad running the latest Alpine
Linux and a PinePhone running postmarketOS.
In both of those machines, I try to use my working mail configuration
for my personal email server, the one I'm sending this email from, which
has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
either of them.
I try running update-ca-certificates with root privileges and get the
following message:
WARNING: ca-certificates.crt does not contain exactly one
certificate or CRL: skipping
Has anyone had to troubleshoot through something similar?
Hi,
On 2022-06-04 10:44:46 +0200, Bosco Vallejo-Nágera wrote:
> I've been meaning to use the aerc mail client on alpine linux, I
> currently have two alpine machines, a thinkpad running the latest alpine
> linux and a pinephone running postmarket os.
> In both of those machines, I try to use my working mail configuration
> for my personal email server, the one I'm sending this email from, which
> has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
> either of them.
> I try running update-ca-certificates with root privileges and get the
> following message:
> WARNING: ca-certificates.crt does not contain exactly one
> certificate or CRL: skipping
> Has anyone had to troubleshoot through something similar?
I'm using my own mail server as well (with Let's Encrypt's cert) and it
works fine with mutt. Is your server correctly configured? Does it send
the whole certificate chain?
W.
--
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
On Sat Jun 4, 2022 at 10:44 AM CEST, Bosco Vallejo-Nágera wrote:
> I've been meaning to use the aerc mail client on alpine linux, I
> currently have two alpine machines, a thinkpad running the latest alpine
> linux and a pinephone running postmarket os.
> In both of those machines, I try to use my working mail configuration
> for my personal email server, the one I'm sending this email from, which
> has an SSL certificate uploaded to Let's Encrypt, but it doesn't work in
> either of them.
> I try running update-ca-certificates with root privileges and get the
> following message:
> WARNING: ca-certificates.crt does not contain exactly one
> certificate or CRL: skipping
this is just an unrelated warning and doesn't really mean anything
> Has anyone had to troubleshoot through something similar?
the server has to send a full chain for it to be valid - you can try
debugging with something like:
openssl s_client -showcerts -starttls smtp -connect yourserver:587
(or whatever port it's really on)
that should print you the chain (and openssl will also try to 'validate' it
and say what's wrong). from there, you should see a valid certificate,
and the entire fullchain. if not, the server is misconfigured.
The mail server happens to be alpine too.
I'm using smtpd and dovecot, so if there's anything wrong I don't know
which one to change.
I've tried changing the smtpd cert from the cert to the fullchain, but
that doesn't seem to do the trick.
Dovecot has both set up. I still don't understand why the config will
work in other systems but not in Alpine.
I'm getting the following output when trying to get the fullchain. It
appears to be correct, yet it still won't work. I'm skipping the
certificates to keep this short:
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = vallejonagera.xyz
verify return:1
---
Certificate chain
0 s:/CN=vallejonagera.xyz
i:/C=US/O=Let's Encrypt/CN=R3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vallejonagera.xyz
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 5282 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 580F4A9097C3CE9AADB4427325671FEED940B609CBD7C22868572C61CE4C9C40617564B4A12EE3E2081E882D2EF4EA48
Start Time: 1654449014
Timeout : 7200 (sec)
Verify return code: 0 (ok)
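
Added example, not part of the thread: a shell function that reads the `openssl s_client -showcerts` output suggested above and checks that each certificate the server sent is issued by the one sent after it, flagging a leaf-only or mis-ordered chain. The function name, exit codes and the leaf-only sample are assumptions made for this example; it checks only what the server sent, not trust, which the `Verify return code` line reports.

```shell
# Added example (not from the thread): reads `openssl s_client -showcerts`
# output on stdin and checks the chain the server actually sent.
# Exit codes (example's convention): 0 linked, 1 leaf only, 2 broken link, 3 no chain.
check_chain() {
    awk '
        BEGIN { n = 0 }
        # "<depth> s:<subject>" opens an entry; its "i:<issuer>" line follows.
        /^ *[0-9]+ s:/   { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        /^ *i:/ && n > 0 { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 3 }
            # Each certificate must be issued by the one sent right after it.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "broken link: cert %d is not issued by cert %d\n", k, k + 1
                    exit 2
                }
            if (n == 1) { print "leaf only: no intermediate sent"; exit 1 }
            printf "ok: %d certificates, top issuer %s\n", n, iss[n - 1]
        }'
}

# Chain entries as posted in the thread (PEM bodies were omitted there too).
sample_full() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=vallejonagera.xyz
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=R3
EOF
}

# Constructed input: what a server configured with only its own cert sends.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=R3
EOF
}

# Live use: openssl s_client -showcerts -starttls smtp -connect yourserver:587 </dev/null | check_chain
sample_full | check_chain
sample_leaf_only | check_chain || echo "exit status $?"
```

The same function can be run against the output for each service on the host, since smtpd and Dovecot load their certificates from separate configuration.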