Difference between revisions of "SSL/TLS certificate verification errors"
('No certificate issuer found' during verification likely is caused by unreadable or misconfigured system certificate store.) |
m |
||
| Line 2: | Line 2: | ||
| − | Claws Mail uses gnutls | + | Claws Mail uses the gnutls library to deal with encryption. |
| − | Upon connection certificate from the server is always checked for validity. It entails | + | Upon connection the certificate from the server is always checked for validity. It entails |
| − | checking whole chain of certificates from CA root certificate, | + | checking the whole chain of certificates from the CA root certificate, any intermediate |
| − | + | certificates, to the certificate presented by the mail server. For that chained verification to | |
| − | succeed | + | succeed the gnutls library must read the root certificate from the local system (file or directory). |
| − | + | The location of the certificates varies from one distro to the other | |
| − | and if root CA certificate is unreadable by | + | and if the root CA certificate is unreadable by a user process (i.e. claws-mail) then verification fails with |
| − | cryptic error messages shown in 'Certificates change' | + | cryptic error messages shown in 'Certificates change' dialogue. |
| − | You may see | + | You may see 'No certificate issuer found' then 'Signature: Uncheckable'. |
| − | It usually means that | + | It usually means that gnutls library cannot read the CA root certificate, |
| − | because | + | because, e.g., it is not readable. It can happen that upgrade of a certificates package sets wrong |
| − | permissions on the | + | permissions on the file or directory, so that is the first thing to check after seeing such |
| − | errors. If the | + | errors. If the file/directory is readable it may be that that one of the intermediate certificates has expired, |
| − | certificate | + | or that that you really have received a forged certificate. |
| − | + | Listed below are the current (2018) locations of system certificates: | |
| − | |||
| − | |||
<pre> | <pre> | ||
| + | Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt | ||
SUSE: /var/lib/ca-certificates/ca-bundle.pem (file) | SUSE: /var/lib/ca-certificates/ca-bundle.pem (file) | ||
| − | |||
| − | |||
</pre> | </pre> | ||
| − | Historical known 'standardized' | + | Historical known 'standardized' certificate locations: |
<pre> | <pre> | ||
/usr/share/ssl/certs/ | /usr/share/ssl/certs/ | ||
Revision as of 16:11, 29 March 2018
TL;DR 'No certificate issuer found' during verification likely is caused by unreadable or misconfigured system certificate store.
Claws Mail uses the gnutls library to deal with encryption.
Upon connection the certificate from the server is always checked for validity. It entails checking the whole chain of certificates from the CA root certificate, any intermediate certificates, to the certificate presented by the mail server. For that chained verification to succeed the gnutls library must read the root certificate from the local system (file or directory).
The location of the certificates varies from one distro to the other and if the root CA certificate is unreadable by a user process (i.e. claws-mail) then verification fails with cryptic error messages shown in 'Certificates change' dialogue.
You may see 'No certificate issuer found' then 'Signature: Uncheckable'.
It usually means that gnutls library cannot read the CA root certificate, because, e.g., it is not readable. It can happen that upgrade of a certificates package sets wrong permissions on the file or directory, so that is the first thing to check after seeing such errors. If the file/directory is readable it may be that that one of the intermediate certificates has expired, or that that you really have received a forged certificate.
Listed below are the current (2018) locations of system certificates:
Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt SUSE: /var/lib/ca-certificates/ca-bundle.pem (file)
Historical known 'standardized' certificate locations:
/usr/share/ssl/certs/ /usr/share/ssl/ /usr/share/ssl/cert.pem (file) /etc/ssl/certs/ /etc/ssl/certs/ca-bundle.crt (file) /etc/ssl/certs/ca-certificates.crt (file) /etc/pki/tls/certs/ca-bundle.crt (file) /etc/pki/tls/certs/ca-bundle.trust.crt (file) /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /System/Library/OpenSSL/
