Bug #6687
closed
Secure email fails with private CA
0%
Description
If a private CA such as a self signed enterprise CA is in use, the CA is not recognized when establishing SMTP connections even though the CA certificate has been imported in System / Certificate Manager / CAs.
The reason for this is that the imported CA certificate is not stored in a location/manner available to OpenSSL. One solution (there may be others) to this issue is to append imported CA certificates to /usr/local/share/certs/ca-root-nss.crt.
Updated by Kill Bill over 7 years ago
Any attempts to do certificate validation here should be completely optional here (as in, a separate checkbox). Way too many mailservers have self-signed certificates or certificates that don't validate in one way or the other.
Updated by Denny Page over 7 years ago
The concept of an option to ignore certificate validation is completely unrelated to this issue.
Updated by Ross Williams about 7 years ago
I am interested in implementing a related feature that allows a "private CA" to be installed as a trusted root that is validated against when performing package updates. Appending to the ca-root-nss.crt file gets the job done, but is bad(tm) because that file belongs to an installed package. The better solution is to create a directory under /usr/local/etc/ssl called /usr/local/etc/ssl/crt and then configure OpenSSL to look there for additional certs.
I'm imagining that putting the OpenSSL environment variables that cause cURL to use that certs directory at the earliest point possible in the init process would also cause most other OpenSSL-based applications to also look for additional certs. Is this still an issue for you, Denny?
Updated by Jim Pingle over 4 years ago
- Category set to Notifications
- Status changed from New to Duplicate