[SOLVED] suddenly ca-cert isn't trusted anymore

gorillus · 09-28-2011, 02:45 PM

Some days ago I was able to send mails with mutt/msmtp, but today I got (with msmtp -d):

Code:

msmtp: TLS certificate verification failed: the certificate is not trusted
msmtp: could not send mail (account arcor from /home/xxx/.msmtprc)
ignoring system configuration file /etc/msmtprc: Datei oder Verzeichnis nicht gefunden
loaded user configuration file /home/xxx/.msmtprc
using account arcor from /home/xxx/.msmtprc
host                  = mail.arcor.de
port                  = 25
timeout               = off
protocol              = smtp
domain                = localhost
auth                  = choose
user                  = xxx
password              = *
ntlmdomain            = (not set)
tls                   = on
tls_starttls          = on
tls_trust_file        = /etc/ssl/certs/ca-certificates.crt
tls_crl_file          = (not set)
tls_fingerprint       = (not set)
tls_key_file          = (not set)
tls_cert_file         = (not set)
tls_certcheck         = on
tls_force_sslv3       = on
tls_min_dh_prime_bits = (not set)
tls_priorities        = (not set)
auto_from             = off
maildomain            = (not set)
from                  = xxx@arcor.de
dsn_notify            = (not set)
dsn_return            = (not set)
keepbcc               = off
logfile               = /home/xxx/.msmtp.log
syslog                = (not set)
reading recipients from the command line
<-- 220 mail-in-11.arcor-online.net ESMTP arcor.de Mailservices usermail^M
--> EHLO localhost^M
<-- 250-mail-in-11.arcor-online.net^M
<-- 250-PIPELINING^M
<-- 250-SIZE 48000000^M
<-- 250-ETRN^M
<-- 250-STARTTLS^M
<-- 250-AUTH PLAIN LOGIN^M
<-- 250-AUTH=PLAIN LOGIN^M
<-- 250-ENHANCEDSTATUSCODES^M
<-- 250-8BITMIME^M
Ausgabe des Auslieferungs-Prozesses (96%)                                                   
Fehler 69 beim Versand der Nachricht (Service unavailable.).

I use Slackware 13.37 and didn't changed anything since the last e-mail...

my .msmtprc:

Code:

  # Set default values for all following accounts.
     defaults
     tls_trust_file /etc/ssl/certs/ca-certificates.crt
     tls on
     logfile ~/.msmtp.log
     
     # Arcor
     account arcor 
     host mail.arcor.de
     from xxx@arcor.de
     auth on
     user xxx 
     password *******
     
    

     # Set a default account
     account default : arcor

Code:

msmtp --serverinfo --host=mail.arcor.com --tls=on --tls-certcheck=off

tells me:

Code:

msmtp --serverinfo --host=mail.arcor.de --tls=on --tls-certcheck=off
SMTP server at mail.arcor.de (mail.arcor-online.net [151.189.21.116]), port 25:
    mail-in-11.arcor-online.net ESMTP arcor.de Mailservices usermail
TLS certificate information:
    Owner:
        Common Name: mail.arcor.de
        Organization: Vodafone D2 GmbH
        Locality: Duesseldorf
        State or Province: NRW
        Country: DE
    Issuer:
        Common Name: Thawte SSL CA
        Organization: Thawte, Inc.
        Country: US
    Validity:
        Activation time: Mo 26 Sep 2011 02:00:00 CEST
        Expiration time: Sa 26 Sep 2015 01:59:59 CEST
    Fingerprints:
        SHA1: 97:13:7B:28:89:1C:66:57:3B:A9:DB:4C:CF:1B:B1:1C:8E:09:D5:A5
        MD5:  0F:D7:FE:C0:B9:43:CE:FF:A6:DB:C2:80:6B:34:F3:AB
Capabilities:
    SIZE 48000000:
        Maximum message size is 48000000 bytes = 45,78 MiB
    PIPELINING:
        Support for command grouping for faster transmission
    ETRN:
        Support for RMQS (Remote Message Queue Starting)
    DSN:
        Support for Delivery Status Notifications
    STARTTLS:
        Support for TLS encryption via the STARTTLS command
    AUTH:
        Supported authentication methods:
        PLAIN LOGIN

Any help? (Could it be that ca-certificates is not up to date?)

audriusk · 09-29-2011, 03:52 AM

Could you run msmtp with LANG=C?

Code:

$ LANG=C msmtp -d

It's hard to understand error messages when one doesn't speak German.

I also doubt this is the problem with certificate, as I was able to connect to this SMTP server using openssl without any problems:

Code:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.arcor.de:smtps
<skipped openssl output>
---
220 mail-in-14.arcor-online.net ESMTP arcor.de Mailservices usermail
quit
221 2.0.0 Bye
read:errno=0

On the other hand, the certificate on that server was issued quite recently...

Code:

    Validity:
        Activation time: Mo 26 Sep 2011 02:00:00 CEST
        Expiration time: Sa 26 Sep 2015 01:59:59 CEST

Wim2 · 09-29-2011, 09:29 AM

Hi gorillus,
arcor got a new ca-certifcate on the 26 September 2011 (see the output of msmtp --serverinfo --host=mail.arcor.com --tls=on --tls-certcheck=off). New certificates for mail.arcor.de are available here: ftp://ftp.arcor.de/pub/certs/. You'll need the mail.arcor.de.crt file.

Then:
Compute the MD5 sum and store it in a file: md5sum mail.arcor.de.crt > arcor.md5
Check for validity with: md5sum -c arcor.md5
You should get: mail.arcor.de.crt: OK

Under Debian according to the documentation:
If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with “.crt“ into “/usr/local/share/ca-certificates” and re-run “update-ca-certificates”.

I presume there some similar mechanism under slackware to install a certificate.
Hope that helps.
Wim2.

gorillus · 09-29-2011, 10:47 AM

Thank you both! The mail.arcor.de.cert worked :-D Sorry for the German language - The German parts are not that important, that's why I left them