SSL/TLS certificate verification errors

From Claws Mail FAQ

The warning 'No certificate issuer found' during verification is likely to be caused by an unreadable or misconfigured system certificate location.

Claws Mail uses the GnuTLS library to deal with encryption.

On every connection, the certificate from the server is checked for validity. This entails verifying the whole chain of certificates, from the CA root certificate through any intermediate certificates to the certificate presented by the mail server. For that chain verification to succeed, the GnuTLS library must be able to read the root certificate from the local system (a file or a directory).

The location of the certificates varies from one distro to another, and if the root CA certificate is unreadable by a user process (i.e. claws-mail), verification fails with cryptic error messages shown in the 'Certificates change' dialogue.

You may see 'No certificate issuer found' then 'Signature: Uncheckable'.

It usually means that the GnuTLS library cannot read the CA root certificate, e.g. because the file is not readable. An upgrade of a certificates package can set wrong permissions on the file or directory, so that is the first thing to check after seeing such errors. If the file/directory is readable, it may be that one of the intermediate certificates has expired, or that you really have received a forged certificate.

Listed below are the current (2018) locations of system certificates:

Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt
SUSE: /var/lib/ca-certificates/ca-bundle.pem (file)

Historical known 'standardized' certificate locations:

/usr/share/ssl/certs/
/usr/share/ssl/
/usr/share/ssl/cert.pem (file)
/etc/ssl/certs/
/etc/ssl/certs/ca-bundle.crt (file)
/etc/ssl/certs/ca-certificates.crt (file)
/etc/pki/tls/certs/ca-bundle.crt (file)
/etc/pki/tls/certs/ca-bundle.trust.crt (file)
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/System/Library/OpenSSL/
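
The permission check described above can be scripted. The following is an added example, not part of the Claws Mail FAQ or of Claws Mail itself; run it as the same user that runs claws-mail. The paths are taken from the lists on this page, and the names `check_ca_path` and `report` are illustrative.

```shell
#!/bin/sh
# Added example: report whether the CA locations named on this page are
# usable by the current user, i.e. the user that runs claws-mail.

# Paths copied from the lists on this page.
CA_PATHS="/etc/ssl/certs /etc/ssl/certs/ca-certificates.crt
/var/lib/ca-certificates/ca-bundle.pem /etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.trust.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# check_ca_path PATH -> prints one of: missing unreadable empty ok
check_ca_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing        # absent, or a dangling symlink
    elif [ -d "$p" ]; then
        # A directory needs read (list) and execute (traverse) permission.
        if [ ! -r "$p" ] || [ ! -x "$p" ]; then
            echo unreadable
        elif [ -z "$(ls -A "$p" 2>/dev/null)" ]; then
            echo empty
        else
            echo ok
        fi
    elif [ ! -r "$p" ]; then
        echo unreadable
    elif ! grep -q 'BEGIN .*CERTIFICATE' "$p" 2>/dev/null; then
        echo empty          # readable, but no PEM certificate inside
    else
        echo ok
    fi
}

# report: one line per existing path, with its status, mode and owner.
report() {
    for p in $CA_PATHS; do
        st=$(check_ca_path "$p")
        [ "$st" = missing ] && continue
        printf '%-11s %s\n' "$st" "$(ls -ldL "$p")"
    done
}

report
```

Any line starting with `unreadable` or `empty` points at the permission or packaging problem described above; the mode and owner columns show what needs correcting. Running it as root hides permission problems, because root can read files regardless of their mode.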