SSL/TLS certificate verification errors

From Claws Mail FAQ
Revision as of 15:56, 29 March 2018 by Ohir (Talk | contribs) ('No certificate issuer found' during verification likely is caused by unreadable or misconfigured system certificate store.)


TL;DR: 'No certificate issuer found' during verification is most likely caused by an unreadable or misconfigured system certificate store.


Claws Mail uses the GnuTLS or OpenSSL libraries for encryption (via its libetpan dependency).

Upon connection, the certificate presented by the server is always checked for validity. This entails checking the whole chain of certificates, from the CA root certificate through any intermediate certificates to the one presented by the mail server. For that chain verification to succeed, the SSL library must be able to read the root certificate from the local system store (a file or directory).

The location of this certificate store varies significantly from one distro to another, and if the root CA certificate is unreadable by a user process (i.e. claws-mail), verification fails with cryptic error messages shown in the 'Certificates change' dialog.

You may see 'No certificate issuer found', then 'Signature: Uncheckable'.

This usually means that the SSL library cannot get the CA root certificate from the store, e.g. because the store is not readable. It does happen that a certificates upgrade package sets bad permissions on the store file or directory, so this is the first thing to check after seeing the aforementioned errors. If the store is readable, the errors MAY signal that you really have been served a forged certificate, or that someone allowed an intermediate certificate to expire.


Listed below are the current (2018) locations of system certificate stores:

SUSE: /var/lib/ca-certificates/ca-bundle.pem (file)

Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt

Historically known 'standardized' certificate store locations:

/usr/share/ssl/certs/
/usr/share/ssl/
/usr/share/ssl/cert.pem (file)
/etc/ssl/certs/
/etc/ssl/certs/ca-bundle.crt (file)
/etc/ssl/certs/ca-certificates.crt (file)
/etc/pki/tls/certs/ca-bundle.crt (file)
/etc/pki/tls/certs/ca-bundle.trust.crt (file)
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/System/Library/OpenSSL/
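
The readability check described above can be scripted over the locations listed on this page. The following is an added example, not part of the original FAQ or of Claws Mail; the function names and status words are assumptions chosen here. Run it as the same user that runs claws-mail, since the result depends on that user's permissions.

```shell
#!/bin/sh
# Added example: classify a candidate CA store as seen by the current user.
# check_store PATH prints one of:
#   missing     path does not exist (or a parent directory is not traversable)
#   unreadable  exists, but this user lacks read (or, for a dir, search) permission
#   no-certs    readable, but no PEM certificate could be read from it
#   ok          at least one PEM certificate was read
# "TRUSTED CERTIFICATE" is the header OpenSSL uses for trust-annotated bundles.
PEM_RE='-----BEGIN (TRUSTED )?CERTIFICATE-----'

check_store() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -d "$p" ]; then
        # A directory store needs both list (r) and traverse (x) permission.
        if [ ! -r "$p" ] || [ ! -x "$p" ]; then
            echo unreadable
        elif grep -Eqs -e "$PEM_RE" "$p"/*; then
            echo ok
        else
            echo no-certs
        fi
    elif [ ! -r "$p" ]; then
        echo unreadable
    elif grep -Eqs -e "$PEM_RE" "$p"; then
        echo ok
    else
        echo no-certs
    fi
}

# Walk the store locations listed on this page and report each one.
scan_known_stores() {
    for s in /var/lib/ca-certificates/ca-bundle.pem \
             /etc/ssl/certs/ /etc/ssl/certs/ca-certificates.crt \
             /etc/ssl/certs/ca-bundle.crt /usr/share/ssl/certs/ \
             /usr/share/ssl/ /usr/share/ssl/cert.pem \
             /etc/pki/tls/certs/ca-bundle.crt \
             /etc/pki/tls/certs/ca-bundle.trust.crt \
             /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
             /System/Library/OpenSSL/
    do
        printf '%-11s %s\n' "$(check_store "$s")" "$s"
    done
}

scan_known_stores
```

A store reported as `unreadable` or `no-certs` on the path your distro actually uses is the permissions or packaging problem described above; `ok` there means the errors need a closer look at the server's certificate chain.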