Difference between revisions of "SSL/TLS certificate verification errors"

From Claws Mail FAQ

Revision as of 14:56, 29 March 2018

TL;DR: 'No certificate issuer found' during verification is most likely caused by an unreadable or misconfigured system certificate store.


Claws Mail uses the GnuTLS or OpenSSL libraries (through its libetpan dependency) to handle TLS encryption.

Upon connection, the certificate presented by the server is always checked for validity. This entails verifying the whole chain of certificates, from the CA root certificate through any intermediate certificates down to the one presented by the mail server. For that chain verification to succeed, the SSL library must be able to read the root certificate from a local system store (a file or a directory).

The location of this certificate store varies significantly from one distro to another, and if the root CA certificate is unreadable by a user process (i.e. claws-mail) then verification fails with cryptic error messages shown in the 'Certificates change' dialog.

You may see 'No certificate issuer found' and then 'Signature: Uncheckable'.

This usually means that the SSL library cannot get the CA root certificate from the store, e.g. because the store is not readable. It happens that a certificates upgrade package sets bad permissions on the store file or directory, so this is the first thing to check after seeing the aforementioned errors. If the store is readable, it MAY signal that you really have been handed a forged certificate, or that someone allowed an intermediate certificate to expire.


Below are the current (2018) locations of system certificate stores:

SUSE: /var/lib/ca-certificates/ca-bundle.pem (file)

Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt

Historically known 'standardized' certificate store locations:

/usr/share/ssl/certs/
/usr/share/ssl/
/usr/share/ssl/cert.pem (file)
/etc/ssl/certs/
/etc/ssl/certs/ca-bundle.crt (file)
/etc/ssl/certs/ca-certificates.crt (file)
/etc/pki/tls/certs/ca-bundle.crt (file)
/etc/pki/tls/certs/ca-bundle.trust.crt (file)
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/System/Library/OpenSSL/
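A small shell helper, added here as an example and not part of Claws Mail or this FAQ, that performs the 'first check' described above: it reports how each candidate store location looks to the current unprivileged account (missing, unreadable, empty, or usable), and once a readable store is found, verifies a mail server's chain against it with openssl s_client, as the TLS library would. The candidate list is taken from the locations above, and HOST/PORT in verify_chain are placeholders.

```shell
#!/bin/sh
# Added example: inspect candidate CA store locations the way an unprivileged
# claws-mail process sees them, then verify a server chain against one of them.

# Candidate store locations (the FAQ's 2018 and historical list); adjust for your distro.
CA_STORE_CANDIDATES="
/var/lib/ca-certificates/ca-bundle.pem
/etc/ssl/certs
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
"

# Number of PEM certificates in a bundle file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print one word describing a store path: missing, unreadable, empty, nopem or ok.
# Returns 0 only for ok, so callers can branch on it.
ca_store_status() {
    p=$1
    [ -e "$p" ] || { echo missing; return 1; }
    if [ -d "$p" ]; then
        # A directory store needs read AND search (x) permission to be usable.
        { [ -r "$p" ] && [ -x "$p" ]; } || { echo unreadable; return 1; }
        [ -n "$(ls -A "$p" 2>/dev/null)" ] || { echo empty; return 1; }
    else
        [ -r "$p" ] || { echo unreadable; return 1; }
        [ "$(count_certs "$p")" -gt 0 ] || { echo nopem; return 1; }
    fi
    echo ok
}

# Report every candidate from this account, e.g. "/etc/ssl/certs   ok".
scan_ca_stores() {
    for p in $CA_STORE_CANDIDATES; do
        printf '%-55s %s\n' "$p" "$(ca_store_status "$p")"
    done
}

# Verify the mail server's chain against a readable store, as the TLS library would.
# HOST and PORT are placeholders; add -starttls smtp for a STARTTLS submission port.
verify_chain() {  # usage: verify_chain HOST PORT STORE
    if [ -d "$3" ]; then opt=-CApath; else opt=-CAfile; fi
    openssl s_client -connect "$1:$2" "$opt" "$3" -verify_return_error </dev/null
}

scan_ca_stores
```

A store reported as 'unreadable' reproduces the 'No certificate issuer found' symptom even though the certificates exist; an 'ok' store that still fails verify_chain points at the server's chain (forged or expired intermediate) rather than at the local machine.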