Difference between revisions of "SSL/TLS certificate verification errors"

From Claws Mail FAQ
Latest revision as of 17:13, 29 March 2018

The warning 'No certificate issuer found' during verification is likely to be caused by an unreadable or misconfigured system certificate location.

Claws Mail uses the gnutls library to deal with encryption.

Upon connection, the certificate presented by the server is always checked for validity. This entails verifying the whole chain of certificates, from the CA root certificate through any intermediate certificates to the certificate presented by the mail server. For that chain verification to succeed, the gnutls library must be able to read the root certificate from the local system (a file or a directory).

The location of these certificates varies from one distribution to another, and if the root CA certificate is unreadable by the user process (i.e. claws-mail), verification fails with cryptic error messages shown in the 'Certificates change' dialogue.

You may see 'No certificate issuer found' then 'Signature: Uncheckable'.

This usually means that the gnutls library cannot read the CA root certificate, e.g. because the file permissions do not allow it. An upgrade of a certificates package can set wrong permissions on the file or directory, so that is the first thing to check after seeing such errors. If the file/directory is readable, it may be that one of the intermediate certificates has expired, or that you really have received a forged certificate.

Listed below are the current (2018) locations of system certificates:

Debian: /etc/ssl/certs/ and /etc/ssl/certs/ca-certificates.crt
SUSE: /var/lib/ca-certificates/ca-bundle.pem (file)

Historical known 'standardized' certificate locations:

/usr/share/ssl/certs/
/usr/share/ssl/
/usr/share/ssl/cert.pem (file)
/etc/ssl/certs/
/etc/ssl/certs/ca-bundle.crt (file)
/etc/ssl/certs/ca-certificates.crt (file)
/etc/pki/tls/certs/ca-bundle.crt (file)
/etc/pki/tls/certs/ca-bundle.trust.crt (file)
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/System/Library/OpenSSL/
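The two checks recommended above (is the CA store readable by the user that runs claws-mail, and has anything in it expired) can be scripted. The following is an added diagnostic example, not part of Claws Mail or of this FAQ; it assumes only POSIX sh, awk and, for the expiry check, the openssl command-line tool, and walks the locations listed on this page.

```sh
#!/bin/sh
# Added example: diagnose the CA-store problems behind 'No certificate issuer found'.
# Not Claws Mail code. Run it as the same user that runs claws-mail, because the
# readability answers depend on who asks. Assumes POSIX sh + awk; openssl optional.

# Candidate CA locations, taken from the list on this page.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs
/var/lib/ca-certificates/ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"

# ca_store_status PATH -> prints one of: missing, unreadable, readable
ca_store_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ -d "$1" ]; then
        # a directory store needs read (to list) and search (to open) permission
        if [ -r "$1" ] && [ -x "$1" ]; then echo readable; else echo unreadable; fi
    elif [ -r "$1" ]; then
        echo readable
    else
        echo unreadable
    fi
}

# count_pem_certs FILE -> number of certificates in a PEM bundle (0 if unreadable)
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# certs_expiring_within FILE SECONDS -> prints "<index>: <subject>" for every
# certificate in the bundle that is already expired or expires within SECONDS.
# Needs the openssl CLI; prints nothing and returns 2 when it is not installed.
certs_expiring_within() {
    bundle=$1; window=$2
    command -v openssl >/dev/null 2>&1 || return 2
    [ -r "$bundle" ] || return 1
    splitdir=$(mktemp -d) || return 1
    # split the bundle into one file per certificate (1.pem, 2.pem, ...)
    awk -v dir="$splitdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    for f in "$splitdir"/*.pem; do
        [ -e "$f" ] || break
        # -checkend N succeeds only if the certificate is still valid N seconds from now
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
            echo "$(basename "$f" .pem): $subj"
        fi
    done
    rm -rf "$splitdir"
}

# report -> one line per candidate location with its status and certificate count
report() {
    for p in $CA_CANDIDATES; do
        s=$(ca_store_status "$p")
        printf '%-55s %s' "$p" "$s"
        if [ "$s" = readable ] && [ -f "$p" ]; then
            printf ' (%s certificates)' "$(count_pem_certs "$p")"
            # anything expired right now is a candidate for the 'Uncheckable' signature
            expired=$(certs_expiring_within "$p" 0)
            [ -n "$expired" ] && printf ' EXPIRED: %s' "$expired"
        fi
        printf '\n'
    done
}

case "${1-}" in --report) report ;; esac
```

Run it as `sh check_ca_store.sh --report` from the account that runs claws-mail. A `readable` bundle with a sensible certificate count and no `EXPIRED` entries rules out the permission problem described above, which leaves an expired intermediate sent by the server, or a genuinely forged certificate, as the remaining explanations.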