
certificate verification failed for Gmail


Steven Woody

Jan 13, 2006, 10:13:10 AM

I've configured postfix (according to the tutorial at
http://freshmeat.net/articles/view/1673/) to work with the gmail SASL smtp
server. But these days I found something suspicious in my maillog, as listed
below (though the mail can still be sent out):

Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=21:unable to verify the first certificate
Jan 9 22:39:38 narke postfix/smtp[2573]: Server certificate could not be verified

and here is the relevant stuff in my main.cf:

## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

## SASL Settings
# This is going into THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd

Can anyone please help me point out what's going wrong here? Thanks.


--
steven woody (id: narke)

Celine: Well, who says relationships have to last forever?

- Before Sunrise (1995)
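The detail in the post that deserves a second look is that the mail "can still be sent out" despite four verification errors in the log. With the settings shown (smtp_use_tls = yes) the Postfix SMTP client does opportunistic TLS: it verifies the server certificate, logs the result, and delivers regardless. Verification only has teeth once TLS is made mandatory. The fragment below is an added example, not part of the thread or of the freshmeat tutorial it follows; it keeps the poster's smtp_tls_CAfile value, and the relayhost value is assumed rather than taken from the thread.

```conf
# Added example, not from the thread. Only the parameters that change the
# policy are shown; the relayhost value is an assumption.

# As posted: opportunistic TLS. A failed verification is logged as
# "Server certificate could not be verified" and the mail is sent anyway.
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem

# Enforced, with the Postfix 2.2 parameter names the thread uses: a server
# that offers no STARTTLS, presents a certificate that does not chain to a
# root in smtp_tls_CAfile, or whose name does not match, now gets the mail
# deferred instead of delivered.
relayhost = [smtp.gmail.com]:587
smtp_enforce_tls = yes
smtp_tls_enforce_peername = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem

# The same policy with the parameter names introduced in Postfix 2.3
# (smtp_use_tls and smtp_enforce_tls are obsolete there). "secure" requires
# a verified chain and a certificate name matching the relayhost.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/cacert.pem
```

Either enforced form turns the log lines above from a warning into a delivery failure, which is what you want when the relay carries your authentication credentials: with opportunistic TLS, a man in the middle who presents any certificate at all still gets the SASL login.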

Victor Duchovni

Jan 13, 2006, 11:46:57 AM
On Fri, Jan 13, 2006 at 11:13:10PM +0800, Steven Woody wrote:

>
> i've configured postfix ( acording to the tutorial at
> http://freshmeat.net/articles/view/1673/ ) to work with gmail SASL smtp
> server. but these days, i found something suspicious in my maillog as listed
> below, ( thought the mail can still be sent out )
>
> Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate

> smtp_tls_CAfile = /etc/postfix/cacert.pem


>
> can anyone please help me to point out what's wroing going here ? thanks.

The cacert.pem file does not contain the root CA certificate that signed
gmail's server certificate.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majo...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Victor Duchovni

Jan 13, 2006, 1:51:21 PM
On Fri, Jan 13, 2006 at 11:46:57AM -0500, Victor Duchovni wrote:

> On Fri, Jan 13, 2006 at 11:13:10PM +0800, Steven Woody wrote:
>
> >
> > i've configured postfix ( acording to the tutorial at
> > http://freshmeat.net/articles/view/1673/ ) to work with gmail SASL smtp
> > server. but these days, i found something suspicious in my maillog as listed
> > below, ( thought the mail can still be sent out )
> >
> > Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
>
> > smtp_tls_CAfile = /etc/postfix/cacert.pem
> >
> > can anyone please help me to point out what's wroing going here ? thanks.
>
> The cacert.pem file does not contain the root CA certificate that signed
> gmail's server certificate.
>

Specifically:

Version: 3 (0x2)
Serial Number: 4185806 (0x3fdece)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
OU=Certification Services Division,
CN=Thawte Premium Server CA/emailAddress=premium...@thawte.com
Validity
Not Before: Sep 5 08:59:02 2005 GMT
Not After : Sep 5 08:59:02 2006 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc,
CN=smtp.gmail.com
...

So you need the Thawte Premium Server root CA certificate.

https://www.verisign.com/support/roots.html

Steven Woody

Jan 13, 2006, 7:34:58 PM
Victor Duchovni <Victor....@MorganStanley.com> writes:

> On Fri, Jan 13, 2006 at 11:46:57AM -0500, Victor Duchovni wrote:
>
>> On Fri, Jan 13, 2006 at 11:13:10PM +0800, Steven Woody wrote:
>>
>> >

>> > i've configured postfix ( acording to the tutorial at
>> > http://freshmeat.net/articles/view/1673/ ) to work with gmail SASL smtp
>> > server. but these days, i found something suspicious in my maillog as listed
>> > below, ( thought the mail can still be sent out )
>> >
>> > Jan 9 22:39:38 narke postfix/smtp[2573]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
>>

>> > smtp_tls_CAfile = /etc/postfix/cacert.pem


>> >
>> > can anyone please help me to point out what's wroing going here ? thanks.
>>

>> The cacert.pem file does not contain the root CA certificate that signed
>> gmail's server certificate.
>>
>
> Specifically:
>
> Version: 3 (0x2)
> Serial Number: 4185806 (0x3fdece)
> Signature Algorithm: md5WithRSAEncryption
> Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc,
> OU=Certification Services Division,
> CN=Thawte Premium Server CA/emailAddress=premium...@thawte.com
> Validity
> Not Before: Sep 5 08:59:02 2005 GMT
> Not After : Sep 5 08:59:02 2006 GMT
> Subject: C=US, ST=California, L=Mountain View, O=Google Inc,
> CN=smtp.gmail.com
> ...
>
> So you need the Thawte Premium Server root CA certificate.
>
> https://www.verisign.com/support/roots.html

The page you mentioned no longer exists. Would you tell me what I need to
do to get the root CA? Is it free? Thanks.

-
woody

Noel Jones

Jan 13, 2006, 11:44:26 PM
At 06:34 PM 1/13/2006, Steven Woody wrote:

>Victor Duchovni <Victor....@MorganStanley.com> writes:
> >
> > Version: 3 (0x2)
> > Serial Number: 4185806 (0x3fdece)
> > Signature Algorithm: md5WithRSAEncryption
> > Issuer: C=ZA, ST=Western Cape, L=Cape Town,
> O=Thawte Consulting cc,
> > OU=Certification Services Division,
> > CN=Thawte Premium Server
> CA/emailAddress=premium...@thawte.com
> > Validity
> > Not Before: Sep 5 08:59:02 2005 GMT
> > Not After : Sep 5 08:59:02 2006 GMT
> > Subject: C=US, ST=California, L=Mountain View,
> O=Google Inc,
> > CN=smtp.gmail.com
> > ...
> >
> > So you need the Thawte Premium Server root CA certificate.
> >
> > https://www.verisign.com/support/roots.html
>
>the page you mentioned is no longer exists. whould you
>tell me what i need to
>do for getting the root CA ? is that free? thanks.


It's free when you can find it. This looks promising...
http://www.thawte.com/roots/
or this page has links like "download root certificate"
http://www.verisign.com/repository/index.html

Or your OS may provide a CA root certificates package; for
example FreeBSD has a "ca-roots" ports package.

--
Noel Jones

Steven Woody

Jan 14, 2006, 1:09:37 AM
Noel Jones <njo...@megan.vbhcs.org> writes:

Thanks, I've got the roots.zip from the download page. But as I have no
experience in the field, would you please tell me how to use it?

Victor Duchovni

Jan 14, 2006, 11:21:37 AM
On Sat, Jan 14, 2006 at 02:09:37PM +0800, Steven Woody wrote:

> thanks, i've got the roots.zip from the download page. but, for i have no
> experience in the field. would you please tell me how to use it?
>

$ unzip -j roots.zip
$ openssl x509 -inform der -in ThawtePremiumServerCA.cer -out ThawtePremiumServerCA.pem

Then append "ThawtePremiumServerCA.pem" to your CA certificate file. If
you use a CApath instead, just copy ThawtePremiumServerCA.pem there,
and run "c_rehash /your/capath/directory" (not literal).

Steven Woody

Jan 14, 2006, 12:12:46 PM
Victor Duchovni <Victor....@MorganStanley.com> writes:

> On Sat, Jan 14, 2006 at 02:09:37PM +0800, Steven Woody wrote:
>
>> thanks, i've got the roots.zip from the download page. but, for i have no
>> experience in the field. would you please tell me how to use it?
>>
>
> $ unzip -j roots.zip
> $ openssl x509 -inform der -in ThawtePremiumServerCA.cer -out
> ThawtePremiumServerCA.pem
>

I did exactly so, and got an error:

bad input format specified for Certificate
unable to load certificate.

What's wrong here?

--
steven woody (id: narke)

Pepper...is hot and scorches, just like the sun

- Politiki kouzina (2003)

Victor Duchovni

Jan 14, 2006, 12:30:54 PM
On Sun, Jan 15, 2006 at 01:12:46AM +0800, Steven Woody wrote:

> Victor Duchovni <Victor....@MorganStanley.com> writes:
>
> > On Sat, Jan 14, 2006 at 02:09:37PM +0800, Steven Woody wrote:
> >
> >> thanks, i've got the roots.zip from the download page. but, for i have no
> >> experience in the field. would you please tell me how to use it?
> >>
> >
> > $ unzip -j roots.zip
> > $ openssl x509 -inform der -in ThawtePremiumServerCA.cer -out
> > ThawtePremiumServerCA.pem
> >
>
> i did exactly so, and got an error:
>
> bad input format specified for Certificate
> unable to load certificate.
>

The x509 command should be entirely on one line. Please don't report errors
out of context. What command failed to load the certificate (cut/paste
with no changes)? What are the files extracted by the "unzip -j" command?
Is the ThawtePremiumServerCA.cer file among them? Is unzip mangling the
files (dos -> unix CRLF conversion)?
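To close the loop on the procedure in this thread (extract the root, convert DER to PEM, append it to the CAfile or drop it into a CApath and rehash) and on the "bad input format specified for Certificate" error, here is an added example that is not code from the thread. It builds a throwaway root CA and a leaf certificate signed by it, reproduces the "unable to get local issuer certificate" failure against a bundle that lacks that root, applies both of Victor's fixes, and converts a .cer file whether it holds DER or PEM. It assumes openssl 1.1.1 or newer in PATH; the CA names, the hostname smtp.example.test and all file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the Postfix
# "num=20:unable to get local issuer certificate" condition with a throwaway
# CA, applies the two fixes from the thread (append the root to the CAfile,
# or put it in a CApath with a hash link), and converts a .cer the way the
# thread does, falling back to PEM when the file is already PEM.
# Assumptions: openssl 1.1.1+ in PATH; every name and file here is made up.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed CA carrying the extensions a real root has.
make_root() {   # make_root <CN> <out-prefix>
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 2 -sha256 -subj "/O=Example/CN=$1" \
    -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Stand-ins for the thread's "Thawte Premium Server CA" and the smtp.gmail.com
# certificate, plus an unrelated root to play the poster's incomplete cacert.pem.
make_chain() {
  make_root "tinyroot CA" "$WORK/root"
  make_root "some other CA" "$WORK/decoy"
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example/CN=smtp.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/leaf.pem" 2>/dev/null
  # DER copy of the root, like the .cer files inside roots.zip
  openssl x509 -in "$WORK/root.pem" -outform der -out "$WORK/root.cer"
}

# Convert a CA certificate to PEM. roots.zip ships DER .cer files, but some
# vendors ship PEM under the same extension, and feeding PEM to "-inform der"
# is one way to get "bad input format specified for Certificate": sniff first.
to_pem() {   # to_pem <in> <out>
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    openssl x509 -inform pem -in "$1" -out "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Verify the leaf against ONLY the given CA file / directory. The exit status
# mirrors what the Postfix SMTP client saw: 0 verified, non-zero not.
verify_with_cafile() { openssl verify -no-CApath -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -no-CAfile -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }

# Fix 1, smtp_tls_CAfile: append the converted root to the bundle.
fix_cafile() {   # fix_cafile <bundle>
  to_pem "$WORK/root.cer" "$WORK/root-from-der.pem"
  cat "$WORK/root-from-der.pem" >> "$1"
}

# Fix 2, smtp_tls_CApath: drop the PEM in and create the <subject_hash>.0
# link that c_rehash (or "openssl rehash", 1.1.0+) would create for it.
fix_capath() {   # fix_capath <dir>
  mkdir -p "$1"
  to_pem "$WORK/root.cer" "$1/tinyroot.pem"
  h=$(openssl x509 -noout -subject_hash -in "$1/tinyroot.pem")
  ln -sf tinyroot.pem "$1/$h.0"
}

make_chain
cp "$WORK/decoy.pem" "$WORK/cacert.pem"   # a bundle that lacks the issuing root
if verify_with_cafile "$WORK/cacert.pem"; then
  echo "unexpected: verified without the issuing root"
else
  echo "before: verification fails, the issuer is not in the CAfile"
fi
fix_cafile "$WORK/cacert.pem"
verify_with_cafile "$WORK/cacert.pem" && echo "after fix 1 (CAfile): verified"
fix_capath "$WORK/capath"
verify_with_capath "$WORK/capath" && echo "after fix 2 (CApath + hash link): verified"
cp "$WORK/root.pem" "$WORK/pemroot.cer"   # PEM content behind a .cer name
to_pem "$WORK/pemroot.cer" "$WORK/pemroot.pem" && echo "PEM-in-.cer converted too"
```

Run it with sh; set WORK to keep the scratch directory. Two caveats for the real thing: the hash link uses the subject hash that OpenSSL 1.0.0 and later compute, while the 0.9.x builds of this thread's era used what is now `-subject_hash_old` (c_rehash on 1.0.0+ writes both names). And Noel's remark about an OS package is the usual answer today: point smtp_tls_CAfile at the distribution bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-derived systems) rather than curating cacert.pem by hand, so root rollovers arrive with package updates instead of as surprise log lines.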
