Adding new CA certificates in Ubuntu (Jaunty)

A quick tip. I couldn’t find this from a quick search when I really needed it.

The problem - command line programs like fetchmail use the system wide openssl CA certificates to verify the authenticity of the server certificates they are provided when they connect to an SSL server like POP3 or IMAP.

Sometimes, you will have providers like Dreamhost, who will get smart and ditch the atrocious certificate issuing set up we have right now, and give you a self-signed certificate to verify their servers.

So fetchmail will, for example, belch out this error message every time they connect to Dreamhost’s mail servers:

$ fetchmail -v --nosyslog
fetchmail: 6.3.9-rc2 querying homie.mail.dreamhost.com (protocol POP3) at Saturday 08 August 2009 02:12:28 AM IST: poll started
Trying to connect to 208.97.132.208/995...connected.
fetchmail: Issuer Organization: New Dream Network, LLC
fetchmail: Issuer CommonName: New Dream Network Certificate Authority
fetchmail: Server CommonName: *.mail.dreamhost.com
fetchmail: homie.mail.dreamhost.com key fingerprint: 17:F7:F2:FF:4A:9D:C3:D3:2B:8A:E9:12:47:C4:A4:28
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

While you can mostly ignore this (Dreamhost itself says they don’t care much about the “chain of trust” - all they care about is the encryption), you might want to be a little more careful and use the “sslcertck” keyword while connecting to your mail servers. This keyword will force fetchmail to only attempt fetching the mail if the issuer of the server certificate strictly matches a CA in your local CA certificates.

Note that this strict certificate check is going to be the default setting in fetchmail any day now. So you might want to pay more attention to these fetchmail warnings right now before they bite you later.

Dreamhost provides the CA certificate which issues their server SSL certificates here.

Installing this in Ubuntu was pretty simple once you know the program involved. So while this example is about Dreamhost, you can similarly install any CA certificates (even your own).

Note: While the steps below work, they are not the recommended way to add CA certificates in Ubuntu. Please see the update at the bottom of the post for the recommended steps.

Steps are:

  1. Create a directory for the issuer under /usr/share/ca-certificates/.

    mkdir /usr/share/ca-certificates/dreamhost

  2. Copy the CA certificate file into this directory. Use this directory to consolidate all the CA certificates of the common entity.

    sudo cp ~/ndn.ca.crt /usr/share/ca-certificates/dreamhost

  3. Update the CA certificate hash symlinks used by openssl. This will open a text dialog asking you to confirm the CA certificates to be marked as trusted. Out of the box, a typical modern Linux distro would have a long list of certificates which would already be marked as trusted. You have to search for the authority you just copied (it would be unmarked), mark it and select OK.

    sudo dpkg-reconfigure ca-certificates

That is it! Next time your run fetchmail, the CA warnings should have gone.

Note that GUI programs like Firefox and Thunderbird have their own CA storages and therefore their own process of adding CA certificates. Modern versions of these programs make it pretty easy to add them using a just a few clicks. This post was about installing them for mostly CLI based programs like fetchmail.

Another note, it seems that on Ubuntu, Postfix needs the config parameters smtp_tls_CApath and smtpd_tls_CApath to be set to /etc/ssl/certs to verify server and client certificates respectively.


UPDATE: Thanks to the commenter below, I would like to present the right way to add CA certificates in your system. These steps are taken from /usr/share/doc/ca-certificates/README.Debian.

  1. Put CA certificates in /usr/local/share/ca-certificates/, and NOT the system directory /usr/share/ca-certificates/.
  2. Instead of running dpkg-reconfigure like I mentioned earlier which is unnecessary, run update-ca-certificates to update the compiled list of CA certificates.
 
comments powered by Disqus