Luckily, OSX to the rescue. I've started using OS X as my primary desktop platform for 100% of my duties. This includes email so I need my mail client of preference: pine. For the last bunch of years I've just been using Fedora which has had alpine (and Dag had pine for RHEL in the pre-alpine days.. thanks Dag!). Even when I was using a Mac in the past, I'd ssh over to the Linux box to use pine because it was easier. Now, I'm not ditching Linux, but I am trying some different workflows and working methods out as part of my new job.
So I installed pine with MacPorts, which also installed a MacPorts version of OpenSSL, which also does not come with a default ca-bundle.crt. This causes alpine (and/or most SSL apps in MacPorts) to complain LOUDLY about not being able to validate the cert as trusted. Worse is that, after poking at pine with dtrace, it was using what I think is a very linuxy version of the ca-bundle.crt (e.g. /opt/local/etc/openssl/cert.pem instead.. ha!).
So to fix (after a few hours of poking around... this stuff is not well documented) do something akin to the following:
- Grab the mk-ca-bundle.pl script from the fine folks at cURL.
- This script is Perl, and needs LWP. I'm assuming you're using MacPorts, so:
  sudo port install p5-libwww-perl
- Run mk-ca-bundle.pl
- sudo -s
- cd /opt/local/etc/openssl
- mkdir certs
- cp /path/to/generated/ca-bundle.crt certs/ca-bundle.pem
- ln -s certs/ca-bundle.pem cert.pem
- cd certs
- c_rehash .
- ln -s ca-bundle.pem ca-bundle.crt
You'll also note that I rename the bundle with a .pem extension and then make a symlink for the .crt pointing at the .pem. I do this mainly because I'm kind of anal.. the ca-bundle.crt that is generated by mk-ca-bundle.pl is full of PEM formatted CA certs, as openssl expects. So I like to be extra descriptive about what exactly the file is, but lots of stuff seems to maybe expect a ca-bundle.crt as well.
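To confirm the layout built by the steps above before pointing a mail client at it, a check like the following can be run afterwards. It is an added example, not part of the original post: the function name check_ca_layout is hypothetical, and it assumes the MacPorts path /opt/local/etc/openssl used above.

```shell
#!/bin/sh
# Added example (not from the original post): verify the trust-store layout
# produced by the steps above. Pure POSIX sh; does not call openssl.
# Usage: check_ca_layout [/opt/local/etc/openssl]
check_ca_layout() {
    dir=${1:-/opt/local/etc/openssl}      # MacPorts OpenSSL directory from the post
    bundle="$dir/certs/ca-bundle.pem"

    # 1. The bundle must exist and be non-empty.
    [ -f "$bundle" ] && [ -s "$bundle" ] || {
        echo "FAIL: missing or empty $bundle"; return 1; }

    # 2. Every certificate must be a complete PEM block (a truncated download
    #    leaves a BEGIN line with no matching END line).
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || {
        echo "FAIL: $begins BEGIN vs $ends END markers in $bundle"; return 1; }

    # 3. Both symlinks must resolve (not dangle) and point at the same content.
    for link in "$dir/cert.pem" "$dir/certs/ca-bundle.crt"; do
        [ -f "$link" ] && cmp -s "$link" "$bundle" || {
            echo "FAIL: $link is dangling or differs from $bundle"; return 1; }
    done

    # 4. Trust anchors must not be writable by other users.
    ww=$(find "$dir/certs" "$bundle" -prune -perm -002 2>/dev/null || true)
    [ -z "$ww" ] || { echo "FAIL: world-writable: $ww"; return 1; }

    echo "ok: $begins certificate(s) in $bundle"
}
```

The function returns non-zero and prints the first failing check, so it can be dropped into a login script or run again after regenerating the bundle.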
Sigh. Security needs to be easier than this.