Auteur: Juergen Edner Date: À: exim-users Sujet: Re: [exim] Ignoring SSL-Errors on self signed certificates
Hello Luca,
> All works as expected, but the Servers have just self signed
> certificates and when the second Server sends an E-Mail I always get
> this warning:
>
> SSL verify error: depth=0 error=self signed certificate
> cert=/C=DE/ST=Sachsen/L=Dresden/O=Luca
> Bertoncello/CN=*.lucabert.de/emailAddress=webmaster@???
>
> This is normal, of course, but I'd like to suppress this warning, in
> order to have a cleaner log.
why is it normal to get a SSL verification error when using
a self signed certificate?
A self-signed certificate is not that different from official
certificates. You have to make sure that the certificate chain
of the self-signed certificate can be verified.
This can easily been done by copying the CA root certificate,
which you have used to sign your server certificate, to the
same directory on your server where OpenSSL searches it and
where all your certificates resist in .pem format.
(usually the certs directory unter the ssl_path in openssl.cnf)
Next you have to make sure that the certificate hashes are
created in the same directory by running the OpenSSL c_rehash
script.
This should allow OpenSSL to check the certificate chain
by generating the hash over the certificate issuer line and
finding the appropriate root certificate by following the
symbolic hash link created before.