"TLS certificate verification failed" when trying to set up msmtp after updating to Nabia

2 respostas [Última entrada]
Staircase
Desconectado
Joined: 02/24/2022

Hello,

I am trying to set up msmtp with Neomutt but certificate verification failed.

user@laptop:~$ msmtp -S
msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown

I understand that the issue is not related to msmtp or Trisquel.

Like suggested here by Magic Banana and here by jxself, I substituted every "https" in /etc/apt/sources.list for "http" and then try to upgrade by running:

$ sudo sed -i s/https/http/ /etc/apt/sources.list

$ sudo apt update

$ sudo apt upgrade

$ sudo do-release-upgrade

And then reversed the substitution of every "http" for "https" in /etc/apt/sources.list

Now "$ lsb_release -a" prints out:


No LSB modules are available.
Distributor ID: Trisquel
Description: Trisquel GNU/Linux Nabia (10.0)
Release: 10.0
Codename: nabia

"$ apt list -a ca-certificates" prints out:


Listing... Done
ca-certificates/nabia,nabia,nabia-security,nabia-security,now 20210119~20.04.2+10.0trisquel1 all [installed]
ca-certificates/nabia-security,nabia-security 20201027ubuntu0.20.04.1+10.0trisquel1 all
ca-certificates/nabia-updates,nabia-updates 20201027ubuntu0.20.04.1 all

but I still get a certificate failure when I try to set up msmtp.

What can I try to fix this issue?

Let me know if you need additional information from my end.

Thank you.

Magic Banana

I am a member!

I am a translator!

Desconectado
Joined: 07/24/2010

Your issue does not deal with the certificate of Trisquel's server but with that of the SMTP server. You need to read https://marlam.de/msmtp/documentation/ to understand how to make msmtp trust the certificate of your SMTP server.

Staircase
Desconectado
Joined: 02/24/2022

Thank you Magic Banana.

I substituted tls_trust_file for tls_fingerprint as suggested on p.24:

# As an alternative to tls_trust_file, you can use tls_fingerprint
# to pin a single certificate. You have to update the fingerprint when the
# server certificate changes, but an attacker cannot trick you into accepting
# a fraudulent certificate. Get the fingerprint with
# $ msmtp --serverinfo --tls --tls-certcheck=off --host=smtp.freemail.example
#tls_fingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

By the way, while I am here, I would like to say "thank you". I have started using Trisquel a few months ago, and the discussions and answers on this forum have been very helpful in helping me transition from MacOS to Trisquel GNU/Linux and find my around the system.