smtp.gmail.com from bash gives "Error in certificate: Peer's certificate issuer is not recognized."

I needed my script to email admin if there is a problem, and the company only uses Gmail. Following a few posts' instructions I was able to set up mailx using a .mailrc file. There was first the error of nss-config-dir; I solved that by copying some .db files from a Firefox directory to ./certs and pointing to it in .mailrc. A mail was sent.

However, the error above came up. By some miracle, there was a Google certificate in the .db. It showed up with this command:

~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GeoTrust SSL CA                                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
Microsoft Internet Authority                                 ,,
VeriSign Class 3 Extended Validation SSL CA                  ,,
Akamai Subordinate CA 3                                      ,,
MSIT Machine Auth CA 2                                       ,,
Google Internet Authority                                    ,,

Most likely, it can be ignored, because the mail worked anyway. Finally, after pulling some hair and many googles, I found out how to rid myself of the annoyance.

First, export the existing certificate to an ASCII file:

~]$ certutil -L -n 'Google Internet Authority'  -d certs -a > google.cert.asc

Now re-import that file, and mark it as trusted for SSL certificates, a la:

~]$ certutil -A -t "C,," -n 'Google Internet Authority'  -d certs -i google.cert.asc

After this, listing shows it trusted:

~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
...
Google Internet Authority                                    C,,

And mailx sends out with no hitch.

~]$ /bin/mailx -A gmail -s "Whadda ya no" [email protected]
ho ho ho
EOT
~]$

I hope it is helpful to someone looking to be done with the error.

Also, I am curious about some things.

How could I get this certificate, if it were not in the Mozilla database by chance? Is there, for instance, something like this?

    ~]$ certutil -A -t "C,," \
                 -n 'gmail.com'  \
                 -d certs \
                 -i 'http://google.com/cert/this...'

Solution 1:

Well it is not the one liner I wanted, but this is how to fetch and import a certificate from scratch:

# Create a certificate directory
~]$ mkdir certs

# Create a new database in the certs dir
~]$ certutil -N -d certs 

# Need now a chain certificate - May 18, 2015
~]$ wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer

# Need now a chain certificate part 2 - May 18, 2015
~]$ mv GeoTrust_Global_CA.cer certs/

# Fetch the certificate from Gmail, saving in the text file GMAILCERT
# Added the CA option - May 18, 2015
~]$ echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT

# Import the new cert file into the new database in the new dir
~]$ certutil -A -n "Google Internet Authority" -t "C,," -d certs -i GMAILCERT 

# Double Check
~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority                                    C,,  

Yaa! And thanks to the answer on this ticket.

Solution 2:

This post needs to be updated again. I was having trouble with my mailx install on my CentOS 7 box. Mail would send but I was still receiving the "Error in certificate: Peer's certificate issuer is not recognized." error.

I found the solution here, had to translate it though.

Here is a quick way to do it:

# Create a certificate directory
mkdir ~/.certs

# Create a new database in the certs dir (don't forget to enter your pass phrase!)
certutil -N -d ~/.certs 

# Create three files for the cert chain
touch ~/.certs/google ~/.certs/geotrust ~/.certs/equifax

# Copy the cert chain for smtp.gmail.com:465 over to my_certs file (don't forget the -showcerts option, CTRL + C to end this command)
openssl s_client -showcerts -connect smtp.gmail.com:465 > ~/.certs/my_certs

Now copy each certificate including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- and paste them into their respective files you created earlier (google, geotrust, equifax) and now save those files.

# Open your my_certs file you made earlier and copy the google cert (usually the first one)
nano ~/.certs/my_certs

# Open your google file, paste the google cert that you just copied, and save and close
nano ~/.certs/google

# Open your my_certs file you made earlier and copy the geotrust cert (usually the second one)
nano ~/.certs/my_certs

# Open your geotrust file, paste the geotrust cert that you just copied, and save and close
nano ~/.certs/geotrust

# Open your my_certs file you made earlier and copy the equifax cert (usually the third one)
nano ~/.certs/my_certs

# Open your equifax file, paste the equifax cert that you just copied, and save and close
nano ~/.certs/equifax

Now we have to import each of these certs into the db.

# Import the google cert into the db
certutil -A -n "Google Internet Authority" -t "TC,," -d ~/.certs -i ~/.certs/google

# Import the geotrust cert into the db
certutil -A -n "GeoTrust Global CA" -t "TC,," -d ~/.certs -i ~/.certs/geotrust

# Import the equifax cert into the db
certutil -A -n "Equifax Secure Certificate Authority" -t "TCP,," -d ~/.certs -i ~/.certs/equifax

# Double check to make sure everything imported correctly into the db
certutil -L -d ~/.certs

Example output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority                                    CT,,
GeoTrust Global CA                                           CT,,
Equifax Secure Certificate Authority                         CT,,

Clean up time (optional)

# Remove all unnecessary files since the db has the certs :)
rm -rf ~/.certs/google ~/.certs/geotrust ~/.certs/equifax ~/.certs/my_certs

# Now run a test to make sure mailx is sending correctly now (don't forget to change [email protected] to the email address you'd like to send to)
echo "Your message" | mail -s "Message Subject" [email protected]

That should be it; you shouldn't receive the "Error in certificate: Peer's certificate issuer is not recognized." error any more!

Notes:

You might have noticed that I changed the dir from /certs to ~/.certs. mailx runs as root so I just made these changes as root. "~/" means the HOME directory; put it all together and ~/.certs means /root/.certs/. I'm sure you knew that but hey, just in case, you never know who might be reading this!

Just in case you need this, here are the configuration options I added to the bottom of /etc/mail.rc:

# /etc/mail.rc options added to the bottom
set smtp-use-starttls
set smtp-auth=login
set smtp=smtp://smtp.gmail.com:587
set from="[email protected](Web01 Server)"
set [email protected]
set smtp-auth-password=your.pass
set ssl-verify=ignore
set nss-config-dir=/root/.certs

Make sure to change your.from.user, your.smtp.user, and your.pass to their respective variables.
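Added example, not code from either answer: a POSIX shell script that automates what Solution 1 and Solution 2 do by hand, fetching the chain with openssl s_client -showcerts, splitting it into one file per certificate instead of the nano copy-and-paste, and importing each into the NSS database with certutil. fetch_chain assumes network access and import_chain assumes openssl and certutil are installed; the sample bundle is constructed and its certificate bodies are placeholders.

```shell
#!/bin/sh
# Added example, not code from either answer: automate the "copy each cert into
# its own file and import it" steps. fetch_chain needs network access and
# import_chain needs openssl and certutil; split_chain and the constructed
# sample bundle below run anywhere.

# fetch_chain HOST PORT OUTFILE: save the full server chain (the stdin
# redirect ends the session, so no CTRL+C is needed).
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$1:$2" \
        < /dev/null > "$3" 2> /dev/null
}

# split_chain BUNDLE OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ... in the
# order the server sent them (leaf first) and print the number found.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_chain DBDIR OUTDIR: import each split certificate under its subject
# CN as nickname, using the same "C,," SSL-CA trust flag the answers use.
import_chain() {
    for pem in "$2"/cert-*.pem; do
        nick=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" \
               | sed 's/.*CN=\([^,]*\).*/\1/')
        certutil -A -d "$1" -n "$nick" -t "C,," -i "$pem"
    done
    certutil -L -d "$1"
}

# make_sample_bundle FILE: constructed stand-in for s_client -showcerts
# output; the base64 bodies are placeholders, not real certificates.
make_sample_bundle() {
    {
        echo 'CONNECTED(00000003)'
        for i in 1 2 3; do
            echo " $i s:CN = placeholder-cert-$i"
            echo '-----BEGIN CERTIFICATE-----'
            echo "UExBQ0VIT0xERVIgQ0VSVCAk${i}"
            echo '-----END CERTIFICATE-----'
        done
        echo 'Verify return code: 0 (ok)'
    } > "$1"
}
```

Note that `set ssl-verify=ignore` in the mail.rc above tells mailx to continue on any certificate validation error, so the imported chain is only enforced with `ssl-verify=strict` (or `warn`, which logs the failure but still sends).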