Monday, July 11, 2011

Certificate fingerprints

If you have self signed certs, you may run across some programs that require you to include the fingerprint of the remote server cert somewhere in your config.
An example application is mercurial (as shown below):
$ hg clone
abort: error: _ssl.c:497: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The fix is easy:
Get the server certificate fingerprint (sha1 fingerprint of certificate)

$ echo quit |openssl s_client  2>/dev/null|awk '/---BEG/,/--END/' |openssl x509 -fingerprint -noout
SHA1 Fingerprint=69:C7:E4:E7:10:F8:8F:19:F9:5D:92:F3:8D:EC:CF:4F:7B:3E:04:0A

Then edit your ~/.hgrc
 [hostfingerprints] = 69:C7:E4:E7:10:F8:8F:19:F9:5D:92:F3:8D:EC:CF:4F:7B:3E:04:0A                                            
That should fix things up.

Same thing can be done for fetchmail:

$ echo quit |openssl s_client -connect -starttls imap 2>/dev/null|awk '/---BEG/,/--END/' |openssl x509 -md5 -fingerprint -noout
MD5 Fingerprint=AA:87:67:1A:21:16:50:57:3F:6C:D0:C8:E8:02:19:7C

then fixing your ~/.fetchmailrc
poll protocol imap
        user "user1" password "somepass123"       
        sslfingerprint  "AA:87:67:1A:21:16:50:57:3F:6C:D0:C8:E8:02:19:7C"                                                    
        mda "/usr/bin/procmail -d %T "

No comments:

Post a Comment