smtp.gmail.com from bash gives "Certificate error: Peer's certificate issuer is not recognized."

nda*_*ers 12 ssl bash gmail

I need my script to email an admin if something goes wrong, and the company only uses Gmail. Following some posts, I was able to set up mailx with a .mailrc file. First there was an nss-config-dir error, which I solved by copying some .db files from the firefox directory to ./certs and pointing mailrc at it. A mail went out.

However, the error above appeared. Miraculously, there is a Google certificate in the .db. It shows up with this command:

~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

GeoTrust SSL CA                                              ,,
VeriSign Class 3 Secure Server CA - G3                       ,,
Microsoft Internet Authority                                 ,,
VeriSign Class 3 Extended Validation SSL CA                  ,,
Akamai Subordinate CA 3                                      ,,
MSIT Machine Auth CA 2                                       ,,
Google Internet Authority                                    ,,

Most likely it can be ignored, since mail works anyway. Finally, after pulling some hair and a lot of googling, I found how to get rid of the annoyance.

First, export the existing certificate to an ASCII file:

~]$ certutil -L -n 'Google Internet Authority'  -d certs -a > google.cert.asc

Now re-import that file, marking it as a trusted SSL certificate, a la:

~]$ certutil -A -t "C,," -n 'Google Internet Authority'  -d certs -i google.cert.asc

After this, the list shows it as trusted:

~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
...
Google Internet Authority                                    C,,

mailx sends without complaint.

~]$ /bin/mailx -A gmail -s "Whadda ya no" somebody@acompany.com
ho ho ho
EOT
~]$

I hope this helps someone looking to resolve the error.

Also, I'm curious about a few things.

If by chance it weren't in the mozilla database, how would I get this certificate? For instance, is there something like this?

    ~]$ certutil -A -t "C,," \
                 -n 'gmail.com'  \
                 -d certs \
                 -i 'http://google.com/cert/this...'

nda*_*ers 13

Well, it's not the one-liner I wanted, but this is how to fetch and import the certificate from scratch:

# Create a certificate directory
~]$ mkdir certs

# Create a new database in the certs dir
~]$ certutil -N -d certs 

# Need now a chain certificate - May 18, 2015
~]$ wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.cer

# Need now a chain certificate part 2 - May 18, 2015
~]$ mv GeoTrust_Global_CA.cer certs/

# Fetch the certificate from Gmail, saving in the text file GMAILCERT
# Added the CA option - May 18, 2015
~]$ echo -n | openssl s_client -connect smtp.gmail.com:465 -CAfile certs/GeoTrust_Global_CA.cer | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > GMAILCERT

# Import the new cert file into the new database in the new dir
~]$ certutil -A -n "Google Internet Authority" -t "C,," -d certs -i GMAILCERT 

# Double Check
~]$ certutil -L -d certs

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority                                    C,,  

Yay! And thanks to the answer on this ticket.


小智 8

This post needs updating again. I had trouble setting up mailx on a CentOS 7 machine. Mail would send, but I still got the "Certificate error: Peer's certificate issuer is not recognized." error.

I found the solution here, but had to translate it.

Here's a quick way to do it:

# Create a certificate directory
mkdir ~/.certs

# Create a new database in the certs dir (dont forget to enter your pass phrase!)
certutil -N -d ~/.certs 

# Create three files for the cert chain
touch ~/.certs/google ~/.certs/geotrust ~/.certs/equifax

# Copy the cert chain for smtp.gmail.com:465 over to the my_certs file (don't forget the -showcerts option, CTRL + C to end this command)
openssl s_client -showcerts -connect smtp.gmail.com:465 > ~/.certs/my_certs

Now copy each certificate, including the --BEGIN CERTIFICATE-- and --END CERTIFICATE-- lines, paste them into the respective files you created earlier (google, geotrust, equifax), and save those files.

# Open your my_certs file you made earlier and copy the google cert (usually the first one)
nano ~/.certs/my_certs

# Open your google file, paste the google cert that you just copied, and save and close
nano ~/.certs/google

# Open your my_certs file you made earlier and copy the geotrust cert (usually the second one)
nano ~/.certs/my_certs

# Open your geotrust file, paste the geotrust cert that you just copied, and save and close
nano ~/.certs/geotrust

# Open your my_certs file you made earlier and copy the equifax cert (usually the third one)
nano ~/.certs/my_certs

# Open your equifax file, paste the equifax cert that you just copied, and save and close
nano ~/.certs/equifax

Now we have to import each of these certificates into the database.

# Import the google cert into the db
certutil -A -n "Google Internet Authority" -t "TC,," -d ~/.certs -i ~/.certs/google

# Import the geotrust cert into the db
certutil -A -n "GeoTrust Global CA" -t "TC,," -d ~/.certs -i ~/.certs/geotrust

# Import the equifax cert into the db
certutil -A -n "Equifax Secure Certificate Authority" -t "TCP,," -d ~/.certs -i ~/.certs/equifax

# Double check to make sure everything imported correctly into the db
certutil -L -d ~/.certs

Sample output:

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Google Internet Authority                                    CT,,
GeoTrust Global CA                                           CT,,
Equifax Secure Certificate Authority                         CT,,

Cleanup time (optional)

# Remove all unnecessary files since the db has the certs :)
rm -rf ~/.certs/google ~/.certs/geotrust ~/.certs/equifax ~/.certs/my_certs

# Now run a test to make sure mailx is sending correctly now (don't forget to change yourname@example.com to the email address you'd like to send to)
echo "Your message" | mail -s "Message Subject" yourname@example.com

That should be it, and you should no longer get the "Certificate error: Peer's certificate issuer is not recognized." error!

Notes:

You may have noticed I changed the dir from /certs to ~/.certs. mailx runs as root, so I just made these changes as root. "~/" means the HOME directory, so put together ~/.certs means /root/.certs/. I'm sure you know this, but hey, just in case; you never know who might read this!

In case you need it, here are the config options I added to the bottom of /etc/mail.rc

# /etc/mail.rc options added to the bottom
set smtp-use-starttls
set smtp-auth=login
set smtp=smtp://smtp.gmail.com:587
set from="your.from.user@gmail.com(Web01 Server)"
set smtp-auth-user=your.smtp.user@gmail.com
set smtp-auth-password=your.pass
set ssl-verify=ignore
set nss-config-dir=/root/.certs

Make sure to change your.from.user, your.smtp.user and your.pass to their respective values.
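The fetch-and-import procedure from the two answers above, automated as an added example that is not code from any of the posters: `split_chain` cuts the `openssl s_client -showcerts` output into one PEM file per certificate (replacing the nano copy/paste step), and `import_chain` loads each into the NSS database with the same certutil flags the answers use. The sample chain is constructed, and `import_chain` assumes openssl and certutil are installed.

```shell
# Constructed sample of `openssl s_client -showcerts` output; the PEM bodies
# are placeholders, not real certificates.
SAMPLE_CHAIN='---
Certificate chain
 0 s:/CN=smtp.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
---'

split_chain() {
    # Reads s_client output on stdin, writes $1/cert-0.pem, cert-1.pem, ...
    # (leaf first, in the order s_client prints them) and prints the count.
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /^-----BEGIN CERTIFICATE-----$/ { f = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > f }
        /^-----END CERTIFICATE-----$/ { close(f); inside = 0; n++ }
        END { print n }'
}

import_chain() {
    # $1 = NSS database dir, $2 = dir holding cert-N.pem. Imports each file
    # with the "C,," trust flags the answers use, nicknamed after its subject
    # CN. Assumes openssl and certutil are installed; not run by demo_split.
    for f in "$2"/cert-*.pem; do
        nick=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 |
               sed -n 's/.*CN=\([^,]*\).*/\1/p')
        certutil -A -d "$1" -n "$nick" -t "C,," -i "$f"
    done
}

demo_split() {
    # Splits the constructed sample; prints "<cert count> <lines in cert-0.pem>".
    dir=$(mktemp -d)
    n=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$dir")
    printf '%s %s\n' "$n" "$(wc -l < "$dir/cert-0.pem" | tr -d ' ')"
    rm -rf "$dir"
}
```

Once the issuer is in the database with those trust flags, verification succeeds on its own, so the `set ssl-verify=ignore` line in mail.rc is no longer needed.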