最近想用mutt体验一下作高手的感觉,发现高手这个虚名真是害人不浅。
引用大家常说的一句话。mutt是一个整合工具,本身的作用并不大。收发都依赖别的程序完成。其实mutt也有一点收发的功能。用mutt -v 看一看有哪些带+号。这些带+号的就说明是有的功能,那些没有的功能就继续怨念吧。 姑且就认为自己的mutt不带收发功能吧。然后我们收发邮件可以分别利用如下一些程序来完成。发送:ssmtp
收取:fetchmail
# 这一句可以起到全局配置的作用,但是对is xxx here这类的不能起作用。
# 多说一点,procmail是一个分发邮件的程序。fetchmail之后邮件可以被发到这个
# MDA(Mail Delivery Agent)上,然后由这个mda去发到对应的地方。(其实就
# 是存到不同的地方,比如可以写一些通配的规则来把相应的收到的邮件归到不同的
# mailbox 文件里去),这个procmail 对于有多个邮箱的人来说,特别有用。
# 注意一下,这里用的是双引用。根据man muttrc的说法,*nix环境中,貌似双引号
# 里面的内容可以被eval一次,而单引号里面的内容就是纯文本了,不会被eval。
defaults mda "/usr/bin/procmail -f %F -d %T"
# 虽然不懂什么意思,看别人写了,咱也写上。
set no bouncemail
# 这里貌似没有什么结束符的概念,每一项之间打些空格就可以了
# IMAP 这个可以小写的。貌似关键字都是大小写不敏感的。
# IMAP 默认是143端口,所以对于那些不按套路来的邮箱,一
# 定要写好他们自己的端口号。
poll 'imap.gmail.com' protocol IMAP port 993
username '[email protected]'
password 'yourpassword'
is king.god here keep ssl
# 对于有多个邮箱的,可以像上面那样再写一份,换成新的邮件服务器的配置就行了。
poll 'pop.mail.yahoo.com' protocol POP3 port 995
username '[email protected]'
password 'yourpassword'
is king.god here keep ssl
好了,这样可以收了,但是有个问题。根据网上流传的说法。收到的邮件默认会被放到/var/spool/mail/$USR这个文件里去。注意看了这个是一个文件!!!不是文件夹!!!这里的$USER是指当前登录的用户名。其实这个文件就是个纯文本,是邮件的原始信息,不是二进制的。用vi/vim打开可以看到内容的。这样所有收到的邮件都会被放到这个文件里面,那么用mutt看的时候,就会所有邮件全挤在一个信箱下面。(mutt里面的信箱就是指的这种包含很多原始邮件内容的纯文本文件。) 看邮件的时候会很不方便,所以我们需要procmail 这个东西来当 MDA(Mail Delivery Agent),由它来把不同的邮箱地址收到的邮件归到不同的地方去。
procmail的配置文件
# 文件路径一般都在 ~/.procmailrc # 这个应该是一个环境变量,不管他了,反正指定好了之后, # 那些信箱文件都在在这个MAILDIR下面。 MAILDIR=$HOME/Mail/ # 这个 :0 好像是能匹配到邮件头部 :0 # 这个正则,写得不好,反正意思到了。 * ^To:(\s*[email protected])|((.*)\<[email protected]\>)|((.*)\"[email protected]\") # 邮件头部符合上面那条正则的邮件都会被放到以下面这个字 # 符串内容为文件名的信箱文件里去 "[email protected]" # 有多个邮箱的可以继续匹配。反正写到自己高兴为止。 :0 * ^To:(\s*[email protected])|((.*)\<[email protected]\>)|((.*)\"[email protected]\") "[email protected]"
已经搞定了,现在用fetchmail -avk试试,应该能看到一大堆的刷屏信息了。暂时还不知道怎么只取下来新的,只会一次全拿下来。
=================================================================
2013-8-29: 解决证书问题
=================================================================
用fetchmail的时候通常会发现一个很讨厌的关于证书的调试信息
写道
fetchmail: 服务器证书验证错误: unable to get local issuer certificate
要解决这个问题,需要把这个域名牵涉到的证书装到cygwin里面。
针对每一个有问题的网站都先用openssl s_client -connect unfixed.domain.com:port -showcerts 观查每一个证书的机构,找到这些机构的证书并装上。
首先是gmail的
openssl s_client -connect imap.gmail.com:993 -showcerts 写道
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKVExoXgABAACEMTANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA0MTUwODQ1MjVaFw0xMzEyMzExNTU4NTBa
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJcFLd/CvEAEYb
PComwfh/VJnV4I0AbErRIBztla7KdaOL3SN8a2lnKKZSkX9fhIMQ8mwCyZ8iWzLG
aXaWr64uChCH2lQNA6O5B/kcLeBfWV51Fwqiq6aRQxpYY7sUqOP03oABRLtBiFOq
wCCLLbkeEcjLuWzzebFk2HX6L++02wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBS3kDe0ZShOJvpTHlTbh4fjZtVf
lDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQA8MCOlbZZGyLz5byFAq6eFhNw74ahaKVW3QeskRkPUI7hkr37Kmoaq8PE9Oosk
lewH6mgDjheUb6DJJhNhnmcgkAvLfyq0fdDKceSwpTbV5xjcKp3/0G0lzKSMxB7C
oOzEcClsFNLx6EP4FsJS1ELJRGbop7xQF8Wz/5mr88HjFw==
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2108 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: 3871AB6D77F7C16A9E8E3307AEEFCB4AB388EFC619813DEED8411D29D2793F02
Session-ID-ctx:
Master-Key: 0FDAA85444D3879A3F8A569A783171A998D01ADAA3AC6C6A7CF5109CF4A67ACB753B5A184D9D53D9C8ADA7F3684B038E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - bc 52 af c7 83 85 57 69-f4 c3 11 a5 de 03 b9 ce .R....Wi........
0010 - 9f f1 ed 2f 05 92 79 f9-34 0c 58 92 35 c2 d1 10 .../..y.4.X.5...
0020 - ec d8 1a 85 fd ae 28 4c-71 df 16 6e 6c 5b db 8e ......(Lq..nl[..
0030 - 3a be b6 42 a0 72 c4 e5-90 a4 7d 5e df 54 2f cf :..B.r....}^.T/.
0040 - 77 23 6c 9d d3 2b c9 ad-c3 21 97 6b 0b 03 16 1c w#l..+...!.k....
0050 - e5 64 87 44 24 a0 0b 8a-18 bc d1 39 e1 7d b2 e2 .d.D$......9.}..
0060 - 95 2f 7f 80 0e 18 a0 8e-c3 bd b4 3f df 5a 3e 19 ./.........?.Z>.
0070 - 05 53 11 94 b5 cd 25 57-aa 51 10 15 c9 a9 c7 80 .S....%W.Q......
0080 - c7 77 6c 56 aa 4f f0 c7-dd 12 d3 5d 38 fd a9 93 .wlV.O.....]8...
0090 - e7 f1 19 93 ....
Start Time: 1377700456
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 114.94.24.194 df3pf18627873pbc.13
-ERR bad command df3pf18627873pbc.13
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIKVExoXgABAACEMTANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMzA0MTUwODQ1MjVaFw0xMzEyMzExNTU4NTBa
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJcFLd/CvEAEYb
PComwfh/VJnV4I0AbErRIBztla7KdaOL3SN8a2lnKKZSkX9fhIMQ8mwCyZ8iWzLG
aXaWr64uChCH2lQNA6O5B/kcLeBfWV51Fwqiq6aRQxpYY7sUqOP03oABRLtBiFOq
wCCLLbkeEcjLuWzzebFk2HX6L++02wIDAQABo4IBUDCCAUwwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBS3kDe0ZShOJvpTHlTbh4fjZtVf
lDAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra42sSJDBbBgNVHR8EVDBSMFCg
TqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dvb2dsZUludGVybmV0QXV0aG9y
aXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNybDBmBggrBgEFBQcBAQRaMFgw
VgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29vZ2xlSW50ZXJu
ZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3J0MAwGA1UdEwEB
/wQCMAAwGAYDVR0RBBEwD4INcG9wLmdtYWlsLmNvbTANBgkqhkiG9w0BAQUFAAOB
gQA8MCOlbZZGyLz5byFAq6eFhNw74ahaKVW3QeskRkPUI7hkr37Kmoaq8PE9Oosk
lewH6mgDjheUb6DJJhNhnmcgkAvLfyq0fdDKceSwpTbV5xjcKp3/0G0lzKSMxB7C
oOzEcClsFNLx6EP4FsJS1ELJRGbop7xQF8Wz/5mr88HjFw==
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDFXfhMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTIxMjEyMTU1ODUwWhcNMTMxMjMxMTU1ODUw
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAfBgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHQ4EFgQUv8Aw
6/VDET5nup6R+/xq2uNrEiQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAvprjecFG+iJsxzEF
ZUNgujFQodUovxOWZshcnDW7fZ7mTlk3zpeVJrGPZzhaDhvuJjIfKqHweFB7gwB+
ARlIjNvrPq86fpVg0NOTawALkSqOUMl3MynBQO+spR7EHcRbADQ/JemfTEh2Ycfl
vZqhEFBfurZkX0eTANq98ZvVfpg=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2108 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: 3871AB6D77F7C16A9E8E3307AEEFCB4AB388EFC619813DEED8411D29D2793F02
Session-ID-ctx:
Master-Key: 0FDAA85444D3879A3F8A569A783171A998D01ADAA3AC6C6A7CF5109CF4A67ACB753B5A184D9D53D9C8ADA7F3684B038E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - bc 52 af c7 83 85 57 69-f4 c3 11 a5 de 03 b9 ce .R....Wi........
0010 - 9f f1 ed 2f 05 92 79 f9-34 0c 58 92 35 c2 d1 10 .../..y.4.X.5...
0020 - ec d8 1a 85 fd ae 28 4c-71 df 16 6e 6c 5b db 8e ......(Lq..nl[..
0030 - 3a be b6 42 a0 72 c4 e5-90 a4 7d 5e df 54 2f cf :..B.r....}^.T/.
0040 - 77 23 6c 9d d3 2b c9 ad-c3 21 97 6b 0b 03 16 1c w#l..+...!.k....
0050 - e5 64 87 44 24 a0 0b 8a-18 bc d1 39 e1 7d b2 e2 .d.D$......9.}..
0060 - 95 2f 7f 80 0e 18 a0 8e-c3 bd b4 3f df 5a 3e 19 ./.........?.Z>.
0070 - 05 53 11 94 b5 cd 25 57-aa 51 10 15 c9 a9 c7 80 .S....%W.Q......
0080 - c7 77 6c 56 aa 4f f0 c7-dd 12 d3 5d 38 fd a9 93 .wlV.O.....]8...
0090 - e7 f1 19 93 ....
Start Time: 1377700456
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 114.94.24.194 df3pf18627873pbc.13
-ERR bad command df3pf18627873pbc.13
再注意fetchmail里面的具体信息
fetmail -v 写道
正在尝试连接至 173.194.79.108/993...已连接。
fetchmail: 服务器证书验证错误: unable to get local issuer certificate
fetchmail: 这意味着根证书(为 /C=US/O=Google Inc/CN=Google Internet Authority 而颁发)不在 CA 证书受信路径处,或是 c_rehash 需要在证书目录下运行。详细信息请查看手册页中的 --sslcertpath 和 --sslcertfile 部分。
fetchmail: 服务器证书验证错误: unable to get local issuer certificate
fetchmail: 这意味着根证书(为 /C=US/O=Google Inc/CN=Google Internet Authority 而颁发)不在 CA 证书受信路径处,或是 c_rehash 需要在证书目录下运行。详细信息请查看手册页中的 --sslcertpath 和 --sslcertfile 部分。
从前面openssl 连接imap.gmail.com:993 的certificate chain来看
Certificate chain 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com i:/C=US/O=Google Inc/CN=Google Internet Authority -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- 1 s:/C=US/O=Google Inc/CN=Google Internet Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
根据众所周知的,证书的认证是自顶向下的,例如从CA向下面颁发证书,子机构再给孙机构颁发证书。其中有三个不同的名字出现,推断他们的关系为: pop.gmail.com -> Google Internet Authority -> Equifax Secure Certificate Authority (箭头方向指向上一级)
估计是因为equifax这个证书不存在,那么找到这个证书应该就行了。
可以在这里下到这个证书: http://www.geotrust.com/resources/root-certificates/index.html提醒一点:fetchmail貌似只认pem格式的证书(实际上是一堆base64编码后的内容)
下载之后放到某位置,例如 ~/.certs/下面。然后
$youname@domain ~ c_rehash .certs/ Doing .certs/ Equifax_Secure_Certificate_Authority.pem => 578d5c04.0然后再启动fetchmail,gmail的警告就不见了。同理去找到yahoo需要的根证书DigiCertHighAssuranceEVRootCA.crt
https://www.digicert.com/digicert-root-certificates.htm 写道
Root Certificates
DigiCert High Assurance EV Root CA Valid until: 10/Nov/2031
Serial #: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Test my browser for this root certificate
Download
DigiCert Assured ID Root CA Valid until: 10/Nov/2031
Serial #: 0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39
Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Test my browser for this root certificate
Download
DigiCert Global Root CA Valid until: 10/Nov/2031
Serial #: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
Thumbprint: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Test my browser for this root certificate
Download
注意下回来的这个crt不是pem格式的。(用文本编辑器打开一看便知)这时用openssl把这个证书转换成pem格式的既可
DigiCert High Assurance EV Root CA Valid until: 10/Nov/2031
Serial #: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
Test my browser for this root certificate
Download
DigiCert Assured ID Root CA Valid until: 10/Nov/2031
Serial #: 0C:E7:E0:E5:17:D8:46:FE:8F:E5:60:FC:1B:F0:30:39
Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Test my browser for this root certificate
Download
DigiCert Global Root CA Valid until: 10/Nov/2031
Serial #: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
Thumbprint: A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
Test my browser for this root certificate
Download
openssl x509 -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem -inform DER -outform PEM下载之后放到某位置,例如 ~/.certs/下面。 inform 和 outform里面的格式是碰运气测出来的,其他地方说是需要先转成DER。然后从DER再转到PEM。反正遇到出错的情况多试几次。
http://forums.novell.com/novell-product-discussions/collaboration/data-synchronizer/ds-mobility-pack/429592-problems-digicert-ssl-certificate.html 写道
Convert crt to der:
openssl x509 -in mobility.crt -out mobility.der -outform DER
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in mobility.der -out mobility.pem
openssl x509 -in mobility.crt -out mobility.der -outform DER
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in mobility.der -out mobility.pem
=====================================================================
更方便的解决证书问题的办法
=====================================================================
如果装了ca-certificate,那么在/usr/ssl/certs/下面存在一个ca-bundle.crt,从名字上看得出来这是一个证书合集。实际上这里面也包含了非常多的证书,没必要到处去下载了。到.fetchmailrc里指定一下
defaults mda "/usr/bin/procmail -f %F -d %T" sslcertck sslcertfile /usr/ssl/certs/ca-bundle.crt
这样里面每一个poll都会去ca-bundle.crt里去验证
注意:这个ca-bundle.crt不能用普通的办法生成pem,强行用openssl命令转换只能取出文件里第一个证书。