free CA?

Mike Wright mike.wright at mailinator.com
Tue Sep 10 17:42:09 UTC 2013


09/10/2013 02:39 AM, J.Witvliet at mindef.nl wrote:
> See below :-)
> -----Original Message-----
> From: users-bounces at lists.fedoraproject.org [mailto:users-bounces at lists.fedoraproject.org] On Behalf Of Mike Wright
> Sent: Monday, September 09, 2013 10:47 PM
> To: Community support for Fedora users
> Subject: Re: free CA?
>
> 09/09/2013 02:23 AM, J.Witvliet at mindef.nl wrote:
>> -----Original Message-----
>> From: users-bounces at lists.fedoraproject.org [mailto:users-bounces at lists.fedoraproject.org] On Behalf Of Mike Wright
>> Sent: Saturday, September 07, 2013 8:02 PM
>> To: Fedora Users
>> Subject: free CA?
>>
>> Hi all,
>>
>> Does anybody know of a free CA (Certificate Authority) that is
>> recognized by common browsers?  I have some very low volume
>> non-commercial sites and cannot justify spending $100/year on
>> certificates for them.
>>
>> I tried CAcert but no matter what I did they said they could not contact
>> my mail server in order to verify me.  (Same server where my Fedora
>> Users mail arrives w/o problems.)  tcpdump shows they came and carried
>> on some sort of conversation.  Given all that I gave up on them.
>>
>> Any help would be greatly appreciated,
>> Mike Wright
>> -----Original Message-----
>>
>> Hi Mike,
>>
>> Perhaps worthwhile spending some more time on your email issue....
>> You did get certified? And subscribed to their M.L.? (there were some technical issues lately)
>>
>> At least your primary email-address should remain reachable by cacert.
>> You can test that, by issuing a client certificate: you should get notified for that.
>>
>> In case there is something odd with the email-address itself: You can expect the same by other CA-providers, as anyone needs to be able to verify your address.
>>
>> Hans (in private life also assurer for CAcert)
>
> Hallo Hans,
>
> Thanks for your help.
>
> I've successfully sent mail from Yahoo to the email address I'm using.
> I've also had friends from across the US successfully send email to that
> address; nonetheless, the signup session with CAcert always fails with:
>
> "Email Address given was invalid, or a test connection couldn't be made
> to your server, or the server rejected the email address as invalid
> Failed to make a connection to the mail server".
>
> Would it be OK if I contacted you off list at your mindef.nl email
> address?  Perhaps you could try sending me an email from where you are.
>    That may help me figure out what is breaking where.
>
> I've combed through my DNS and mailserver settings and found no errors
> (obvious to me).  This dns/mail setup has been working for about 14
> years (djbdns/qmail).
> -----Original Message-----
>
> Ah!
> Sounds familiar :-(
> Although not from cacert.org, I've seen similar complaints...
>
> At the risk of getting off-topic, this is what I got recently:
> Since a couple of days I get the same messages from gmail.com and others.
> It seems that they (finally) started implementing ipv6. When they see the originating IP-address, they try to do a reversed lookup & forward lookup. That fails (because of anonymity mode in V6 I get a randomized address) so several companies (like gmail) consider me a spammer and bounce email, just like yours.
> Do you run your own (outgoing) MTA? If so, you need a dedicated mail-account that uses your ISP mail-server ;-)
>
> You can send me directly: either at home (hwit at a-domani.nl) or at work.
> 99.9999% certain that it arrives (as long as it's not filtered out by our picky corporate filters, but these filter only upon suspicious content, they are not testing (apparent) sending addresses...)
>

Once again it looks like I outsmarted myself.  Traced the problem down 
to my MTA's smtpd.cdb (db of allowed/denied IPs).  Somehow cacert's IP 
range was being denied.

I now have a client certificate but have no idea what to name it or 
where to install it :)
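
For anyone chasing the same kind of silent deny, here is an added example (not part of the original post) that reports which rule decides the fate of a connecting IP. It assumes smtpd.cdb is a tcpserver rules database compiled by ucspi-tcp's tcprules from a text source, which the post does not state; the sample rules and addresses are constructed, and only IPv4 address rules are modelled.

```python
# Added example: simplified, IP-only model of tcprules matching.
# Hostname (=host) and info@ rules are skipped; sample data is constructed.

def expand(address):
    """Expand a range in the last component: 1.2.3.37-53 or 10.2-3."""
    if "-" not in address:
        return [address]
    dot = "." if address.endswith(".") else ""
    head, _, last = address.rstrip(".").rpartition(".")
    lo, hi = (int(n) for n in last.split("-"))
    prefix = head + "." if head else ""
    return [f"{prefix}{n}{dot}" for n in range(lo, hi + 1)]

def load_rules(text):
    """Map each rule address to (source line number, source line, action)."""
    rules = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instructions = line.partition(":")
        if address.startswith("=") or "@" in address:
            continue  # hostname and info@ rules are outside this model
        for addr in expand(address):
            rules.setdefault(addr, (lineno, line, instructions.split(",")[0]))
    return rules

def decide(rules, ip):
    """Try the full IP, then shorter dotted prefixes, then the empty address."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    return None  # no rule matched at all

# Constructed rules source (documentation address ranges only).
SAMPLE = '''\
# constructed tcp.smtp-style source
127.:allow,RELAYCLIENT=""
192.0.2.10:allow
192.0.2.:deny
198.51.100.16-31:deny
:allow
'''

if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.20", "203.0.113.5"):
        print(ip, "->", decide(rules, ip))
```

Running a verifying party's address through this shows the exact source line responsible, which is how a forgotten prefix or range deny becomes visible. On a live system, ucspi-tcp's tcprulescheck answers the same question against the compiled cdb.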

