Self-signed certificate is ignored?

Help
2007-01-23
2013-04-16
  • cy_sfnet_2007
    2007-01-23

    I'm trying to skip the "Server certificate could not be verified" prompt. Everything (user, pass, mounting, etc.) works fine, except that annoying "[yN]" question; I want to skip it.

    So I've copied the CA certificate of my WebDav Server under "/etc/ssl/" (which "/usr/lib/ssl" is a symlink to). I've moved them under "certs" and "private", and in all my desperation I've even copied everything (private key, certificate, and even csr) from my WebDav server to the client.

    The only workaround I've come up with so far is "echo y | mount /home/webdav/ox_files/" which is, it goes without saying, b.ttugly and insecure.

    Can someone please explain to me in detail what is needed, how the files should be renamed and where they should be copied?

    TIA.

     
    • Werner Baumann
      2007-01-27

      Most probably OpenSSL does not recognize your certificate because it does not know the file name. For OpenSSL to find a certificate, the filename must be a hash value of the name of the certificate owner. You can create this hash value using the 'openssl x509' command. Usually symbolic links are created, using command substitution like this

      # ln -s certfile.pem `openssl x509 -in certfile.pem -hash -noout`.0

      This will create a symbolic link to file certfile.pem with a name like 'e268a4c5.0'. Of course 'certfile.pem' must be replaced by the name of your file.

      If this does not work, there may be some mismatch between the versions of neon, openssl and davfs2. This should not happen if you build davfs2 on your system from the source package or if you got it from your distribution. But it might happen with the binary version of davfs2 (because I built it on Debian Sarge, but other distributions may have configured SSL differently from Debian).

      You definitely don't need the private key; it's really private to the server, and you should delete it from your client. The certificate also should not go into some private directory, but into the same directory where all the other CA certificates can be found.

      Greetings
      Werner
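
The hash-link step from the reply above, as an added example that is not part of the original posts or of davfs2: the hypothetical function `install_ca_link` refuses any file that also contains a private key, picks the first free numeric suffix (the `.0` is a counter for certificates sharing a subject hash), and is safe to run twice. File and directory names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: install_ca_link CERT_FILE CERTS_DIR
# Prints the name of the hash link, e.g. e268a4c5.0
install_ca_link() {
    cert=$1
    dir=$2
    # The server's private key must never land in the client's trust directory.
    if grep -q 'PRIVATE KEY' "$cert"; then
        echo "refusing: $cert contains a private key" >&2
        return 1
    fi
    # Compute the hash with the same openssl the client uses; the algorithm
    # differs between OpenSSL releases.
    hash=$(openssl x509 -in "$cert" -noout -hash) || return 1
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
    abs=$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        # Same certificate already linked: nothing to do.
        other=$(openssl x509 -in "$dir/$hash.$n" -noout -fingerprint -sha256 2>/dev/null) || other=
        if [ "$other" = "$fp" ]; then
            echo "$hash.$n"
            return 0
        fi
        # A different certificate with the same subject hash: try the next suffix.
        n=$((n + 1))
    done
    ln -s "$abs" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}

# Run directly: ./install_ca_link.sh my-ca.pem /etc/ssl/certs
if [ "$#" -eq 2 ]; then
    install_ca_link "$1" "$2"
fi
```

Afterwards `openssl verify -CApath CERTS_DIR CERT_FILE` should report OK for the self-signed certificate.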