njuk-njuk n00b
Joined: 24 Aug 2003 Posts: 65 Location: New York, NY
Posted: Mon May 15, 2006 11:44 pm Post subject: [solved] fetchmail: Server certificate verification error
After a recent Gentoo update, I started getting the following messages from fetchmail for the various hosts I pull mail from...
Code: | fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate |
Here is my ~/.fetchmailrc [items in upper case (other than POP3) are there to obfuscate the actual values]...
Code: | poll MAILHOST with proto POP3
user 'REMOTE_ME' there with password 'REMOTE_PASSWORD' is 'LOCAL_ME' here ssl fetchall |
After a bit of digging around on the net, I tried adding the following to my ~/.fetchmailrc...
Code: | sslcertpath $HOME/.certs |
Then I got the certificate from MAILHOST and performed the following operations...
Code: | $ openssl x509 -in ~/.certs/MAILHOST.crt -addtrust emailProtection -out ~/.certs/MAILHOST.pem
$ c_rehash ~/.certs |
Regardless, I'm still getting the same message from fetchmail. I can still receive mail but would like to get rid of the messages.
Last edited by njuk-njuk on Tue Jul 25, 2006 7:09 am; edited 1 time in total |
njuk-njuk n00b
Joined: 24 Aug 2003 Posts: 65 Location: New York, NY
Posted: Tue Jul 25, 2006 7:09 am Post subject:
I was very surprised I received no replies to this posting as I would have thought someone would have run across the same issue or knew the answer outright. Luckily, after a few months of digging around in my spare time I figured this out. I will document the solution here in the event someone else stumbles across the same problem. I apologize in advance if my terminology is not exact; I am not an expert on SSL authentication. Additionally, I am not really sure why this problem did not appear sooner as I had not changed my .fetchmailrc file for quite some time. The problem occurred when I updated to a new version of Gentoo, so it must have been a change in some system-wide configuration.
The general issue I eventually discovered is that all three of the independent mail servers I pull from generate their own root certificates. Not only did I need to have the certificate of the mail server, but I needed to get their corresponding root certificate as well since they were not generated by a known authority.
Here is my step-by-step solution to this issue...
Assumptions:
My home directory is /home/foobar.
My mail server is pop.foobar.com running on port 995 (POP) [or port 993 if it is IMAP].
Step 1: create a local repository for the certificates.
Code: | $ mkdir /home/foobar/.certs |
Note: this sets them up on a per-user basis; otherwise you can put them in a system-wide location such as /usr/share/certs (which you'll likely have to create as well).
Step 2: get the mail server certificate.
Code: | openssl s_client -CApath /home/foobar/.certs -connect pop.foobar.com:995 -showcerts |
Press Ctrl-D when you get the Ok line to terminate the session. Scroll up through the output generated and copy/paste the lines of output inclusive of the lines listed below.
Code: | -----BEGIN CERTIFICATE-----
...
<a whole lot of cryptic ascii here>
...
-----END CERTIFICATE----- |
Save them in a file in /home/foobar/.certs. The file must end in a pem extension. For example, you could name the file pop.foobar.com.pem.
Step 3: get the root certificate.
This will vary by location. In each case, I had to ask the sysadmin or find it posted on their website. Again, save the file (with a unique name) in /home/foobar/.certs with a pem extension. Note: in all my cases the file had a crt extension, but renaming it to have a pem one works fine. Verify that the file is similar to the one you created above, meaning that it has the BEGIN...END information.
Step 4: run c_rehash on the certificates directory.
Code: | $ c_rehash /home/foobar/.certs |
You should see results similar to the following...
Code: | Doing /home/foobar/.certs/
pop.foobar.com.pem => 12d56g8.0
CA.foobar.pem => a234ef78.0 |
Step 5: recheck your work.
Re-run the following command...
Code: | openssl s_client -CApath /home/foobar/.certs -connect pop.foobar.com:995 -showcerts |
Scroll to the top of the output and look for a depth=1, which implies that the certificates are now in working order.
Step 6: configure fetchmail.
First, get the fingerprint for the mail server by using the following command.
Code: | $ openssl x509 -in pop.foobar.com.pem -noout -md5 -fingerprint |
You should see output similar to the following...
Code: | MD5 Fingerprint=A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6 |
You will use the part after MD5 Fingerprint= in your .fetchmailrc configuration as stated below.
I will assume that you already have a properly configured /home/foobar/.fetchmailrc file. The following information needs to be included...
Code: | ssl sslcertck sslfingerprint 'A1:B2:C3:D4:E5:F6:G7:H8:I9:J0:K1:L2:M3:N4:O5:P6' sslcertpath /home/foobar/.certs |
Step 7: run fetchmail to test.
If no errors are output, then you are all done.
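Added example, not part of the original thread or of fetchmail itself: a POSIX shell script that automates steps 2 through 6 of the post above, so the chain does not have to be copied out of a terminal by hand. The host (pop.foobar.com), port (995) and directory (/home/foobar/.certs) are the post's example values; the function names and the HOST-N.pem naming scheme (N=0 for the server certificate, N=1 for its issuer, and so on) are this example's own conventions. Two details differ from the post on purpose: stdin is taken from /dev/null so `openssl s_client` exits by itself instead of waiting for Ctrl-D, and `openssl verify` is used in place of scanning the output for depth=1, because its exit status is the check that actually matters. The fingerprint is MD5 only because fetchmail's `sslfingerprint` option compares an MD5 digest; it pins one certificate and has to be refreshed whenever the server's certificate is renewed.

```shell
#!/bin/sh
# Added example (not from the original post). Automates steps 2-6 above.
# Host, port and directory defaults are the post's example values; the
# function names and the HOST-N.pem file layout are assumptions of this script.

# split_chain DIR NAME: read `openssl s_client -showcerts` output on stdin,
# write each certificate block to DIR/NAME-N.pem (0 = server cert, 1 = its
# issuer, ...), and print how many blocks were written.
split_chain() {
    awk -v dir="$1" -v name="$2" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/" name "-" n ".pem"; n++; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
        END { print n }
    '
}

# fetch_chain HOST PORT DIR: step 2 without the copy/paste. Stdin from
# /dev/null makes s_client exit on its own instead of waiting for Ctrl-D;
# -servername sends SNI so a multi-hosted server returns the right cert.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | split_chain "$3" "$1"
}

# verify_chain DIR LEAF: steps 4 and 5. `openssl verify` exits non-zero when
# the chain does not end in a CA found under DIR, which is a stricter check
# than looking for depth=1 in the s_client output.
verify_chain() {
    c_rehash "$1" >/dev/null
    openssl verify -CApath "$1" "$2"
}

# md5_fingerprint PEM: step 6. MD5 because fetchmail's sslfingerprint option
# compares against an MD5 digest. This pins a single certificate, so it must
# be refreshed whenever the server's certificate is renewed.
md5_fingerprint() {
    openssl x509 -in "$1" -noout -md5 -fingerprint | sed 's/^MD5 Fingerprint=//'
}

main() {
    host=$1
    port=${2:-995}
    dir=${3:-/home/foobar/.certs}
    mkdir -p "$dir"
    count=$(fetch_chain "$host" "$port" "$dir")
    echo "saved $count certificate(s) from $host into $dir"
    # If the server does not send its root CA (common with private CAs), copy
    # the CA file obtained in step 3 into "$dir" before this point, or verify
    # will fail with "unable to get local issuer certificate".
    verify_chain "$dir" "$dir/$host-0.pem"
    echo "ssl sslcertck sslfingerprint '$(md5_fingerprint "$dir/$host-0.pem")' sslcertpath $dir"
}

# Usage: ./fetchmail-certs.sh pop.foobar.com [995] [/home/foobar/.certs]
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The last line the script prints is the `.fetchmailrc` fragment from step 6. The `sslcertck` keyword is the part that matters for security: the first post shows that without it fetchmail only warns about the unverifiable chain and still logs in, so the password and mail were being sent to a server whose identity had not been checked; with `sslcertck` a verification failure aborts the session instead.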