| 1 |
Hi, |
| 2 |
|
| 3 |
fetchmail's log told me, that there is something wrong with the setup |
| 4 |
of the certificats. |
| 5 |
|
| 6 |
In the log there is the following section |
| 7 |
fetchmail: Server certificate: |
| 8 |
fetchmail: Issuer Organization: Thawte Consulting cc |
| 9 |
fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 10 |
fetchmail: Subject CommonName: pop.gmx.net |
| 11 |
fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6 |
| 12 |
fetchmail: Server certificate verification error: unable to get local issuer certificate |
| 13 |
fetchmail: This means that the root signing certificate (issued for /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. |
| 14 |
fetchmail: Server certificate: |
| 15 |
fetchmail: Issuer Organization: Thawte Consulting cc |
| 16 |
fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 17 |
fetchmail: Subject CommonName: pop.gmx.net |
| 18 |
fetchmail: Server certificate verification error: certificate not trusted |
| 19 |
fetchmail: Server certificate: |
| 20 |
fetchmail: Issuer Organization: Thawte Consulting cc |
| 21 |
fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 22 |
fetchmail: Subject CommonName: pop.gmx.net |
| 23 |
fetchmail: Server certificate verification error: unable to verify the first certificate |
| 24 |
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!) |
| 25 |
|
| 26 |
|
| 27 |
In beforehand I did the following: |
| 28 |
|
| 29 |
From the output of this command |
| 30 |
#> openssl s_client -connect pop.gmx.net:995 -showcerts |
| 31 |
|
| 32 |
I copied the section |
| 33 |
|
| 34 |
-----BEGIN CERTIFICATE----- |
| 35 |
MIIDUzCCArygAwIBAgIQDNZUbIDJ5EM+DVSd5AzXOjANBgkqhkiG9w0BAQUFADCB |
| 36 |
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ |
| 37 |
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE |
| 38 |
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh |
| 39 |
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl |
| 40 |
cnZlckB0aGF3dGUuY29tMB4XDTEwMDQyMjAwMDAwMFoXDTEzMDUwOTIzNTk1OVow |
| 41 |
WDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjEPMA0GA1UEBxQGTXVuaWNo |
| 42 |
MREwDwYDVQQKFAhHTVggR21iSDEUMBIGA1UEAxQLcG9wLmdteC5uZXQwgZ8wDQYJ |
| 43 |
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMu3VYZP3YqpNweeIp+zIYtAlYL9Nya5hq6j |
| 44 |
k+ShUtukV1746nqJto70+4oNhCYJ33mMw+vS5fODjuggG+Z1xcL5YU8mUyG2E7fH |
| 45 |
YkfNtHHMhRntN15ml7Kv3c52kmOI09r2psnlNPkkNx5shneON8jZfXYlqQq5Vq1l |
| 46 |
Hz+jEjFrAgMBAAGjgaYwgaMwDAYDVR0TAQH/BAIwADBABgNVHR8EOTA3MDWgM6Ax |
| 47 |
hi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyUHJlbWl1bUNBLmNy |
| 48 |
bDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAk |
| 49 |
MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEB |
| 50 |
BQUAA4GBAF/BVQRh2QOAtH8491d2XIKqdRZNY4OUMh6qccb0xLGNTDx3E4iwoYHc |
| 51 |
yi2axElQG+7VAEIbDftzfhVUttsPwLI0BM2Nvz6KkwnlrJmt9HuZOjyv9M6szCxX |
| 52 |
jHqVXkTDtrvRzT3hHTLD63l4PAqAUDpR4Th4N23IyxpgVqmYZwoJ |
| 53 |
-----END CERTIFICATE----- |
| 54 |
|
| 55 |
into a file "pop.gmx.net.pem" and copied ths file into |
| 56 |
/etc/fetchmail/certs |
| 57 |
|
| 58 |
Than I downloaded the whole package of root certificates from here |
| 59 |
https://www.verisign.com/support/thawte-roots.zip |
| 60 |
unpacked it and copied each *.pem file into /etc/fetchmail/certs also. |
| 61 |
I renamend the files to not to contain blanks with detox. |
| 62 |
|
| 63 |
|
| 64 |
Then I run as root the command |
| 65 |
$> c_rehash /etc/fetchmail/certs |
| 66 |
|
| 67 |
I checked /etc/fetchmail/certs and found all files being symlinked to |
| 68 |
something which looks like hash keys (?). |
| 69 |
|
| 70 |
c_hash does not submit any error message. |
| 71 |
|
| 72 |
After this I added below the poll section of my accounts |
| 73 |
$HOME/.fetchmailrc the following line: |
| 74 |
|
| 75 |
sslcertpath /etc/fetchmail/certs |
| 76 |
|
| 77 |
Nonetheless fetchmail complains about local certifcates. |
| 78 |
|
| 79 |
What do I have to do to fix this ? |
| 80 |
|
| 81 |
Best regards and thank you for any help in advance! |
| 82 |
mcc |
Archives