| 1 |
On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> fetchmail's log told me, that there is something wrong with the setup |
| 5 |
> of the certificats. |
| 6 |
> |
| 7 |
> In the log there is the following section |
| 8 |
> fetchmail: Server certificate: |
| 9 |
> fetchmail: Issuer Organization: Thawte Consulting cc |
| 10 |
> fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 11 |
> fetchmail: Subject CommonName: pop.gmx.net |
| 12 |
> fetchmail: pop.gmx.net key fingerprint: |
| 13 |
> A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6 fetchmail: Server |
| 14 |
> certificate verification error: unable to get local issuer certificate |
| 15 |
> fetchmail: This means that the root signing certificate (issued for |
| 16 |
> /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted |
| 17 |
> CA certificate locations, or that c_rehash needs to be run on the |
| 18 |
> certificate directory. For details, please see the documentation of |
| 19 |
> --sslcertpath and --sslcertfile in the manual page. fetchmail: Server |
| 20 |
> certificate: |
| 21 |
> fetchmail: Issuer Organization: Thawte Consulting cc |
| 22 |
> fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 23 |
> fetchmail: Subject CommonName: pop.gmx.net |
| 24 |
> fetchmail: Server certificate verification error: certificate not |
| 25 |
> trusted fetchmail: Server certificate: |
| 26 |
> fetchmail: Issuer Organization: Thawte Consulting cc |
| 27 |
> fetchmail: Issuer CommonName: Thawte Premium Server CA |
| 28 |
> fetchmail: Subject CommonName: pop.gmx.net |
| 29 |
> fetchmail: Server certificate verification error: unable to verify the |
| 30 |
> first certificate fetchmail: Warning: the connection is insecure, |
| 31 |
> continuing anyways. (Better use --sslcertck!) |
| 32 |
> |
| 33 |
> |
| 34 |
> In beforehand I did the following: |
| 35 |
> |
| 36 |
> From the output of this command |
| 37 |
> #> openssl s_client -connect pop.gmx.net:995 -showcerts |
| 38 |
> |
| 39 |
> I copied the section |
| 40 |
> |
| 41 |
> -----BEGIN CERTIFICATE----- |
| 42 |
> MIIDUzCCArygAwIBAgIQDNZUbIDJ5EM+DVSd5AzXOjANBgkqhkiG9w0BAQUFADCB |
| 43 |
> zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ |
| 44 |
> Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE |
| 45 |
> CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh |
| 46 |
> d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl |
| 47 |
> cnZlckB0aGF3dGUuY29tMB4XDTEwMDQyMjAwMDAwMFoXDTEzMDUwOTIzNTk1OVow |
| 48 |
> WDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjEPMA0GA1UEBxQGTXVuaWNo |
| 49 |
> MREwDwYDVQQKFAhHTVggR21iSDEUMBIGA1UEAxQLcG9wLmdteC5uZXQwgZ8wDQYJ |
| 50 |
> KoZIhvcNAQEBBQADgY0AMIGJAoGBAMu3VYZP3YqpNweeIp+zIYtAlYL9Nya5hq6j |
| 51 |
> k+ShUtukV1746nqJto70+4oNhCYJ33mMw+vS5fODjuggG+Z1xcL5YU8mUyG2E7fH |
| 52 |
> YkfNtHHMhRntN15ml7Kv3c52kmOI09r2psnlNPkkNx5shneON8jZfXYlqQq5Vq1l |
| 53 |
> Hz+jEjFrAgMBAAGjgaYwgaMwDAYDVR0TAQH/BAIwADBABgNVHR8EOTA3MDWgM6Ax |
| 54 |
> hi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyUHJlbWl1bUNBLmNy |
| 55 |
> bDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAk |
| 56 |
> MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEB |
| 57 |
> BQUAA4GBAF/BVQRh2QOAtH8491d2XIKqdRZNY4OUMh6qccb0xLGNTDx3E4iwoYHc |
| 58 |
> yi2axElQG+7VAEIbDftzfhVUttsPwLI0BM2Nvz6KkwnlrJmt9HuZOjyv9M6szCxX |
| 59 |
> jHqVXkTDtrvRzT3hHTLD63l4PAqAUDpR4Th4N23IyxpgVqmYZwoJ |
| 60 |
> -----END CERTIFICATE----- |
| 61 |
> |
| 62 |
> into a file "pop.gmx.net.pem" and copied ths file into |
| 63 |
> /etc/fetchmail/certs |
| 64 |
> |
| 65 |
> Than I downloaded the whole package of root certificates from here |
| 66 |
> https://www.verisign.com/support/thawte-roots.zip |
| 67 |
> unpacked it and copied each *.pem file into /etc/fetchmail/certs also. |
| 68 |
> I renamend the files to not to contain blanks with detox. |
| 69 |
> |
| 70 |
> |
| 71 |
> Then I run as root the command |
| 72 |
> $> c_rehash /etc/fetchmail/certs |
| 73 |
> |
| 74 |
> I checked /etc/fetchmail/certs and found all files being symlinked to |
| 75 |
> something which looks like hash keys (?). |
| 76 |
> |
| 77 |
> c_hash does not submit any error message. |
| 78 |
> |
| 79 |
> After this I added below the poll section of my accounts |
| 80 |
> $HOME/.fetchmailrc the following line: |
| 81 |
> |
| 82 |
> sslcertpath /etc/fetchmail/certs |
| 83 |
> |
| 84 |
> Nonetheless fetchmail complains about local certifcates. |
| 85 |
> |
| 86 |
> What do I have to do to fix this ? |
| 87 |
> |
| 88 |
> Best regards and thank you for any help in advance! |
| 89 |
> mcc |
| 90 |
|
| 91 |
Sendmail and I think fetchmail (haven't used the latter yet) do a strict check |
| 92 |
of certs against a local store. The error above tells you to add to your |
| 93 |
.fetchmailrc the option of sslcertck. Did you do that? |
| 94 |
|
| 95 |
So your .fetchmailrc should show something like: |
| 96 |
|
| 97 |
user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl |
| 98 |
sslcertck sslcertpath '/etc/fetchmail/certs' |
| 99 |
|
| 100 |
If you have done the above and still does not work then the problem may be |
| 101 |
that the user you are running fetchmail as does not have read access to your |
| 102 |
/etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and it should work. |
| 103 |
|
| 104 |
HTH. |
| 105 |
-- |
| 106 |
Regards, |
| 107 |
Mick |
Archives