On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote:
> Hi,
>
> fetchmail's log told me, that there is something wrong with the setup
> of the certificates.
>
> In the log there is the following section
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Thawte Consulting cc
> fetchmail: Issuer CommonName: Thawte Premium Server CA
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: pop.gmx.net key fingerprint:
> A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> fetchmail: Server certificate verification error: unable to get local
> issuer certificate
> fetchmail: This means that the root signing certificate (issued for
> /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted
> CA certificate locations, or that c_rehash needs to be run on the
> certificate directory. For details, please see the documentation of
> --sslcertpath and --sslcertfile in the manual page.
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Thawte Consulting cc
> fetchmail: Issuer CommonName: Thawte Premium Server CA
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Thawte Consulting cc
> fetchmail: Issuer CommonName: Thawte Premium Server CA
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: Server certificate verification error: unable to verify the
> first certificate
> fetchmail: Warning: the connection is insecure, continuing anyways.
> (Better use --sslcertck!)
>
>
> Beforehand I did the following:
>
> From the output of this command
> #> openssl s_client -connect pop.gmx.net:995 -showcerts
>
> I copied the section
>
> into a file "pop.gmx.net.pem" and copied this file into
> /etc/fetchmail/certs
>
> Then I downloaded the whole package of root certificates from here
> https://www.verisign.com/support/thawte-roots.zip
> unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> I renamed the files to not contain blanks with detox.
>
>
> Then I ran as root the command
> $> c_rehash /etc/fetchmail/certs
>
> I checked /etc/fetchmail/certs and found all files being symlinked to
> something which looks like hash keys (?).
>
> c_hash does not submit any error message.
>
> After this I added below the poll section of my accounts
> $HOME/.fetchmailrc the following line:
>
> sslcertpath /etc/fetchmail/certs
>
> Nonetheless fetchmail complains about local certificates.
>
> What do I have to do to fix this?
>
> Best regards and thank you for any help in advance!
> mcc

Sendmail and I think fetchmail (haven't used the latter yet) do a strict check
of certs against a local store. The error above tells you to add to your
.fetchmailrc the option of sslcertck. Did you do that?

So your .fetchmailrc should show something like:

user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl
sslcertck sslcertpath '/etc/fetchmail/certs'

If you have done the above and it still does not work then the problem may be
that the user you are running fetchmail as does not have read access to your
/etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and it should work.

HTH.
--
Regards,
Mick
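
A check for the certificate-directory states discussed in this thread (directory readable, hash links present, issuer actually in the directory), as an added example that is not part of the original messages or of fetchmail. The throwaway root CA, the host name pop.example.test and all function names are constructed for the demonstration; it assumes an OpenSSL command line that has either `openssl rehash` or the `c_rehash` script.

```sh
#!/bin/sh
# Added example; CA, host name and function names are constructed.

# check_certdir DIR CERT: print a diagnosis, return 0 only for "ok".
check_certdir() {
    dir=$1 cert=$2
    # The user running fetchmail needs read and search permission.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then echo unreadable; return 1; fi
    # c_rehash links each cert as <8 hex digits>.<n>; OpenSSL looks up
    # issuers in a CA directory only through these names.
    if ! ls "$dir" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo unhashed; return 1
    fi
    if openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo untrusted; return 1   # issuer missing from DIR or not hashed
}

# rehash DIR: "openssl rehash" (OpenSSL 1.1.0+), else the c_rehash script.
rehash() { { openssl rehash "$1" || c_rehash "$1"; } >/dev/null 2>&1; }

# make_demo_pki WORKDIR: throwaway root CA plus a server cert it signs.
make_demo_pki() {
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -days 1 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/srv.pem" 2>/dev/null
}

# demo: walk through the four directory states, echo the four diagnoses.
demo() {
    w=$(mktemp -d); make_demo_pki "$w"; d=$w/certs; s=$w/srv.pem
    cp "$s" "$d/"                              # server cert only, no links
    r1=$(check_certdir "$d" "$s" || true)
    rehash "$d"                                # hashed, issuer still absent
    r2=$(check_certdir "$d" "$s" || true)
    cp "$w/ca.pem" "$d/"                       # issuer copied, not rehashed
    r3=$(check_certdir "$d" "$s" || true)
    rehash "$d"                                # issuer now has its hash link
    r4=$(check_certdir "$d" "$s" || true)
    rm -rf "$w"
    echo "$r1 $r2 $r3 $r4"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run against a real setup as the user that runs fetchmail, for example `check_certdir /etc/fetchmail/certs pop.gmx.net.pem`, so the permission test reflects that user's access.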