Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] fetchmail + certs = problems
Date: Sat, 02 Oct 2010 16:31:53
Message-Id: 201010021730.53436.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] fetchmail + certs = problems by meino.cramer@gmx.de
On Saturday 02 October 2010 15:17:01 meino.cramer@×××.de wrote:
> Mick <michaelkintzios@×××××.com> [10-10-02 13:52]:
> > On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote:
> > > Hi,
> > >
> > > fetchmail's log told me that there is something wrong with the setup
> > > of the certificates.
> > >
> > > In the log there is the following section
> > >
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> > > fetchmail: Server certificate verification error: unable to get local issuer certificate
> > > fetchmail: This means that the root signing certificate (issued for
> > > /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the
> > > trusted CA certificate locations, or that c_rehash needs to be run on
> > > the certificate directory. For details, please see the documentation
> > > of --sslcertpath and --sslcertfile in the manual page.
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: Server certificate verification error: certificate not trusted
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: Server certificate verification error: unable to verify the first certificate
> > > fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> > >
> > >
> > > Beforehand I did the following:
> > >
> > > From the output of this command
> > >
> > > #> openssl s_client -connect pop.gmx.net:995 -showcerts
> > >
> > > I copied the section
> > >
51 > > > -----BEGIN CERTIFICATE-----
70 > > > -----END CERTIFICATE-----
> > >
> > > into a file "pop.gmx.net.pem" and copied this file into
> > > /etc/fetchmail/certs
> > >
> > > Then I downloaded the whole package of root certificates from here
> > > https://www.verisign.com/support/thawte-roots.zip
> > > unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> > > I renamed the files with detox so that they do not contain blanks.
> > >
> > >
> > > Then I ran as root the command
> > >
> > > $> c_rehash /etc/fetchmail/certs
> > >
> > > I checked /etc/fetchmail/certs and found all files being symlinked to
> > > something which looks like hash keys (?).
> > >
> > > c_rehash does not emit any error message.
> > >
> > > After this I added below the poll section of my accounts in
> > > $HOME/.fetchmailrc the following line:
> > > sslcertpath /etc/fetchmail/certs
> > >
> > > Nonetheless fetchmail complains about local certificates.
> > >
> > > What do I have to do to fix this?
> > >
> > > Best regards and thank you for any help in advance!
> > > mcc
> >
> > Sendmail and I think fetchmail (haven't used the latter yet) do a strict
> > check of certs against a local store. The error above tells you to add
> > to your .fetchmailrc the option sslcertck. Did you do that?
> >
> > So your .fetchmailrc should show something like:
> >
> > user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl
> > sslcertck sslcertpath '/etc/fetchmail/certs'
> >
> > If you have done the above and it still does not work then the problem may
> > be that the user you are running fetchmail as does not have read access
> > to your /etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and
> > it should work.
> >
> > HTH.
>
> Hi Mick,
>
> thank you for your help. :)
>
> I currently have this line in my fetchmailrc (the rest is commented out).
> This had worked until the ssl/cert showdown:
>
> poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password
> "<this is the password>" mda "/usr/bin/procmail -d %T"
>
> On the internet and in your post I found a totally different syntax... so
> it seems that I have lived behind the moon for a long time and didn't
> get all the new syntax changes to fetchmail ;)
>
> I changed the above line to
> poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password
> "<this is the password>" mda "/usr/bin/procmail -d %T" options ssl
> sslcertck sslcertpath '/etc/fetchmail/certs'
>
> which results with
> fetchmail -v
> in
> fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll started
> Trying to connect to 212.227.17.185/995...connected.
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Thawte Consulting cc
> fetchmail: Issuer CommonName: Thawte Premium Server CA
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: This means that the root signing certificate (issued for
> /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted
> CA certificate locations, or that c_rehash needs to be run on the
> certificate directory. For details, please see the documentation of
> --sslcertpath and --sslcertfile in the manual page.
> 17550:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from Meino.Cramer@×××.de@pop.gmx.net
> fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll completed
> fetchmail: Query status=2 (SOCKET)
> fetchmail: normal termination, status 2
>
> ls -l /etc/fetchmail/certs:
> total 44
> lrwxrwxrwx 1 root root 30 Oct 2 12:10 09ca81a7.0 -> Thawte_Personal_Premium_CA.pem
> lrwxrwxrwx 1 root root 26 Oct 2 12:10 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
> lrwxrwxrwx 1 root root 28 Oct 2 12:10 3a7f6b22.0 -> Thawte_Personal_Basic_CA.pem
> lrwxrwxrwx 1 root root 50 Oct 2 12:10 415660c1.0 -> Class_3_Public_Primary_Certification_Authority.pem
> lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.0 -> Thawte_Personal_Freemail_CA.pem
> lrwxrwxrwx 1 root root 31 Oct 2 12:10 64d1f6f4.1 -> thawte_Personal_Freemail_CA.pem
> lrwxrwxrwx 1 root root 20 Oct 2 12:10 6cc3c4c3.0 -> Thawte_Server_CA.pem
> lrwxrwxrwx 1 root root 28 Oct 2 12:10 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
> lrwxrwxrwx 1 root root 26 Oct 2 12:10 9e6afd31.0 -> Thawte_Timestamping_CA.pem
> -rw-r--r-- 1 root root 833 Oct 2 12:06 Class_3_Public_Primary_Certification_Authority.pem
> -rw-r--r-- 1 root root 1167 Oct 2 12:06 Thawte_Personal_Basic_CA.pem
> -rw-r--r-- 1 root root 1183 Oct 2 12:06 Thawte_Personal_Freemail_CA.pem
> -rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Personal_Premium_CA.pem
> -rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Premium_Server_CA.pem
> -rw-r--r-- 1 root root 1146 Oct 2 12:06 Thawte_Server_CA.pem
> -rw-r--r-- 1 root root 992 Oct 2 12:06 Thawte_Timestamping_CA.pem
> lrwxrwxrwx 1 root root 33 Oct 2 12:10 c089bbbd.0 -> thawte_Primary_Root_CA-G2_ECC.pem
> lrwxrwxrwx 1 root root 15 Oct 2 12:10 ec4e2774.0 -> pop.gmx.net.pem
> -rw-r--r-- 1 root root 1213 Oct 2 12:10 pop.gmx.net.pem
> -rw-r--r-- 1 root root 1164 Oct 2 12:06 thawte_Personal_Freemail_CA.pem
> -rw-r--r-- 1 root root 939 Oct 2 12:06 thawte_Primary_Root_CA-G2_ECC.pem
> -rw-r--r-- 1 root root 1493 Oct 2 12:06 thawte_Primary_Root_CA.pem
>
> everything is world readable...
>
> Finally I did a fetchmail --version which gave me:
> This is fetchmail release 6.3.17+RPA+NTLM+SDPS+SSL+NLS.
>
> Copyright (C) 2002, 2003 Eric S. Raymond
> Copyright (C) 2004 Matthias Andree, Eric S. Raymond,
> Robert M. Funk, Graham Wilson
> Copyright (C) 2005 - 2006, 2010 Sunil Shetye
> Copyright (C) 2005 - 2010 Matthias Andree
> Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and
> you are welcome to redistribute it under certain conditions. For details,
> please see the file COPYING in the source or documentation directory.
>
> Fallback MDA: (none)
> Linux solfire 2.6.35.7 #2 SMP PREEMPT Thu Sep 30 14:29:29 CEST 2010 x86_64 AMD Phenom(tm) II X6 1090T Processor AuthenticAMD GNU/Linux
> Taking options from command line and /home/mccramer/.fetchmailrc
> Idfile is /home/mccramer/.fetchids
> Fetchmail will forward misaddressed multidrop messages to mccramer.
> Options for retrieving from Meino.Cramer@×××.de@pop.gmx.net:
> True name of server is pop.gmx.net.
> Protocol is POP3.
> All available authentication methods will be tried.
> SSL encrypted sessions enabled.
> SSL server certificate checking enabled.
> SSL trusted certificate directory: /etc/fetchmail/certs
> Server nonresponse timeout is 300 seconds (default).
> Default mailbox selected.
> Only new messages will be retrieved (--all off).
> Fetched messages will not be kept on the server (--keep off).
> Old messages will not be flushed before message retrieval (--flush off).
> Oversized messages will not be flushed before message retrieval (--limitflush off).
> Rewrite of server-local addresses is enabled (--norewrite off).
> Carriage-return stripping is enabled (stripcr on).
> Carriage-return forcing is disabled (forcecr off).
> Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
> MIME decoding is disabled (mimedecode off).
> Idle after poll is disabled (idle off).
> Nonempty Status lines will be kept (dropstatus off)
> Delivered-To lines will be kept (dropdelivered off)
> Fetch message size limit is 100 (--fetchsizelimit 100).
> Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
> Messages will be delivered with "/usr/bin/procmail -d %T".
> Single-drop mode: 1 local name recognized.
> No UIDs saved from this host.
>
> I have no clue whether the certs are not accepted...
>
> What did I do wrong?
>
> Best regards
> mcc

Hmm ... can't see anything amiss, but as I said I have not used fetchmail.
Perhaps a more seasoned fetchmail gentooist will chime in here.

Until then three more things to check, or do:

Have you installed *all* the CA root certs?

(There may be some intermediate certs that are required - you will need the
complete chain of the root certs saved in your /etc/fetchmail/certs and then
run c_rehash. Check the atime of the contents of your /etc/fetchmail/certs to
make sure that the c_rehash worked).

Also add:

sslfingerprint A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6

to your .fetchmailrc.

Finally, just in case the access rights are somewhat incorrect, copy your
/etc/fetchmail/certs to ~/.fetchmail/.certs and run c_rehash for that
directory.

HTH.
--
Regards,
Mick
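The checks discussed in this thread (is the issuer's certificate in the sslcertpath directory, did c_rehash create the hash links, does the chain verify) can be reproduced outside fetchmail with the openssl CLI. The script below is an added example, not code from the thread or from fetchmail; it assumes the openssl command is installed, a server certificate saved from s_client (such as pop.gmx.net.pem) and the directory used as sslcertpath, and the function names rehash_dir and check_capath are chosen here.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI.
# LEAF is the server certificate saved from "openssl s_client -showcerts",
# DIR is the directory given to fetchmail as sslcertpath.

# Create the <subject-hash>.N symlinks that c_rehash creates, for every
# .pem file in DIR. OpenSSL (and therefore fetchmail) finds an issuer
# only through these links, never by file name.
rehash_dir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do
            # this file is already linked under its hash: nothing to do
            [ "$(readlink "$dir/$h.$n")" = "$(basename "$pem")" ] && continue 2
            n=$((n + 1))   # same subject hash taken, use the next suffix (cf. 64d1f6f4.0/.1 above)
        done
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
}

# Report which hash file the leaf's issuer must have in DIR, then run the
# same chain verification fetchmail performs with sslcertck. Returns 0 only
# when the whole chain (issuer, and its issuers up to a root) verifies.
check_capath() {
    leaf=$1
    dir=$2
    ih=$(openssl x509 -noout -issuer_hash -in "$leaf") || return 2
    if [ ! -e "$dir/$ih.0" ]; then
        echo "no $ih.0 in $dir: issuer certificate missing, or c_rehash not run" >&2
        return 1
    fi
    openssl verify -CApath "$dir" "$leaf" >/dev/null
}
```

Run check_capath against the saved server certificate and the sslcertpath directory as the same user fetchmail runs as, so permission problems show up too.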
