On Saturday 02 October 2010 15:17:01 meino.cramer@×××.de wrote:
> Mick <michaelkintzios@×××××.com> [10-10-02 13:52]:
> > On Saturday 02 October 2010 11:31:38 meino.cramer@×××.de wrote:
> > > Hi,
> > >
> > > fetchmail's log told me that there is something wrong with the setup
> > > of the certificates.
> > >
> > > In the log there is the following section
> > >
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> > > fetchmail: Server certificate verification error: unable to get local issuer certificate
> > > fetchmail: This means that the root signing certificate (issued for
> > > /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the
> > > trusted CA certificate locations, or that c_rehash needs to be run on
> > > the certificate directory. For details, please see the documentation
> > > of --sslcertpath and --sslcertfile in the manual page.
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: Server certificate verification error: certificate not trusted
> > > fetchmail: Server certificate:
> > > fetchmail: Issuer Organization: Thawte Consulting cc
> > > fetchmail: Issuer CommonName: Thawte Premium Server CA
> > > fetchmail: Subject CommonName: pop.gmx.net
> > > fetchmail: Server certificate verification error: unable to verify the first certificate
> > > fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> > >
> > >
> > > Beforehand I did the following:
> > >
> > > From the output of this command
> > >
> > > #> openssl s_client -connect pop.gmx.net:995 -showcerts
> > >
> > > I copied the section
> > >
> > > -----BEGIN CERTIFICATE-----
> > > MIIDUzCCArygAwIBAgIQDNZUbIDJ5EM+DVSd5AzXOjANBgkqhkiG9w0BAQUFADCB
> > > zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
> > > Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
> > > CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
> > > d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
> > > cnZlckB0aGF3dGUuY29tMB4XDTEwMDQyMjAwMDAwMFoXDTEzMDUwOTIzNTk1OVow
> > > WDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjEPMA0GA1UEBxQGTXVuaWNo
> > > MREwDwYDVQQKFAhHTVggR21iSDEUMBIGA1UEAxQLcG9wLmdteC5uZXQwgZ8wDQYJ
> > > KoZIhvcNAQEBBQADgY0AMIGJAoGBAMu3VYZP3YqpNweeIp+zIYtAlYL9Nya5hq6j
> > > k+ShUtukV1746nqJto70+4oNhCYJ33mMw+vS5fODjuggG+Z1xcL5YU8mUyG2E7fH
> > > YkfNtHHMhRntN15ml7Kv3c52kmOI09r2psnlNPkkNx5shneON8jZfXYlqQq5Vq1l
> > > Hz+jEjFrAgMBAAGjgaYwgaMwDAYDVR0TAQH/BAIwADBABgNVHR8EOTA3MDWgM6Ax
> > > hi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyUHJlbWl1bUNBLmNy
> > > bDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAk
> > > MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEB
> > > BQUAA4GBAF/BVQRh2QOAtH8491d2XIKqdRZNY4OUMh6qccb0xLGNTDx3E4iwoYHc
> > > yi2axElQG+7VAEIbDftzfhVUttsPwLI0BM2Nvz6KkwnlrJmt9HuZOjyv9M6szCxX
> > > jHqVXkTDtrvRzT3hHTLD63l4PAqAUDpR4Th4N23IyxpgVqmYZwoJ
> > > -----END CERTIFICATE-----
> > >
> > > into a file "pop.gmx.net.pem" and copied this file into
> > > /etc/fetchmail/certs
> > >
> > > Then I downloaded the whole package of root certificates from here
> > > https://www.verisign.com/support/thawte-roots.zip
> > > unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> > > I renamed the files with detox so that they do not contain blanks.
> > >
> > >
> > > Then I ran as root the command
> > >
> > > $> c_rehash /etc/fetchmail/certs
> > >
> > > I checked /etc/fetchmail/certs and found all files being symlinked to
> > > something which looks like hash keys (?).
> > >
> > > c_rehash does not emit any error message.
> > >
> > > After this I added below the poll section of my accounts in
> > > $HOME/.fetchmailrc the following line:
> > > sslcertpath /etc/fetchmail/certs
> > >
> > > Nonetheless fetchmail complains about local certificates.
> > >
> > > What do I have to do to fix this?
> > >
> > > Best regards and thank you for any help in advance!
> > > mcc
> >
> > Sendmail and I think fetchmail (haven't used the latter yet) do a strict
> > check of certs against a local store. The error above tells you to add
> > to your .fetchmailrc the option of sslcertck. Did you do that?
> >
> > So your .fetchmailrc should show something like:
> >
> > user 'mcc@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl
> > sslcertck sslcertpath '/etc/fetchmail/certs'
> >
> > If you have done the above and it still does not work then the problem may
> > be that the user you are running fetchmail as does not have read access
> > to your /etc/fetchmail/certs. Change that to a ~/fetchmail/.certs and
> > it should work.
> >
> > HTH.
>
> Hi Mick,
>
> thank you for your help. :)
>
> I currently have this line in my .fetchmailrc (the rest is commented out).
> This had worked until the ssl/cert showdown:
>
> poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password
> "<this is the password>" mda "/usr/bin/procmail -d %T"
>
> On the internet and in your post I found a totally different syntax... so
> it seems that I have lived behind the moon for a long time and didn't
> get all the new syntax changes of fetchmail ;)
>
> I changed the above line to
> poll pop.gmx.net protocol pop3 user "Meino.Cramer@×××.de" password
> "<this is the password>" mda "/usr/bin/procmail -d %T" options ssl
> sslcertck sslcertpath '/etc/fetchmail/certs'
>
> which results with
> fetchmail -v
> in
> fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll started
> Trying to connect to 212.227.17.185/995...connected.
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Thawte Consulting cc
> fetchmail: Issuer CommonName: Thawte Premium Server CA
> fetchmail: Subject CommonName: pop.gmx.net
> fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: This means that the root signing certificate (issued for
> /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted
> CA certificate locations, or that c_rehash needs to be run on the
> certificate directory. For details, please see the documentation of
> --sslcertpath and --sslcertfile in the manual page.
> 17550:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from Meino.Cramer@×××.de@pop.gmx.net
> fetchmail: 6.3.17 querying pop.gmx.net (protocol POP3) at Sat Oct 2 16:12:51 2010: poll completed
> fetchmail: Query status=2 (SOCKET)
> fetchmail: normal termination, status 2
>
> ls -l /etc/fetchmail/certs:
> total 44
> lrwxrwxrwx 1 root root   30 Oct 2 12:10 09ca81a7.0 -> Thawte_Personal_Premium_CA.pem
> lrwxrwxrwx 1 root root   26 Oct 2 12:10 2e4eed3c.0 -> thawte_Primary_Root_CA.pem
> lrwxrwxrwx 1 root root   28 Oct 2 12:10 3a7f6b22.0 -> Thawte_Personal_Basic_CA.pem
> lrwxrwxrwx 1 root root   50 Oct 2 12:10 415660c1.0 -> Class_3_Public_Primary_Certification_Authority.pem
> lrwxrwxrwx 1 root root   31 Oct 2 12:10 64d1f6f4.0 -> Thawte_Personal_Freemail_CA.pem
> lrwxrwxrwx 1 root root   31 Oct 2 12:10 64d1f6f4.1 -> thawte_Personal_Freemail_CA.pem
> lrwxrwxrwx 1 root root   20 Oct 2 12:10 6cc3c4c3.0 -> Thawte_Server_CA.pem
> lrwxrwxrwx 1 root root   28 Oct 2 12:10 98ec67f0.0 -> Thawte_Premium_Server_CA.pem
> lrwxrwxrwx 1 root root   26 Oct 2 12:10 9e6afd31.0 -> Thawte_Timestamping_CA.pem
> -rw-r--r-- 1 root root  833 Oct 2 12:06 Class_3_Public_Primary_Certification_Authority.pem
> -rw-r--r-- 1 root root 1167 Oct 2 12:06 Thawte_Personal_Basic_CA.pem
> -rw-r--r-- 1 root root 1183 Oct 2 12:06 Thawte_Personal_Freemail_CA.pem
> -rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Personal_Premium_CA.pem
> -rw-r--r-- 1 root root 1175 Oct 2 12:06 Thawte_Premium_Server_CA.pem
> -rw-r--r-- 1 root root 1146 Oct 2 12:06 Thawte_Server_CA.pem
> -rw-r--r-- 1 root root  992 Oct 2 12:06 Thawte_Timestamping_CA.pem
> lrwxrwxrwx 1 root root   33 Oct 2 12:10 c089bbbd.0 -> thawte_Primary_Root_CA-G2_ECC.pem
> lrwxrwxrwx 1 root root   15 Oct 2 12:10 ec4e2774.0 -> pop.gmx.net.pem
> -rw-r--r-- 1 root root 1213 Oct 2 12:10 pop.gmx.net.pem
> -rw-r--r-- 1 root root 1164 Oct 2 12:06 thawte_Personal_Freemail_CA.pem
> -rw-r--r-- 1 root root  939 Oct 2 12:06 thawte_Primary_Root_CA-G2_ECC.pem
> -rw-r--r-- 1 root root 1493 Oct 2 12:06 thawte_Primary_Root_CA.pem
>
> everything is world readable...
>
> Finally I did a fetchmail --version which gave me:
> This is fetchmail release 6.3.17+RPA+NTLM+SDPS+SSL+NLS.
>
> Copyright (C) 2002, 2003 Eric S. Raymond
> Copyright (C) 2004 Matthias Andree, Eric S. Raymond,
> Robert M. Funk, Graham Wilson
> Copyright (C) 2005 - 2006, 2010 Sunil Shetye
> Copyright (C) 2005 - 2010 Matthias Andree
> Fetchmail comes with ABSOLUTELY NO WARRANTY. This is free software, and
> you are welcome to redistribute it under certain conditions. For details,
> please see the file COPYING in the source or documentation directory.
>
> Fallback MDA: (none)
> Linux solfire 2.6.35.7 #2 SMP PREEMPT Thu Sep 30 14:29:29 CEST 2010 x86_64 AMD Phenom(tm) II X6 1090T Processor AuthenticAMD GNU/Linux
> Taking options from command line and /home/mccramer/.fetchmailrc
> Idfile is /home/mccramer/.fetchids
> Fetchmail will forward misaddressed multidrop messages to mccramer.
> Options for retrieving from Meino.Cramer@×××.de@pop.gmx.net:
> True name of server is pop.gmx.net.
> Protocol is POP3.
> All available authentication methods will be tried.
> SSL encrypted sessions enabled.
> SSL server certificate checking enabled.
> SSL trusted certificate directory: /etc/fetchmail/certs
> Server nonresponse timeout is 300 seconds (default).
> Default mailbox selected.
> Only new messages will be retrieved (--all off).
> Fetched messages will not be kept on the server (--keep off).
> Old messages will not be flushed before message retrieval (--flush off).
> Oversized messages will not be flushed before message retrieval (--limitflush off).
> Rewrite of server-local addresses is enabled (--norewrite off).
> Carriage-return stripping is enabled (stripcr on).
> Carriage-return forcing is disabled (forcecr off).
> Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
> MIME decoding is disabled (mimedecode off).
> Idle after poll is disabled (idle off).
> Nonempty Status lines will be kept (dropstatus off)
> Delivered-To lines will be kept (dropdelivered off)
> Fetch message size limit is 100 (--fetchsizelimit 100).
> Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
> Messages will be delivered with "/usr/bin/procmail -d %T".
> Single-drop mode: 1 local name recognized.
> No UIDs saved from this host.
>
> I have no clue whether the certs are not accepted...
>
> What did I do wrong?
>
> Best regards
> mcc

Hmm ... can't see anything amiss, but as I said I have not used fetchmail.
Perhaps a more seasoned fetchmail gentooist will chime in here.

Until then three more things to check, or do:

Have you installed *all* the CA root certs?

(There may be some intermediate certs that are required - you will need the
complete chain of the root certs saved in your /etc/fetchmail/certs and then
run c_rehash. Check the atime of the contents of your /etc/fetchmail/certs to
make sure that the c_rehash worked).

Also add:

sslfingerprint A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6

to your .fetchmailrc.

Finally, just in case the access rights are somewhat incorrect, copy your
/etc/fetchmail/certs to ~/.fetchmail/.certs and run c_rehash for that
directory.

HTH.
-- 
Regards,
Mick
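The error in the thread, "unable to get local issuer certificate", is OpenSSL reporting that it looked in the sslcertpath directory for a file named <hash of the issuer's subject name>.0 (then .1, .2, ...) and found no certificate there whose subject matches the server certificate's issuer. A copy of the server's own certificate in that directory does not satisfy that lookup; the directory has to hold the issuer ("Thawte Premium Server CA") and anything above it up to a self-signed root. The script below is an added example for this thread, not code from fetchmail, OpenSSL or the posters. It takes the pop.gmx.net certificate posted above, parses it with a small DER walker (standard library only), and prints what fetchmail prints plus the two values the thread never computes: the MD5 certificate fingerprint (the form fetchmail's "key fingerprint" line and the sslfingerprint option use, to compare against the A6:57:... value in the log) and the name hash that decides which <hash>.N link the issuer lookup expects. Two assumptions are labelled in the code: the hash is computed the way OpenSSL 0.9.8 did it (MD5 over the DER-encoded name, what later releases print as `openssl x509 -issuer_hash_old`); OpenSSL 1.0.0 and later name the links with a different SHA-1-based hash that this script does not implement, so on such a system use `openssl x509 -noout -issuer_hash -in pop.gmx.net.pem` for the name to look for. The directory listing is a constructed list of the link names from the ls -l output above.

```python
"""Which <hash>.N file does the OpenSSL CApath lookup expect for this cert's issuer?
Added example for the thread; not fetchmail's or OpenSSL's code."""
import base64
import hashlib
import re

# Server certificate of pop.gmx.net exactly as posted in the thread.
LEAF_PEM = """-----BEGIN CERTIFICATE-----
MIIDUzCCArygAwIBAgIQDNZUbIDJ5EM+DVSd5AzXOjANBgkqhkiG9w0BAQUFADCB
zjELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJ
Q2FwZSBUb3duMR0wGwYDVQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UE
CxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhh
d3RlIFByZW1pdW0gU2VydmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNl
cnZlckB0aGF3dGUuY29tMB4XDTEwMDQyMjAwMDAwMFoXDTEzMDUwOTIzNTk1OVow
WDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJheWVybjEPMA0GA1UEBxQGTXVuaWNo
MREwDwYDVQQKFAhHTVggR21iSDEUMBIGA1UEAxQLcG9wLmdteC5uZXQwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAMu3VYZP3YqpNweeIp+zIYtAlYL9Nya5hq6j
k+ShUtukV1746nqJto70+4oNhCYJ33mMw+vS5fODjuggG+Z1xcL5YU8mUyG2E7fH
YkfNtHHMhRntN15ml7Kv3c52kmOI09r2psnlNPkkNx5shneON8jZfXYlqQq5Vq1l
Hz+jEjFrAgMBAAGjgaYwgaMwDAYDVR0TAQH/BAIwADBABgNVHR8EOTA3MDWgM6Ax
hi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlU2VydmVyUHJlbWl1bUNBLmNy
bDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwMgYIKwYBBQUHAQEEJjAk
MCIGCCsGAQUFBzABhhZodHRwOi8vb2NzcC50aGF3dGUuY29tMA0GCSqGSIb3DQEB
BQUAA4GBAF/BVQRh2QOAtH8491d2XIKqdRZNY4OUMh6qccb0xLGNTDx3E4iwoYHc
yi2axElQG+7VAEIbDftzfhVUttsPwLI0BM2Nvz6KkwnlrJmt9HuZOjyv9M6szCxX
jHqVXkTDtrvRzT3hHTLD63l4PAqAUDpR4Th4N23IyxpgVqmYZwoJ
-----END CERTIFICATE-----"""

# Constructed list: the symlink names from the "ls -l /etc/fetchmail/certs" in the thread.
CERTS_DIR_LISTING = ["09ca81a7.0", "2e4eed3c.0", "3a7f6b22.0", "415660c1.0",
                     "64d1f6f4.0", "64d1f6f4.1", "6cc3c4c3.0", "98ec67f0.0",
                     "9e6afd31.0", "c089bbbd.0", "ec4e2774.0"]

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}

def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def tlv(buf, pos=0):
    """One DER element at pos -> (tag, contents, whole element incl. header, next pos)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], buf[pos:end], end

def children(contents):
    out, pos = [], 0
    while pos < len(contents):
        tag, val, raw, pos = tlv(contents, pos)
        out.append((tag, val, raw))
    return out

def decode_oid(b):
    arcs, cur = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        cur = (cur << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def parse_name(contents):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> [(attr, text)]."""
    attrs = []
    for _, rdn, _ in children(contents):
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, val, _) = children(atv)
            attrs.append((OID_NAMES.get(decode_oid(oid), decode_oid(oid)), val.decode("latin-1")))
    return attrs

def parse_cert(pem):
    der = pem_to_der(pem)
    fields = children(children(tlv(der)[1])[0][1])     # Certificate -> tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2], fields[3], fields[4]   # after serial and sigalg
    return {"subject": parse_name(subject[1]), "subject_der": subject[2],
            "issuer": parse_name(issuer[1]), "issuer_der": issuer[2],
            "validity": tuple(v.decode() for _, v, _ in children(validity[1])),
            # fetchmail's "key fingerprint" / sslfingerprint: MD5 over the DER certificate
            "fingerprint_md5": ":".join("%02X" % b for b in hashlib.md5(der).digest())}

def dn_string(attrs):
    return "/" + "/".join("%s=%s" % kv for kv in attrs)

def name_hash_old(name_der):
    """Assumption: OpenSSL 0.9.8 X509_NAME_hash_old(), first 4 MD5 bytes of the DER Name
    read little-endian (what 1.0.0+ prints as -subject_hash_old / -issuer_hash_old)."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def capath_links(listing, name_hash):
    """Entries the CApath lookup would open for this hash: <hash>.0, <hash>.1, ... in order."""
    return sorted(e for e in listing if re.fullmatch(re.escape(name_hash) + r"\.\d+", e))

if __name__ == "__main__":
    cert = parse_cert(LEAF_PEM)
    print("subject    :", dn_string(cert["subject"]))
    print("issuer     :", dn_string(cert["issuer"]))
    print("valid      : %s .. %s" % cert["validity"])
    print("fingerprint:", cert["fingerprint_md5"])       # compare with the fetchmail log line
    h = name_hash_old(cert["issuer_der"])
    print("issuer must be in sslcertpath as %s.N (old-style hash); found: %s"
          % (h, capath_links(CERTS_DIR_LISTING, h) or "nothing"))
```

If the printed issuer hash is not among the link names, either the issuer certificate is not in the directory at all, or the links were made with the other hash scheme than the one the OpenSSL fetchmail is linked against uses; `openssl verify -CApath /etc/fetchmail/certs pop.gmx.net.pem` exercises the same lookup from the shell and is the quickest end-to-end check. The 64d1f6f4.0 / 64d1f6f4.1 pair in the listing shows why the lookup walks the .N suffixes: two files with the same subject name hash get consecutive suffixes, and OpenSSL tries each until one's subject actually matches.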