On Saturday 02 October 2010 11:31:38 meino.cra...@gmx.de wrote:
> Hi,
> 
> fetchmail's log told me that there is something wrong with the setup
> of the certificates.
> 
> In the log there is the following section
>     fetchmail: Server certificate:
>     fetchmail: Issuer Organization: Thawte Consulting cc
>     fetchmail: Issuer CommonName: Thawte Premium Server CA
>     fetchmail: Subject CommonName: pop.gmx.net
>     fetchmail: pop.gmx.net key fingerprint: A6:57:BC:4A:97:AD:DB:99:00:E9:3A:B8:81:55:D7:B6
>     fetchmail: Server certificate verification error: unable to get local issuer certificate
>     fetchmail: This means that the root signing certificate (issued for /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
>     fetchmail: Server certificate:
>     fetchmail: Issuer Organization: Thawte Consulting cc
>     fetchmail: Issuer CommonName: Thawte Premium Server CA
>     fetchmail: Subject CommonName: pop.gmx.net
>     fetchmail: Server certificate verification error: certificate not trusted
>     fetchmail: Server certificate:
>     fetchmail: Issuer Organization: Thawte Consulting cc
>     fetchmail: Issuer CommonName: Thawte Premium Server CA
>     fetchmail: Subject CommonName: pop.gmx.net
>     fetchmail: Server certificate verification error: unable to verify the first certificate
>     fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> 
> 
> Beforehand I did the following:
> 
> From the output of this command
>     #> openssl s_client -connect pop.gmx.net:995 -showcerts
> 
> I copied the section
> 
> into a file "pop.gmx.net.pem" and copied this file into
> /etc/fetchmail/certs
> 
> Then I downloaded the whole package of root certificates from here
> https://www.verisign.com/support/thawte-roots.zip
> unpacked it and copied each *.pem file into /etc/fetchmail/certs also.
> I renamed the files with detox so that they do not contain blanks.
> 
> 
> Then I ran, as root, the command
>     $> c_rehash /etc/fetchmail/certs
> 
> I checked /etc/fetchmail/certs and found all files being symlinked to
> something which looks like hash keys (?).
> 
> c_hash does not submit any error message.
> 
> After this I added below the poll section of my accounts
> $HOME/.fetchmailrc the following line:
> 
>     sslcertpath /etc/fetchmail/certs
> 
> Nonetheless fetchmail complains about local certificates.
> 
> What do I have to do to fix this?
> 
> Best regards and thank you for any help in advance!
> mcc

Sendmail and I think fetchmail (haven't used the latter yet) do a strict check 
of certs against a local store.  The error above tells you to add to your 
.fetchmailrc the option of sslcertck.  Did you do that?

So your .fetchmailrc should show something like:

    user 'm...@gmx_whatever.com' with pass "123456" is 'mcc' here options ssl sslcertck sslcertpath '/etc/fetchmail/certs'

If you have done the above and it still does not work then the problem may be 
that the user you are running fetchmail as does not have read access to your 
/etc/fetchmail/certs.  Change that to a ~/fetchmail/.certs and it should work.

HTH.
-- 
Regards,
Mick
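
A way to check the certificate directory discussed in this thread, as an added example that is not part of either message: OpenSSL looks up the issuer of a certificate in an sslcertpath-style directory by a `<hash>.N` file name, so the check below asks whether the issuer of the server certificate (not the server certificate itself) is present, readable by the current user, and leads to a verifiable chain. The function names, the throwaway CA and the host name pop.example.test are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Sample certificates are constructed.

# make_demo DIR: throwaway root CA plus a server certificate signed by it.
make_demo() {
    d=$1; mkdir -p "$d/store"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# link_cert PEM DIR: what c_rehash does for one file, a link named <subject_hash>.0
# (c_rehash uses .1, .2, ... when hashes collide; not handled here).
link_cert() {
    h=$(openssl x509 -noout -subject_hash -in "$1") || return 2
    cp "$1" "$2/" && ln -sf "$(basename "$1")" "$2/$h.0"
}

# check_store CERT DIR: 0 if CERT's issuer is in DIR and the chain verifies,
# 1 if the issuer is missing or untrusted, 2 if DIR or CERT cannot be read.
check_store() {
    cert=$1; dir=$2
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "user $(id -un) cannot read $dir"; return 2
    fi
    ihash=$(openssl x509 -noout -issuer_hash -in "$cert") || return 2
    found=no
    for link in "$dir/$ihash".*; do
        [ -r "$link" ] || continue      # unmatched glob or unreadable target
        # The file name is only a lookup key; confirm the subject really matches.
        [ "$(openssl x509 -noout -subject_hash -in "$link")" = "$ihash" ] && found=yes
    done
    if [ "$found" = no ]; then
        echo "no readable $ihash.N in $dir: issuer of $cert is not in the store"
        return 1
    fi
    openssl verify -CApath "$dir" "$cert" >/dev/null 2>&1 && return 0
    echo "issuer present, but the chain up to a self-signed root does not verify"
    return 1
}
```

Run `check_store` as the same user that runs fetchmail, passing the saved server certificate and the sslcertpath directory.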
