On 10/22/10 23:21, Joseph wrote:
I'm using fetchmail to pull mail from Google, but lately I've been getting this
error:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
I've tried to set option "sslcertck" in fetchmailrc
poll pop.gmail.com with proto POP3 and options no dns user
'syscon...@gmail.com' password 'xxxxxxxxxxx' options ssl sslcertck
but it gives me an error.
How to use this option?
--
Joseph
I used this command to obtain the certificates:
openssl s_client -connect pop.gmail.com:995 -showcerts
So I assumed the top certificate is Google's and
the bottom one is Equifax's.
Can anybody verify it? Someone suggested that the bottom one is not the Equifax
certificate.
---------copy-----------------
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1845 bytes and written 393 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: D2227C802AE50894125E4D2BE3295D40025ABFA985C502640AF686D280B63666
Session-ID-ctx:
Master-Key:
54B347573E88624564E4ECBD278DE5F6A8DE99568C328047C3A5D7378B011384FE270752012731B00018C455FD73AF25
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
Start Time: 1287859532
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 68.148.245.78 f8pf20461688ibu.31
-ERR bad command f8pf20461688ibu.31
read:errno=0
-----------end copy---------------
--
Joseph
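
Added example, not part of Joseph's message: a shell function that reads `openssl s_client -showcerts` output, labels each certificate from its `s:` (subject) and `i:` (issuer) lines, and names the issuer the server did not send, which is the CA that has to be in the local trusted store the fetchmail error refers to (--sslcertpath / --sslcertfile). The names `sample_chain` and `chain_summary` are made up for this example; the sample lines are the subject/issuer lines from the output above, with the certificate bodies left out.

```shell
#!/bin/sh
# Added example: label each certificate in the "Certificate chain" section
# of `openssl s_client -showcerts` output and name the issuer not sent.

# Subject/issuer lines copied from the s_client output quoted above.
sample_chain() {
cat <<'EOF'
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
EOF
}

# Reads s_client output on stdin; prints one line per certificate the server
# sent, then the issuer that must come from the local trust store.
chain_summary() {
awk '
  /^Certificate chain/ { in_chain = 1; next }
  /^---$/              { in_chain = 0 }      # PEM markers have 5 dashes
  !in_chain            { next }
  /^ *[0-9]+ s:/ {                           # "<depth> s:<subject>"
      depth = $1 + 0; n = depth + 1
      sub(/^ *[0-9]+ s:/, ""); subj[depth] = $0; sent[$0] = 1
      next
  }
  /^ *i:/ { sub(/^ *i:/, ""); iss[depth] = $0 }   # issuer of current depth
  END {
      for (d = 0; d < n; d++) {
          role = (d == 0) ? "leaf" : "intermediate"
          if (subj[d] == iss[d]) role = "self-signed root"
          printf "cert %d (%s): %s\n", d, role, subj[d]
          if (d > 0 && subj[d] != iss[d-1])
              printf "  warning: cert %d is not the issuer of cert %d\n", d, d-1
      }
      if (n > 0 && !(iss[n-1] in sent))
          printf "not sent, needed locally: %s\n", iss[n-1]
  }'
}

sample_chain | chain_summary
```

On a live connection the same function can be fed directly: `openssl s_client -connect pop.gmail.com:995 -showcerts </dev/null | chain_summary`.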