Re: Strange messages by fetchmail: Server certificate verification error

2008-11-11 Thread David Kelly
On Mon, Nov 10, 2008 at 10:52:41PM -0800, Jeremy Chadwick wrote:
> On Tue, Nov 11, 2008 at 07:18:31AM +0100, Polytropon wrote:
>
> Secondly, this is a very, very common question on the fetchmail-users
> public mailing list (not at freebsd.org).  Google returns hundreds of
> results for unable to get local issuer fetchmail.

Perhaps now but it wasn't as common a couple of weeks ago when it bit
me.

> These messages mean that the POP3+SSL or IMAP+SSL server's SSL certs
> cannot be verified by fetchmail.  What you see are warnings, not
> errors, which is why fetching mail works regardless.  It's recommended
> you fix the warnings.

Yes, they were warnings that TLS failed and that it fell back to
unencrypted plain password.  :-(   Run fetchmail -v and see precisely
what the failure was and the solution.

> fetchmail-6.3.8_7, and a couple earlier versions (I would have to check
> to see when it was added), include security/ca_root_nss as a dependency.

I already had that but still had the problem.

> That port includes a list of common public CAs which certificates (on
> the server) can be verified against.

Running fetchmail -v I saw that I needed Equifax Secure Global
eBusiness CA-1 which was apparently lacking from ca_root_nss.
Downloaded from Equifax (Safari on MacOS was happy with their cert) and
added them myself to /usr/local/certs. Some instructions said one must
run some sort of indexing utility against the certs. I found the utility
somewhere practically hidden and tried it. Generated files unlike
anything I had previously. Deleted extra and everything works anyway.

-- 
David Kelly N4HHE, [EMAIL PROTECTED]

Whom computers would destroy, they must first drive mad.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Strange messages by fetchmail: Server certificate verification error

2008-11-10 Thread Polytropon
Hi,

when I installed my new FreeBSD 7 system along with fetchmail-6.3.8_4,
no matter what I do I get these messages:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
fetchmail: No mail for foo at pop.bar.com
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
fetchmail: No mail for pups at pop.furz.com

But message retrieval works fine. I do get them from every POP3 server
I have in the list.

On my older FreeBSD 5 system with fetchmail-6.2.5_2, I don't get these
messages, but message retrieval works there as well - with the same
configuration files (~/.fetchmailrc).

How can I get rid of these messages? Is it possible *not* to use any
certification, just the way the older fetchmail version seemed to
do?


-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Strange messages by fetchmail: Server certificate verification error

2008-11-10 Thread Glen Barber
On Tue, Nov 11, 2008 at 1:18 AM, Polytropon [EMAIL PROTECTED] wrote:
> Hi,
>
> when I installed my new FreeBSD 7 system along with fetchmail-6.3.8_4,
> no matter what I do I get these messages:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for foo at pop.bar.com
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for pups at pop.furz.com
>
> But message retrieval works fine. I do get them from every POP3 server
> I have in the list.
>
> On my older FreeBSD 5 system with fetchmail-6.2.5_2, I don't get these
> messages, but message retrieval works there as well - with the same
> configuration files (~/.fetchmailrc).
>
> How can I get rid of these messages? Is it possible *not* to use any
> certification, just the way the older fetchmail version seemed to
> do?

IIRC, when I used fetchmail and saw similar messages, installing the
'CA Root Certificate' port did the trick.  I believe it is security/ca
or something similar. (Not in front of my BSD box ATM.)


-- 
Glen Barber

If you have any trouble sounding condescending, find a Unix user to
show you how it's done.
 --Scott Adams


Re: Strange messages by fetchmail: Server certificate verification error

2008-11-10 Thread Jeremy Chadwick
On Tue, Nov 11, 2008 at 07:18:31AM +0100, Polytropon wrote:
> when I installed my new FreeBSD 7 system along with fetchmail-6.3.8_4,
> no matter what I do I get these messages:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for foo at pop.bar.com
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for pups at pop.furz.com
>
> But message retrieval works fine. I do get them from every POP3 server
> I have in the list.
>
> On my older FreeBSD 5 system with fetchmail-6.2.5_2, I don't get these
> messages, but message retrieval works there as well - with the same
> configuration files (~/.fetchmailrc).
>
> How can I get rid of these messages? Is it possible *not* to use any
> certification, just the way the older fetchmail version seemed to
> do?

First and foremost: this should have gone to freebsd-ports, because
you're indirectly complaining about ports.  :-)  I've changed the
mailing list.

Secondly, this is a very, very common question on the fetchmail-users
public mailing list (not at freebsd.org).  Google returns hundreds of
results for unable to get local issuer fetchmail.  This web page may
be of help:

http://bronski.net/data/fetchmail-eng.php

These messages mean that the POP3+SSL or IMAP+SSL server's SSL certs
cannot be verified by fetchmail.  What you see are warnings, not errors,
which is why fetching mail works regardless.  It's recommended you fix
the warnings.

fetchmail-6.3.8_7, and a couple earlier versions (I would have to check
to see when it was added), include security/ca_root_nss as a dependency.
That port includes a list of common public CAs which certificates (on
the server) can be verified against.  Public CA verification costs money
and ultimately amounts to jack squat (they give you no added form of
security) -- however, public CAs are recommended for public-facing
SSL-based things (HTTPS, POP3S/IMAPS, etc.).  I cannot imagine telling
any of my users "Oh yeah, you gotta download our self-signed cert before
it'll work."  The response will be "What is a certificate?" or "Um, I
have no idea what any of that means or how to do it."

That said: there's a good chance the servers you're fetching mail from
do not have their certificates signed by a public CA; possibly they're
self-signed (by their own CA), in which case you need to download a copy
of the CA and tell fetchmail about it.  The server administrator should
be able to discuss this with you -- talk to them.

fetchmail changes severely between minor versions, which is probably why
your other box running an older fetchmail does not induce this error.
I'm willing to bet SSL certification verification was enabled between
the two versions.

-- 
| Jeremy Chadwick   jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |
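
How OpenSSL finds an issuer in a certificate directory, which is the job of the indexing utility mentioned in this thread. This is an added shell example, not code from any poster; the throwaway CA, the server certificate and all file names are constructed, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example. Every name here (Demo Root CA, pop.example.test,
# demo-root.pem) is constructed; nothing contacts a real server.

# Build a throwaway root CA and a server certificate signed by it in $1.
make_demo_pki() {
    mkdir -p "$1/certs" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a CA found in directory $1.
# Matches the "<file>: OK" line that openssl verify prints on success.
verify_with_dir() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# What the indexing tool (c_rehash, or "openssl rehash") does for one file:
# link <subject-hash>.0 to it, the name OpenSSL looks up in a CApath directory.
index_cert() {
    h=$(openssl x509 -noout -hash -in "$1/$2") && ln -sf "$2" "$1/$h.0"
}

demo() {
    w=$(mktemp -d) && make_demo_pki "$w" || return 1
    cp "$w/ca.pem" "$w/certs/demo-root.pem"      # CA copied in, not indexed
    verify_with_dir "$w/certs" "$w/srv.pem" && before=ok || before=fail
    index_cert "$w/certs" demo-root.pem          # add the hash-named link
    verify_with_dir "$w/certs" "$w/srv.pem" && after=ok || after=fail
    rm -rf "$w"
    echo "before_index=$before after_index=$after"
}
demo
```

The first check fails with the same "unable to get local issuer certificate" condition fetchmail reports. fetchmail's `sslcertpath` option names a directory that is searched in this hashed form.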



Re: Strange messages by fetchmail: Server certificate verification error

2008-11-10 Thread Jeremy Chadwick
On Mon, Nov 10, 2008 at 10:52:41PM -0800, Jeremy Chadwick wrote:
> First and foremost: this should have gone to freebsd-ports, because
> you're indirectly complaining about ports.  :-)  I've changed the
> mailing list.

And that's what I get for being hasty.  Oh well, let's keep this on
-questions for now, since I've already managed to botch it up.

-- 
| Jeremy Chadwick   jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Strange messages by fetchmail: Server certificate verification error

2008-11-10 Thread Polytropon
On Mon, 10 Nov 2008 22:52:41 -0800, Jeremy Chadwick [EMAIL PROTECTED] wrote:
> First and foremost: this should have gone to freebsd-ports, because
> you're indirectly complaining about ports.  :-)

Yes, sorry I did. I didn't find anything to complain about FreeBSD
in particular. :-)



> That said: there's a good chance the servers you're fetching mail from
> do not have their certificates signed by a public CA; possibly they're
> self-signed (by their own CA), in which case you need to download a copy
> of the CA and tell fetchmail about it.  The server administrator should
> be able to discuss this with you -- talk to them.

The mailservers are run by Germany's top Internet company that
brings the Internet to the masses, it's the one with the two
digits and the ampersand. Quality isn't their game. :-)



> fetchmail changes severely between minor versions, which is probably why
> your other box running an older fetchmail does not induce this error.
> I'm willing to bet SSL certification verification was enabled between
> the two versions.

I think so, too.

Finally, I did portupgrade ca_root_nss to 3.11.9_2, now everything
works as intended. So the problem is solved and I made a written
note to my holy pages how this problem could be solved.




-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...