How to make fetchmail happy with the server’s SSL cert

Have you tried running fetchmail against a POP3S server and gotten these messages over and over?

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Congratulations, you are not alone. Looking around, I see a lot of people having this problem and the answers are usually not as clear as they could be. Let’s see if I can make it less clear, too.

  1. Make sure a recent openssl is installed and your fetchmail is linked against it, etc, etc
  2. Run “openssl s_client -connect pop.gmail.com:995 -showcerts” (hit enter after the output to exit)
  3. Cut and paste the stuff between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines (inclusive) into a file pop.gmail.com.pem
  4. Review the rest of the output for the “issuer=” line (in this case, “Equifax Secure Certificate Authority”)
  5. Go here and grab the “Base-64 encoded X.509” version of the cert for “Equifax Secure Certificate Authority”
  6. Rename that file with a “.pem” extension
  7. Make a certs directory somewhere (e.g. /usr/local/etc/fetchmail/certs) and put both files in it
  8. Run “c_rehash /usr/local/etc/fetchmail/certs”
  9. Add this to your .fetchmailrc under the “poll” section for this server: “sslcertck sslcertpath /usr/local/etc/fetchmail/certs”
  10. Run “fetchmail -v” and see if the warnings are gone!

You will need to do this for each server that you poll with SSL (both the server and its issuer’s PEM).
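
Steps 2 to 4 can be scripted once the s_client output is saved to a file. The following is an added example, not part of the original post: it goes beyond the single-certificate case above by handling servers that send several certificates, and the function names, host name and sample output are made up for illustration.

```shell
#!/bin/sh
# Added example: process saved `openssl s_client -showcerts` output (steps 2-4).

# Constructed sample in the old "s:/i:" layout; the bodies are placeholders,
# not real certificates, and every name in it is made up.
sample_showcerts() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=XX/O=Example Mail/CN=pop.example.test
   i:/C=XX/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFBODY0000
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example Intermediate CA
   i:/C=XX/O=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATEBODY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=XX/O=Example Mail/CN=pop.example.test
issuer=/C=XX/O=Example Intermediate CA
---
EOF
}

# split_showcerts FILE DIR PREFIX: write block N to DIR/PREFIX.N.pem (0 is the
# server's own certificate, which s_client prints first); print the block count.
split_showcerts() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" -v pre="$3" '
        /^-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%s.%d.pem", dir, pre, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) { close(out); n++; inside = 0 } }
        END { print n + 0 }
    ' "$1"
}

# missing_issuer FILE: issuer of the last certificate the server sent, i.e. the
# CA certificate you still have to obtain from the CA itself (step 5).
missing_issuer() {
    sed -n 's/^ *i://p' "$1" | tail -n 1
}

# Demo on the constructed sample.
demo=$(mktemp -d)
sample_showcerts > "$demo/showcerts.txt"
echo "saved: $(split_showcerts "$demo/showcerts.txt" "$demo/certs" pop.example.test) file(s)"
echo "still needed: $(missing_issuer "$demo/showcerts.txt")"
```

After the CA file is in the directory and c_rehash has run, “openssl verify -CApath /usr/local/etc/fetchmail/certs /usr/local/etc/fetchmail/certs/pop.gmail.com.pem” should report OK before you rely on sslcertck. The certificate copied from s_client came over an unverified connection, so the CA file fetched separately is what actually anchors the trust.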
