How to make fetchmail happy with the server’s SSL cert

Have you tried running fetchmail against a POP3S server and gotten these messages over and over?

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Congratulations, you are not alone. Looking around, I see a lot of people having this problem and the answers are usually not as clear as they could be. Let’s see if I can make it less clear, too.

  1. Make sure a recent openssl is installed and your fetchmail is linked against it, etc, etc
  2. Run “openssl s_client -connect pop.gmail.com:995 -showcerts” (hit enter after the output to exit)
  3. Cut and paste the stuff between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines (inclusive) into a file pop.gmail.com.pem
  4. Review the rest of the output for the “issuer=” line (in this case, “Equifax Secure Certificate Authority”)
  5. Go here and grab the “Base-64 encoded X.509” version of the cert for “Equifax Secure Certificate Authority”
  6. Rename that file with a “.pem” extension
  7. Make a certs directory somewhere (e.g. /usr/local/etc/fetchmail/certs) and put both files in it
  8. Run “c_rehash /usr/local/etc/fetchmail/certs”
  9. Add this to your .fetchmailrc under the “poll” section for this server: “sslcertck sslcertpath /usr/local/etc/fetchmail/certs”
  10. Run “fetchmail -v” and see if the warnings are gone!

    You will need to do this for each server that you poll with SSL (both the server and its issuer’s PEM).
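The steps above, scripted, as an added example that is not from the original post: it pulls the chain with s_client, splits every BEGIN/END block into its own PEM file in the certs directory, picks out the “issuer=” line, rehashes the directory and then runs “openssl verify” against it, which fails with the same “unable to get local issuer certificate” message until the issuer's CA PEM has been dropped into the directory as well. It assumes openssl and c_rehash are installed; CERTDIR is the post's example path and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Collects a POP3S server's
# certificate chain into a fetchmail sslcertpath directory, rehashes it and
# checks that the server cert really verifies against what is in there.
CERTDIR="${CERTDIR:-/usr/local/etc/fetchmail/certs}"   # path from the post

# Split "openssl s_client -showcerts" output (stdin) into one PEM file per
# certificate: $1/$2.0.pem is the server cert, $1/$2.1.pem the next one up
# the chain, and so on. Prints how many certificates were written.
split_chain() {
    dir="$1"; host="$2"; n=0; inblock=0
    mkdir -p "$dir"
    while IFS= read -r line; do
        case "$line" in
            "-----BEGIN CERTIFICATE-----") inblock=1; : > "$dir/$host.$n.pem" ;;
        esac
        [ "$inblock" -eq 1 ] && printf '%s\n' "$line" >> "$dir/$host.$n.pem"
        case "$line" in
            "-----END CERTIFICATE-----") inblock=0; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print the issuer DN from s_client output (stdin): that is the CA whose
# PEM must also end up in CERTDIR before verification can succeed.
issuer_of() {
    sed -n 's/^issuer=//p' | head -n 1
}

# Talk to the server; </dev/null ends the session right after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:${2:-995}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Whole procedure for one server. Exits non-zero while the issuer's CA PEM
# is still missing from CERTDIR, i.e. exactly when fetchmail would complain.
install_chain() {
    host="$1"
    out=$(fetch_chain "$host" "$2")
    count=$(printf '%s\n' "$out" | split_chain "$CERTDIR" "$host")
    echo "saved $count certificate(s); issuer: $(printf '%s\n' "$out" | issuer_of)"
    c_rehash "$CERTDIR" >/dev/null     # creates the <hash>.0 links fetchmail looks up
    openssl verify -CApath "$CERTDIR" "$CERTDIR/$host.0.pem"
    # then in .fetchmailrc: poll $host ... ssl sslcertck sslcertpath $CERTDIR
}

# Usage: install_chain pop.gmail.com 995
```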


10 Responses to How to make fetchmail happy with the server’s SSL cert

  1. MLe56 says:

    Thank you for this tip. But I don’t understand what must I insert in the second file. In your example I get:

    ….
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
    issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

    No client certificate CA names sent

    SSL handshake has read 883 bytes and written 318 bytes

    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    …..

    Which lines should I insert in the second file?

    Matthias


  2. superbodoh says:

    you can add ca-certificates package: apt-get install ca-certificates

    fetchmail: Server certificate verification error: unable to get local issuer certificate

    it means your box doesn’t have the root certificates needed to verify whether the other side certificates are correct (in this case the Equifax root certificates)

    and don’t forget to create the symbolic link

    c_rehash /path/to/pem/folder/


  3. I got success in first step of creating pem file from Begin Certificate and End Certificate lines. But I did not understand your second step of grab the “Base-64 encoded X.509”. Could you please help me on this as my ISP is using its own certificate.

    Thanks.


  4. greenpossum says:

    On my system (openSUSE 11.3, but probably others too), I added pop.gmail.com.pem to /etc/ssl/certs and did a c_rehash on that directory. The Equifax CA cert is already in that directory. Then I told fetchmail to use that cert directory.

    The disadvantage of using /etc/ssl/certs is that you have to remember to readd gmail’s cert if you ever reinstall your OS.


  5. Gorge7777 says:

    The solution at this URL is cleaner and works without having to modify fetchmail.
    http://blog.sandipb.net/2009/08/08/adding-new-ca-certificates-in-ubuntu-jaunty/


  6. LF says:

    Thank you. This is just what I was looking for. It worked very nicely.

    I get around the problem of “/usr/local/etc” being wiped out when I install a new Linux distribution as follows:
    (a) My “/home” directory is on its own partition.
    (b) I’ve created “/home/usr/local” containing, among other directories, “etc”.
    (c) I link “/home/usr/local/etc” to “/usr/local/etc”, that is, “/usr/local/etc -> /home/usr/local/etc”.
    (d) Then, whenever I install a new Linux distribution on another partition, I make sure to create the links in “/usr/local” and away I go.


  7. Postfix & Dovecot: creating self-signed SSL certificates

    A year has gone by and I still haven’t got myself a proper certificate, so the self-signed certs will have to do again. So that I don’t forget again what I did by the next time, I’ve written the whole thing up in this ar…
