How to make fetchmail happy with the server’s SSL cert

June 29, 2007

Have you tried running fetchmail against a POP3S server and gotten these messages over and over?

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Congratulations, you are not alone. Looking around, I see a lot of people having this problem and the answers are usually not as clear as they could be. Let’s see if I can make it less clear, too.

  1. Make sure a recent openssl is installed and your fetchmail is linked against it, etc, etc
  2. Run “openssl s_client -connect pop.gmail.com:995 -showcerts” (hit enter after the output to exit)
  3. Cut and paste the stuff between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines (inclusive) into a file pop.gmail.com.pem
  4. Review the rest of the output for the “issuer=” line (in this case, “Equifax Secure Certificate Authority”)
  5. Go here and grab the “Base-64 encoded X.509” version of the cert for “Equifax Secure Certificate Authority”
  6. Rename that file with a “.pem” extension
  7. Make a certs directory somewhere (e.g. /usr/local/etc/fetchmail/certs) and put both files in it
  8. Run “c_rehash /usr/local/etc/fetchmail/certs”
  9. Add this to your .fetchmailrc under the “poll” section for this server: “sslcertck sslcertpath /usr/local/etc/fetchmail/certs”
  10. Run “fetchmail -v” and see if the warnings are gone!

You will need to do this for each server that you poll with SSL (both the server’s PEM and its issuer’s PEM).
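The cut-and-paste, c_rehash and verification steps above, scripted, as an added example that is not from the original post: it splits a saved “openssl s_client -showcerts” transcript into one PEM file per certificate, pulls out the “issuer=” line, and checks that the server certificate verifies against the rehashed directory before fetchmail is pointed at it. The sample transcript, its placeholder certificate bodies and all file names are constructed for this example.

```shell
#!/bin/sh
# Example helpers for the fetchmail sslcertpath setup (not from the post).

# split_certs TRANSCRIPT OUTDIR: write OUTDIR/cert-1.pem, cert-2.pem, ...
# (one per BEGIN/END CERTIFICATE block) and print how many were written.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# issuer_of TRANSCRIPT: print the first "issuer=" line without its prefix.
issuer_of() {
    sed -n 's/^issuer=//p' "$1" | head -n 1
}

# verify_dir CERTDIR SERVER_PEM: hash the directory the way the post's
# c_rehash step does, then confirm the server cert chains to a cert in it.
verify_dir() {
    if command -v c_rehash >/dev/null 2>&1; then
        c_rehash "$1" >/dev/null
    else
        openssl rehash "$1"   # OpenSSL 1.1+ replacement for c_rehash
    fi
    openssl verify -CApath "$1" "$2"
}

# sample_transcript FILE: constructed s_client output for testing the parser;
# the base64 bodies are placeholders, not real certificates.
sample_transcript() {
    cat > "$1" <<'EOF'
Certificate chain
 0 s:/CN=pop.gmail.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIFAKESERVERCERTBODYPLACEHOLDER000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIFAKEISSUERCERTBODYPLACEHOLDER000000000000000000000000000000000
-----END CERTIFICATE-----
---
subject=/CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
EOF
}
```

For a real server, save the transcript with “openssl s_client -connect host:995 -showcerts </dev/null > transcript.txt”, run split_certs on it into your certs directory, and only add sslcertck once verify_dir reports OK.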