How to make fetchmail happy with the server’s SSL cert

June 29, 2007

Have you tried running fetchmail against a POP3S server and gotten these messages over and over?

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

Congratulations, you are not alone. Looking around, I see a lot of people having this problem and the answers are usually not as clear as they could be. Let’s see if I can make it less clear, too.

  1. Make sure a recent openssl is installed and your fetchmail is linked against it, etc, etc
  2. Run “openssl s_client -connect pop.gmail.com:995 -showcerts” (hit enter after the output to exit)
    Cut and paste the stuff between the “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” lines (inclusive) into a file pop.gmail.com.pem
    Review the rest of the output for the “issuer=” line (in this case, “Equifax Secure Certificate Authority”)
    Go here and grab the “Base-64 encoded X.509” version of the cert for “Equifax Secure Certificate Authority”
    Rename that file with a “.pem” extension
    Make a certs directory somewhere (i.e. /usr/local/etc/fetchmail/certs) and put both files in it
    Run “c_rehash /usr/local/etc/fetchmail/certs”
    Add this to your .fetchmailrc under the “poll” section for this server: “sslcertck sslcertpath /usr/local/etc/fetchmail/certs”
    Run “fetchmail -v” and see if the warnings are gone!

    You will need to do this for each server that you poll with SSL (both the server and its issuer’s PEM).

    Advertisements