fetchmail-users

[Fetchmail-users] Gmail SSL cert problem

[Chris <cpo...@em...>]

Using Fetchmail to poll the Gmail pop server. It's been working great
until I noticed this today:

fetchmail: Server certificate verification error: unable to get local
issuer certificate
fetchmail: Broken certification chain at: /OU=GlobalSign Root CA -
R2/O=GlobalSign/CN=GlobalSign
fetchmail: This could mean that the server did not provide the
intermediate CA's certificate(s), which is nothing fetchmail could do
anything about.  For details, please see the README.SSL-SERVER document
that ships with fetchmail.
fetchmail: This could mean that the root CA's signing certificate is
not in the trusted CA certificate location, or that c_rehash needs to
be run on the certificate directory. For details, please see the
documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
fetchmail: SSL connection failed.

As it says above, it's not a Fetchmail problem, I realize that. What I
need to do apparently is get hold of a new 'googlepop.pem certificate
which I've been googling for the past few hours and can't find it. Does
anyone have any idea where to locate a new certificate?

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
19:37:52 up 12 days, 8:39, 1 user, load average: 1.47, 1.06, 0.79
Description:	Ubuntu 16.04.3 LTS, kernel 4.10.0-40-generic

Re: [Fetchmail-users] Gmail SSL cert problem

[grarpamp <gra...@gm...>]

Maybe you changed fetchmail config, [auto] updated
or changed some OS bits or CA bundle, etc we
don't know why. Maybe G2 / G3 cert lost.
And google has been changing things too.

You can get google intermediates here
https://pki.google.com/
https://pki.goog/
https://security.googleblog.com/

Or from URL's in the server cert
openssl s_client -connect pop.gmail.com:pop3s < /dev/null
openssl x509 -text -in <certfile>

Also consider fetchmail fingerprint / certfiles options
to avoid some various types of attack.

Search these things to learn more as needed.

Re: [Fetchmail-users] Gmail SSL cert problem

[Chris <cpo...@em...>]

On Tue, 2017-12-05 at 01:42 -0500, grarpamp wrote:
> Maybe you changed fetchmail config, [auto] updated
> or changed some OS bits or CA bundle, etc we
> don't know why. Maybe G2 / G3 cert lost.
> And google has been changing things too.
> 
> You can get google intermediates here
> https://pki.google.com/
> https://pki.goog/
> https://security.googleblog.com/
> 
> Or from URL's in the server cert
> openssl s_client -connect pop.gmail.com:pop3s < /dev/null
> openssl x509 -text -in <certfile>
> 
> Also consider fetchmail fingerprint / certfiles options
> to avoid some various types of attack.
> 
> Search these things to learn more as needed.
> 
Thank you, I finally got it to working again. I went into my certs on
Firefox and exported these:

GlobalSignCloudSSLCA-SHA256-G3.crt
GlobalSignDomainValidationCA-SHA256-G2.crt
GlobalSignECCRootCA-R4.crt
GlobalSignECCRootCA-R5.crt
GlobalSignExtendedValidationCA-SHA256-G2.crt
GlobalSignOrganizationValidationCA-SHA256-G2.crt
GlobalSignRootCA-R2.crt
GlobalSignRootCA-R3.crt
GoogleInternetAuthorityG2.crt
GoogleInternetAuthorityG3.crt

and ran c_rehash ~/certs/.certs. I doubt all of the above were really
needed to fix the issue and I probably should have done one at a time
until it was fixed.

Chris

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
11:37:02 up 13 days, 38 min, 1 user, load average: 1.26, 1.24, 1.25
Description:	Ubuntu 16.04.3 LTS, kernel 4.10.0-40-generic