From: Richard <rch...@aa...> - 2007-03-19 00:40:55
Hi, I am running CentOS 4.4 all up to date - and using fetchmail 6.2.5 to consolidate various email accounts. I am a recently reformed Windows system admin and use Webmin to administer the CentOS machine.

Whenever I receive (reasonable) errors in my fetchmail log - I also get the following warnings:

fetchmail: 6.2.5 querying pop.gmail.com (protocol POP3) at Fri Mar 16 20:50:15 2007: poll started
fetchmail: Issuer Organization: Equifax
fetchmail: Unknown Issuer CommonName
fetchmail: Server CommonName: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
fetchmail: Warning: server certificate verification: unable to get local issuer certificate
fetchmail: Issuer Organization: Equifax
fetchmail: Unknown Issuer CommonName
fetchmail: Server CommonName: pop.gmail.com
fetchmail: Warning: server certificate verification: certificate not trusted
fetchmail: Issuer Organization: Equifax
fetchmail: Unknown Issuer CommonName
fetchmail: Server CommonName: pop.gmail.com
fetchmail: Warning: server certificate verification: unable to verify the first certificate
fetchmail: POP3< +OK Gpop ready for requests from 202.72.167.234 7pf2474781nzn
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
fetchmail: POP3< EXPIRE 0
fetchmail: POP3< LOGIN-DELAY 300
fetchmail: POP3< X-GOOGLE-VERHOEVEN
fetchmail: POP3< UIDL
fetchmail: POP3< .
fetchmail: POP3> USER cha...@gm...
fetchmail: POP3< +OK send PASS
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Welcome.
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for cha...@gm... at pop.gmail.com
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Farewell.
fetchmail: 6.2.5 querying pop.gmail.com (protocol POP3) at Fri Mar 16 20:50:21 2007: poll completed

This appears to be telling me that the CentOS system does not trust Google's certificate issuer.

I realise this may not be the best forum - but does anyone know how I can establish the trust to avoid these warnings?

Thanks
Richard.

From: Hannes E. <h....@gm...> - 2007-03-19 10:00:39
Hi Richard,

> fetchmail: Issuer Organization: Equifax
> fetchmail: Unknown Issuer CommonName
> fetchmail: Server CommonName: pop.gmail.com
> fetchmail: pop.gmail.com key fingerprint:
> 59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
> fetchmail: Warning: server certificate verification: unable to get local
> issuer certificate

This means fetchmail cannot find Equifax's public certificate on your computer.

You need to either:

1. disable the certificate chain check by specifying the certificate's (pop.gmail.com's) fingerprint on the account using sslfingerprint, or
2. place the (equinox root) certificate in your system's certificate store, usually /etc/ssl, and run c_rehash (an openssl tool) there. It is also possible to specify another directory using sslcertpath if you do not want to make the root equinox certificate available to all your users.

HTH,

-hannes

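The second option above, worked through offline as an added example (not part of the original thread and not fetchmail's own code). It assumes a throwaway CA standing in for the real root certificate; the names Example CA, pop.example.test and example-ca.pem are hypothetical, and the hash link is made by hand to show what c_rehash does for each file.

```sh
#!/bin/sh
# Added example. The CA and server certificate are constructed throwaways;
# names, paths and the 2-day lifetime are assumptions. Nothing touches the network.
set -e

make_demo_pki() {   # $1 = work dir; writes ca.pem (issuer) and srv.pem (server)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/O=Example CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null
}

verify_against() {  # $1 = hashed certificate directory, $2 = certificate to check
    openssl verify -CApath "$1" "$2" 2>&1 || true
}

install_ca() {      # $1 = CA certificate (PEM), $2 = certificate directory
    # What c_rehash does per file: OpenSSL looks issuers up by <subject-hash>.0
    hash=$(openssl x509 -in "$1" -noout -hash)
    cp "$1" "$2/example-ca.pem"
    ln -sf example-ca.pem "$2/$hash.0"
}

fingerprint_md5() { # $1 = certificate; colon-separated MD5, as in fetchmail's log line
    openssl x509 -in "$1" -noout -fingerprint -md5 | cut -d= -f2
}

work=$(mktemp -d)
mkdir "$work/certs"                 # stands in for the sslcertpath directory
make_demo_pki "$work"
echo "empty store : $(verify_against "$work/certs" "$work/srv.pem" | tail -n 1)"
install_ca "$work/ca.pem" "$work/certs"
echo "after hash  : $(verify_against "$work/certs" "$work/srv.pem" | tail -n 1)"
echo "fingerprint : $(fingerprint_md5 "$work/srv.pem")"
rm -rf "$work"
```

With the real root certificate in place of ca.pem, the certs directory is what sslcertpath would point at, and the fingerprint line has the same form as the value sslfingerprint takes.
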
From: Richard <rch...@aa...> - 2007-03-19 12:35:32
Thanks Hannes

I am pretty confused about how the certificate stores work in Linux. The attached screenshot shows that firefox knows all about several Equifax certificates on the linux machine.

1) Does firefox have a separate store?
2) Could these three certificates all be the wrong ones?
3) How do the firefox certificates get there? I didn't manually load them. Do they come as part of the firefox package?
4) If I need to manually load the Equifax certificate into openssl - do you know where I get the Public Equifax certificate from?
5) I don't seem to have /etc/ssl. Any other guesses? How do I find out where the store is? I'm pretty sure openssl is installed.

Thanks Hannes

Richard.

-----Original Message-----
From: fet...@li... [mailto:fet...@li...] On Behalf Of Hannes Erven
Sent: Monday, 19 March 2007 5:59 PM
To: fet...@li...
Subject: Re: [fetchmail-users] SSL Ceritficate errors in sendmail log

Hi Richard,

> fetchmail: Issuer Organization: Equifax
> fetchmail: Unknown Issuer CommonName
> fetchmail: Server CommonName: pop.gmail.com
> fetchmail: pop.gmail.com key fingerprint:
> 59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4
> fetchmail: Warning: server certificate verification: unable to get local
> issuer certificate

This means fetchmail cannot find Equifax's public certificate on your computer.

You need to either:

1. disable the certificate chain check by specifying the certificate's (pop.gmail.com's) fingerprint on the account using sslfingerprint, or
2. place the (equinox root) certificate in your system's certificate store, usually /etc/ssl, and run c_rehash (an openssl tool) there. It is also possible to specify another directory using sslcertpath if you do not want to make the root equinox certificate available to all your users.

HTH,

-hannes

_______________________________________________
fetchmail-users mailing list
fet...@li...
https://lists.berlios.de/mailman/listinfo/fetchmail-users

From: Rob M. <rob...@gm...> - 2007-03-19 18:47:30
On 3/19/07, Richard <rch...@aa...> wrote:
>
> Thanks Hannes
>
> I am pretty confused about how the certificate stores work in Linux. The
> attached screenshot shows that firefox knows all about several Equifax
> certificates on the linux machine.
> 1) Does firefox have a separate store?

Yes

> 2) Could these three certificates all be the wrong ones?
> 3) How do the firefox certificates get there? I didn't manually load them.
> Do they come as part of the firefox package?

Yes

> 4) If I need to manually load the Equifax certificate into openssl - do you
> know where I get the Public Equifax certificate from?

You could export it from Firefox

> 5) I don't seem to have /etc/ssl. Any other guesses? How do I find out where
> the store is? I'm pretty sure openssl is installed.

You may still have to create the directory, or create a sym link to its true location (on my box I have a sym link from /etc/ssl/cert.pem to /usr/local/share/certs/ca-cert.pem).

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he doesn't become a monster. Friedrich Nietzsche

From: Matthias A. <mat...@gm...> - 2007-03-19 21:58:37
Richard wrote:
> Thanks Hannes
>
> I am pretty confused about how the certificate stores work in Linux. The
> attached screenshot shows that firefox knows all about several Equifax
> certificates on the linux machine.
> 1) Does firefox have a separate store?

Yes.

> 3) How do the firefox certificates get there? I didn't manually load them.
> Do they come as part of the firefox package?

Some do.

> 4) If I need to manually load the Equifax certificate into openssl - do you
> know where I get the Public Equifax certificate from?

Obviously from Equifax - any decent CA provides their root certificates for public download.

> 5) I don't seem to have /etc/ssl. Any other guesses? How do I find out where
> the store is? I'm pretty sure openssl is installed.

Check the package list and look for a subdirectory named "certs".

Oh, and please trim your quotes next time.

HTH
MA