From: Andy M. <an...@oa...> - 2008-09-12 18:10:45
Hello All,
I'm currently trying to get fetchmail release 6.3.8+SSL+HESIOD+NLS
working but am running into problems with SSL certificate verification.
The version of OpenSSL I am using is OpenSSL 0.9.8d on RHEL 4.
I have specified the following options in my config file :
poll mymailhost proto pop3 uidl no dns
user mailuser
sslcertck sslcertpath /usr/share/ssl/certs
When I invoke fetchmail, I get the following :
Enter password for mailuser@mymailhost:
fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12
10:59:10 2008: poll started
Trying to connect to 10.0.0.17/995...connected.
fetchmail: Server certificate verification error: unable to get local
issuer certificate
29071:error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed:s3_clnt.c:843:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from mailuser@mymailhost
fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12
10:59:10 2008: poll completed
fetchmail: Query status=2 (SOCKET)
fetchmail: normal termination, status 2
If I remove the sslcertck option, things work fine.
If I run :
openssl s_client -connect mymailhost:993 -CApath /usr/share/ssl/certs
Things appear to be OK, i.e., the SSL handshake completes OK with a Verify
return code of 0.
---
No client certificate CA names sent
---
SSL handshake has read 3444 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
00230000FEE53D7423C28619FDCF68290F4EAE2085FB2CEC0EC81A9E329B883D
Session-ID-ctx:
Master-Key:
60818B7C1768717DD3E919C45A9B9D847196BBAD212C56C83E8A664931E5AA8A1EFFC537EFB4BDBC502AF87D0AC91185
Key-Arg : None
Krb5 Principal: None
Start Time: 1221231692
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Any ideas or input one may provide will be greatly appreciated.
Thanks,
---Andy
From: Tim J. <ti...@ak...> - 2011-10-16 23:58:15
FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version 11.2.0). Comfortable with command line, but not a virtuoso, new to Mac.

When attempting to fetch mail for pop.gmail.com the following error messages are generated:
####################################################################
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Certificate/fingerprint verification was somehow skipped!
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from tim...@po...
fetchmail: 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 -0800 (AKDT): poll completed
fetchmail: Query status=2 (SOCKET)
####################################################################

cert files are in /Users/tim/.certs
Two files were created from
openssl s_client -connect pop.gmail.com:995 -showcerts
1) gmail.pem = google cert
2) equifax.pem = equifax cert
c_rehash was run after certificates were installed.
permissions:
cert files are 644 tim:staff
cert directory is 755

Polling code in .fetchmailrc is

poll pop.gmail.com with proto POP3 user '*********' there with password '******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck sslcertpath /Users/tim/.certs

Entry from fetchmail -V:
#####################################################################################
Options for retrieving from *********@pop.gmail.com:
True name of server is pop.gmail.com.
Protocol is POP3.
All available authentication methods will be tried.
SSL encrypted sessions enabled.
SSL server certificate checking enabled.
SSL trusted certificate directory: /Users/tim/.certs
Server nonresponse timeout is 300 seconds (default).
Default mailbox selected.
Only new messages will be retrieved (--all off).
Fetched messages will not be kept on the server (--keep off).
Old messages will not be flushed before message retrieval (--flush off).
Oversized messages will not be flushed before message retrieval (--limitflush off).
Rewrite of server-local addresses is enabled (--norewrite off).
Carriage-return stripping is enabled (stripcr on).
Carriage-return forcing is disabled (forcecr off).
Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
MIME decoding is disabled (mimedecode off).
Idle after poll is disabled (idle off).
Nonempty Status lines will be kept (dropstatus off)
Delivered-To lines will be kept (dropdelivered off)
Fetch message size limit is 100 (--fetchsizelimit 100).
Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
Messages will be delivered with "/usr/bin/procmail".
Single-drop mode: 1 local name recognized.
No UIDs saved from this host.

I'm not new to fetchmail, but I haven't done any config in years.
Please advise
thanks
--
Tim
tim at tee jay forty nine dot com or akwebsoft dot com
http://www.akwebsoft.com
From: Matthias A. <mat...@gm...> - 2011-10-17 21:56:03
On 16.10.2011 23:51, Tim Johnson wrote:
> FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version
> 11.2.0). Comfortable with command line, but not a virtuoso, new to
> Mac.
>
> When attempting to fetch mail for pop.gmail.com the following error
> messages are generated :
> ####################################################################
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: Certificate/fingerprint verification was somehow skipped!
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from tim...@po...
> fetchmail: 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 -0800 (AKDT): poll completed
> fetchmail: Query status=2 (SOCKET)
> ####################################################################
> cert files are in /Users/tim/.certs
> Two files were created from
> openssl s_client -connect pop.gmail.com:995 -showcerts
> 1) gmail.pem = google cert
> 2) equifax.pem = equifax cert
> c_rehash was run after certificates were installed.
> permissions :
> cert files are 644 tim:staff
> cert directory is 755

In whichever dark corner of the Internet you found instructions to download certificates that way, it is wrong, dangerous, and must not be done.

Please install your distribution's ca-certificates or nss_root_ca package (or however it's named), and point fetchmail there. I'm not sure where to get those on Macs, MacPorts, or Fink, wherever.

Oh, and it's the first time ever I've seen "Certificate/fingerprint verification was somehow skipped" trigger in the wild.

> Polling code in .fetchmailrc is
>
> poll pop.gmail.com with proto POP3 user '*********' there with
> password '******' is 'tim' here mda "/usr/bin/procmail" options ssl
> sslcertck sslcertpath /Users/tim/.certs

Basically you need to download the Equifax root certificate SEPARATELY with your browser through a trusted https:// connection (_not_ with gnutls-cli, openssl, or similar tools!) and put that into /Users/tim/.certs - and be sure it's named something with .pem suffix. Then re-run c_rehash, and see if that helps.

Note your fetchmail version is outdated and should not be used. Update to 6.3.21 instead.
From: Tim J. <ti...@ak...> - 2011-10-18 00:23:32
* Matthias Andree <mat...@gm...> [111017 12:10]:
>
> Basically you need to download the Equifax root certificate SEPARATELY
> with your browser through a trusted https:// connection (_not_ with
> gnutls-cli, openssl, or similar tools!) and put that into
> /Users/tim/.certs - and be sure it's named something with .pem suffix.
> Then re-run c_rehash, and see if that helps.

I had created certificates different from the ones on my linux box.
I solved this (for gmail) by copying over the .certs directory from my linux box.

> Note your fetchmail version is outdated and should not be used. Update
> to 6.3.21 instead.

I am mindful of your instructions. With SSL enabled on this fetchmail, it is also complaining about certificates for other mail servers that I use.
thank you
--
Tim
tim at tee jay forty nine dot com or akwebsoft dot com
http://www.akwebsoft.com
From: Matthias A. <mat...@gm...> - 2011-10-18 23:18:04
On 18.10.2011 00:24, Tim Johnson wrote:
> * Matthias Andree <mat...@gm...> [111017 12:10]:
>>
>> Basically you need to download the Equifax root certificate SEPARATELY
>> with your browser through a trusted https:// connection (_not_ with
>> gnutls-cli, openssl, or similar tools!) and put that into
>> /Users/tim/.certs - and be sure it's named something with .pem suffix.
>> Then re-run c_rehash, and see if that helps.
> I had created certificates different from the ones on my linux box.
> I solved this (for gmail) by copying over the .certs directory from
> my linux box.

Be sure to re-run c_rehash. Your Mac may be using a different OpenSSL version, and thus a different hash function, than Linux.

>> Note your fetchmail version is outdated and should not be used. Update
>> to 6.3.21 instead.
> I am mindful of your instructions. With SSL enabled on this
> fetchmail, it is also complaining about certificates for other mail
> servers that I use.

Be sure to put the certificates of the root signing certification authority into said directory, and be sure to run a matching c_rehash command.

Failing proper hashing, try concatenating the BASE64/.PEM files to one (these are plain text files with -----BEGIN CERTIFICATE----- and matching end lines and ASCII stuff in between), and pass it to --sslcertfile (needs a somewhat recent fetchmail).
From: Matthias A. <mat...@gm...> - 2008-09-12 18:23:43
Andy Malato wrote:
> Hello All,
>
> I'm currently trying to get fetchmail release 6.3.8+SSL+HESIOD+NLS
> working but am running into problems with SSL certificate verification.
>
> The version of OpenSSL I am using is OpenSSL 0.9.8d on RHEL 4.
>
> I have specified the following options in my config file :
>
> poll mymailhost proto pop3 uidl no dns
> user mailuser
> sslcertck sslcertpath /usr/share/ssl/certs
>
> When I invoke fetchmail, I get the following :
>
> Enter password for mailuser@mymailhost:
> fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12 10:59:10 2008: poll started
> Trying to connect to 10.0.0.17/995...connected.
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> 29071:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
...
> If I remove the sslcertck option, things work fine.
>
> If I run :
>
> openssl s_client -connect mymailhost:993 -CApath /usr/share/ssl/certs
>
> Things appear to be OK, i.e., The SSL Handshake completes ok with Verify
> return code of 0.

Do you get the same results with "-verify 5" here?

Did you run c_rehash /usr/share/ssl/certs after installing any certificates?

Is your RHEL fully patched?

HTH
--
Matthias Andree
From: Andy M. <an...@oa...> - 2008-09-12 19:50:43
! Date: Fri, 12 Sep 2008 18:23:39 +0200
! From: Matthias Andree <mat...@gm...>
! To: fet...@li...
! Subject: Re: [fetchmail-users] unable to get local issuer certificate
!
! Andy Malato wrote:
! > Hello All,
! >
! > I'm currently trying to get fetchmail release 6.3.8+SSL+HESIOD+NLS
! > working but am running into problems with SSL certificate verification.
! >
! > The version of OpenSSL I am using is OpenSSL 0.9.8d on RHEL 4.
! >
! > I have specified the following options in my config file :
! >
! > poll mymailhost proto pop3 uidl no dns
! > user mailuser
! > sslcertck sslcertpath /usr/share/ssl/certs
! >
! > When I invoke fetchmail, I get the following :
! >
! > Enter password for mailuser@mymailhost:
! > fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12 10:59:10 2008: poll started
! > Trying to connect to 10.0.0.17/995...connected.
! > fetchmail: Server certificate verification error: unable to get local issuer certificate
! > 29071:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
! ...
! > If I remove the sslcertck option, things work fine.
! >
! > If I run :
! >
! > openssl s_client -connect mymailhost:993 -CApath /usr/share/ssl/certs
! >
! > Things appear to be OK, i.e., The SSL Handshake completes ok with Verify
! > return code of 0.
!
! Do you get the same results with "-verify 5" here?

Yes

! Did you run c_rehash /usr/share/ssl/certs after installing any certificates?

Yes

! Is your RHEL fully patched?

Yes

! HTH
!
! --
! Matthias Andree
!
! _______________________________________________
! fetchmail-users mailing list
! fet...@li...
! https://lists.berlios.de/mailman/listinfo/fetchmail-users
From: Matthias A. <mat...@gm...> - 2008-09-14 16:05:16
Andy Malato <an...@oa...> writes:
> ! Date: Fri, 12 Sep 2008 18:23:39 +0200
> ! From: Matthias Andree <mat...@gm...>
> ! To: fet...@li...
> ! Subject: Re: [fetchmail-users] unable to get local issuer certificate
> !
> ! Andy Malato wrote:
> ! > Hello All,
> ! >
> ! > I'm currently trying to get fetchmail release 6.3.8+SSL+HESIOD+NLS
> ! > working but am running into problems with SSL certificate verification.
> ! >
> ! > The version of OpenSSL I am using is OpenSSL 0.9.8d on RHEL 4.
> ! >
> ! > I have specified the following options in my config file :
> ! >
> ! > poll mymailhost proto pop3 uidl no dns
> ! > user mailuser
> ! > sslcertck sslcertpath /usr/share/ssl/certs
> ! >
> ! > When I invoke fetchmail, I get the following :
> ! >
> ! > Enter password for mailuser@mymailhost:
> ! > fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12 10:59:10 2008: poll started
> ! > Trying to connect to 10.0.0.17/995...connected.
> ! > fetchmail: Server certificate verification error: unable to get local issuer certificate
> ! > 29071:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
> ! ...
> ! > If I remove the sslcertck option, things work fine.
> ! >
> ! > If I run :
> ! >
> ! > openssl s_client -connect mymailhost:993 -CApath /usr/share/ssl/certs
> ! >
> ! > Things appear to be OK, i.e., The SSL Handshake completes ok with Verify
> ! > return code of 0.

Given the three tests pass, I find this strange. Can you run:

strace -e trace=file fetchmail -d0 --nodetach -vv

and see if it misses files it tries to open?
--
Matthias Andree
From: Andy M. <an...@oa...> - 2008-09-26 21:26:19
! Date: Sun, 14 Sep 2008 16:05:11 +0200
! From: Matthias Andree <mat...@gm...>
! To: Andy Malato <an...@oa...>
! Cc: fet...@li...
! Subject: Re: [fetchmail-users] unable to get local issuer certificate
!
! Andy Malato <an...@oa...> writes:
!
! > ! Date: Fri, 12 Sep 2008 18:23:39 +0200
! > ! From: Matthias Andree <mat...@gm...>
! > ! To: fet...@li...
! > ! Subject: Re: [fetchmail-users] unable to get local issuer certificate
! > !
! > ! Andy Malato schrieb:
! > ! > Hello All,
! > ! >
! > ! >
! > ! > I'm currently trying to get fetchmail release 6.3.8+SSL+HESIOD+NLS
! > ! > working but am running into problems with SSL certificate verification.
! > ! >
! > ! > The version of OpenSSL I am using is OpenSSL 0.9.8d on RHEL 4.
! > ! >
! > ! >
! > ! > I have specified the following options in my config file :
! > ! >
! > ! > poll mymailhost proto pop3 uidl no dns
! > ! > user mailuser
! > ! > sslcertck sslcertpath /usr/share/ssl/certs
! > ! >
! > ! > When I invoke fetchmail, I get the following :
! > ! >
! > ! > Enter password for mailuser@mymailhost:
! > ! > fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 12
! > ! > 10:59:10 2008: poll started
! > ! > Trying to connect to 10.0.0.17/995...connected.
! > ! > fetchmail: Server certificate verification error: unable to get local
! > ! > issuer certificate
! > ! > 29071:error:14090086:SSL
! > ! > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
! > ! > failed:s3_clnt.c:843:
! > ! ...
! > ! > If I remove the sslcertck option, things work fine.
! > ! >
! > ! >
! > ! > If I run :
! > ! >
! > ! > openssl s_client -connect mymailhost:993 -CApath /usr/share/ssl/certs
! > ! >
! > ! > Things appear to be OK, i.e., The SSL Handshake completes ok with Verify
! > ! > return code of 0.
!
! Given the three tests pass, I find this strange. Can you run:
!
! strace -e trace=file fetchmail -d0 --nodetach -vv
!
! and see if it misses files it tries to open?
Thanks, and sorry for the delayed reply. I have listed the output of
strace below. From what I can see, it seems to be looking for
ed524cf5.1 which doesn't exist. I'm not sure why it is looking for
this?
yellow-92 certs>: strace -e trace=file fetchmail -d0 --nodetach -vv
execve("/usr/local/bin/fetchmail", ["fetchmail", "-d0", "--nodetach", "-vv"], [/* 39 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libhesiod.so.0", O_RDONLY) = 3
open("/lib64/libcrypt.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/lib64/libssl.so.4", O_RDONLY) = 3
open("/lib64/libcrypto.so.4", O_RDONLY) = 3
open("/lib64/tls/libc.so.6", O_RDONLY) = 3
open("/usr/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/usr/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/usr/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/usr/lib64/libz.so.1", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
stat("/home/guest23/.fetchmailrc", {st_mode=S_IFREG|0710, st_size=255, ...}) = 0
lstat("/home/guest23/.fetchmailrc", {st_mode=S_IFREG|0710, st_size=255, ...}) = 0
open("/home/guest23/.fetchmailrc", O_RDONLY) = 3
open("/etc/passwd", O_RDONLY) = 3
lstat("/home/guest23/.fetchids", {st_mode=S_IFREG|0600, st_size=239, ...}) = 0
lstat("/home/guest23/.fetchids", {st_mode=S_IFREG|0600, st_size=239, ...}) = 0
open("/home/guest23/.fetchids", O_RDONLY) = 3
Old UID list from mymailhost: 9 10 11 12 13 14 15 16 17 18 <empty>
Scratch list of UIDs: <empty>
open("/home/guest23/.netrc", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/home/guest23/.fetchmail.pid", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/dev/tty", O_RDWR) = 3
Enter password for tpine@mymailhost:
open("/home/guest23/.fetchmail.pid", O_WRONLY|O_CREAT|O_EXCL, 0666) = 3
stat("/home/guest23/.fetchmailrc", {st_mode=S_IFREG|0710, st_size=255, ...}) = 0
open("/etc/resolv.conf", O_RDONLY) = 3
open("/etc/localtime", O_RDONLY) = 3
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 26 15:13:52 2008: poll started
open("/etc/services", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
open("/etc/hosts", O_RDONLY) = 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_dns.so.2", O_RDONLY) = 3
Trying to connect to 128.235.208.17/995...connected.
stat("/dev/random", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 4
stat("/usr/share/ssl/certs/ed524cf5.0", {st_mode=S_IFREG|0644, st_size=2516, ...}) = 0
open("/usr/share/ssl/certs/ed524cf5.0", O_RDONLY) = 4
stat("/usr/share/ssl/certs/ed524cf5.1", 0x7fbfffa830) = -1 ENOENT (No such file or directory)
fetchmail: Server certificate verification error: unable to get local issuer certificate
30773:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from tpine@mymailhost
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1267, ...}) = 0
fetchmail: 6.3.8 querying mymailhost (protocol POP3) at Fri Sep 26 15:13:52 2008: poll completed
Merged UID list from mymailhost: 9 = 1 10 = 1 11 = 1 12 = 1 13 = 1 14 = 1 15 = 1 16 = 1 17 = 1 18 = 1 <empty>
fetchmail: Query status=2 (SOCKET)
fetchmail: Writing fetchids file.
unlink("/home/guest23/.fetchids_") = -1 ENOENT (No such file or directory)
open("/home/guest23/.fetchids_", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("/home/guest23/.fetchids_", "/home/guest23/.fetchids") = 0
fetchmail: normal termination, status 2
fetchmail: Writing fetchids file.
unlink("/home/guest23/.fetchids_") = -1 ENOENT (No such file or directory)
open("/home/guest23/.fetchids_", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
rename("/home/guest23/.fetchids_", "/home/guest23/.fetchids") = 0
unlink("/home/guest23/.fetchmail.pid") = 0
yellow-93 certs>:
! --
! Matthias Andree
!
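Two points in this thread can be checked mechanically: Matthias's warning that a certificate directory hashed under one OpenSSL build may not match another build's subject-name hash, and Andy's strace, where the stat of ed524cf5.1 after ed524cf5.0 is OpenSSL's normal walk through <hash>.N until one is missing, so the real question is whether ed524cf5.0 actually holds the issuer of the chain served on port 995 (the s_client test earlier in the thread used 993). The script below is an added example, not from the thread or from fetchmail; it assumes a POSIX sh with openssl on PATH, and its host, port and directory arguments are placeholders.

```shell
#!/bin/sh
# Added example: checks for a fetchmail sslcertpath / OpenSSL -CApath directory.
# OpenSSL finds an issuer by stat()ing <subject_hash>.0, .1, ... until a number
# is missing (the ed524cf5.1 ENOENT in the strace above is that normal stop),
# so a link made with another OpenSSL build's hash is never consulted: the
# subject-name hash changed in 1.0.0 (newer builds print the 0.9.8-style value
# with -subject_hash_old). Assumes POSIX sh and openssl on PATH.

# Subject-name hash of a PEM certificate as computed by THIS openssl binary.
subject_hash() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Exit 0 when every *.pem/*.crt certificate in DIR is reachable through some
# <hash>.N entry, walked 0,1,2,... as OpenSSL does; fingerprints are compared
# so a stale link to a different certificate does not count as a hit.
# Unreachable certificates are listed on stdout and the exit status is 1.
capath_check() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$pem" ] || continue
        h=$(subject_hash "$pem") || return 2
        want=$(openssl x509 -noout -fingerprint -sha1 -in "$pem")
        n=0
        found=0
        while [ -e "$dir/$h.$n" ]; do
            got=$(openssl x509 -noout -fingerprint -sha1 -in "$dir/$h.$n" 2>/dev/null) || got=
            if [ "$got" = "$want" ]; then
                found=1
                break
            fi
            n=$((n + 1))
        done
        if [ "$found" -eq 0 ]; then
            echo "unreachable: $pem (no $dir/$h.N points at it; re-run c_rehash here)"
            rc=1
        fi
    done
    return $rc
}

# Verify the chain actually served on the port fetchmail connects to (995 for
# POP3 over SSL; the s_client test in the thread used 993, and a server can
# send a different chain per service) against DIR. Needs network access, so
# the offline test does not call it. HOST, PORT and DIR are placeholders.
verify_served_chain() {
    host=$1; port=$2; dir=$3
    tmp=$(mktemp -d) || return 2
    # Split the served chain into c1.pem (leaf), c2.pem, ... (intermediates).
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null |
        awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; f = 1 }
                         f { print > (d "/c" n ".pem") }
                         /-----END CERTIFICATE-----/ { f = 0 }'
    cat "$tmp"/c[2-9].pem > "$tmp/untrusted.pem" 2>/dev/null
    if [ -s "$tmp/untrusted.pem" ]; then
        openssl verify -CApath "$dir" -untrusted "$tmp/untrusted.pem" "$tmp/c1.pem"
    else
        openssl verify -CApath "$dir" "$tmp/c1.pem"
    fi && rc=0 || rc=1
    rm -rf "$tmp"
    return $rc
}
```

Run `capath_check /usr/share/ssl/certs` on the box that runs fetchmail, with the same openssl fetchmail is linked against, since that is the hash the lookup uses.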