From: Paul E. <pel...@io...> - 2006-07-01 19:21:32
On Sat, Jul 01, 2006 at 11:38:46AM +0200, Matthias Andree wrote:
> Paul Elliott <pel...@io...> writes:
>
> > When I run fetchmail to get mail from my IMAP server
> > I get the following messages:
> >
> > fetchmail: Server certificate verification error: unable to get local issuer certificate
> > fetchmail: Server certificate verification error: certificate not trusted
> > fetchmail: Server certificate verification error: unable to verify the first certificate
> >
> >
> > My question is: what is a "local issuer certificate"?
> >
> > Is it the public key associated with my IMAP server?
> > Or is it the public key associated with my local fetchmail
> > client?
> >
> > In any case how do I create and/or get one to make the error go
> > away?
>
> That depends. Usually the fix is to make sure that fetchmail can find
> the root certificate. Some self-signed certificates are provided without
> the signing root certificate; ask the operator of the server.
>
> Older fetchmail versions did not set the certificate authorities' path
> properly, updating to 6.3.4 should then fix that.
>
> As a workaround, run fetchmail with -v to see the MD5 fingerprint, call
> the server's operator to verify the fingerprint, and use the
> --sslfingerprint option. This, too, needs a recent fetchmail version to
> work properly.
>

I am not an expert on ssl so this does not really answer my question.

I got one certificate from the imap server at mail.io.com by
doing the following:

    openssl s_client -connect mail.io.com:993 -showcerts

I then grabbed everything between the
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
inclusive and put it in io.pem in the /home/pelliott/.ssl/certs directory.

This directory also contains:

    ls .ssl/certs
    1e49180d.0  843b6c51.0         aae0b7a3.0  eng1.pem    io.pem~
    2edf7016.0  878cf4c6.0         argena.pem  eng2.pem    thawteCb.pem
    56e607f4.0  Equifax-root1.pem  argeng.pem  eng3.pem    thawteCp.pem
    594f1775.0  ICP-Brasil.pem     c33a80d4.0  eng4.pem    vsign1.pem
    6adf0799.0  RegTP-5R.pem       cdd7aee7.0  eng5.pem    vsign3.pem
    6f5d9899.0  RegTP-6R.pem       d4e39186.0  expired     vsignss.pem
    7651b327.0  a3c60019.0         ddc328ff.0  f73e89fd.0  wellsfgo.pem
    7a9820c1.0  aad3d04d.0         demo        io.pem

I did a "c_rehash /home/pelliott/.ssl/certs"
and the io.pem was supposed to be signed by equifax
so I should have the certificate for equifax that signed
io.pem.

My .fetchmailrc looks like (with password XXXXed):

    # Configuration created Mon Jun 19 10:26:45 2006 by fetchmailconf 1.52 $Revision: 4636 $
    set postmaster "pelliott"
    set bouncemail
    set no spambounce
    set properties ""
    poll mail.io.com with proto IMAP
           user 'pelliott' there with password 'XXXXXXX' is 'pelliott' here
           sslcertpath /home/pelliott/.ssl/certs
           sslfingerprint "5D:1F:EF:5B:2C:C6:72:07:D4:18:D1:D3:15:8F:4F:1B"
    #sslcertck

I am still getting the error message.

My question was what does "local issuer certificate" refer to?
The certificate I got from the imap server at mail.io.com
or does it refer to a self signed certificate describing
my fetchmail client? How do I create/get one in any case?

The fetchmail documentation describes the --sslcert
and --sslkey parameters and how they should point
to certifications and keys. But this stuff is going to be
used by a lot of ignorant people like me, it does not tell
how to get and/or create such keys. I can't seem to figure it out.

-- 
Paul Elliott                       1(512)837-1096
pel...@io...                       PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/   Austin TX 78758-3117
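
Added example, not part of the original message and not fetchmail or OpenSSL project code: it reproduces the "unable to get local issuer certificate" text with `openssl verify -CApath` on a hashed directory like the one listed above, first holding only the server's certificate and then also the CA certificate that signed it. The CA, the server certificate, the host name `mail.example.test` and the function names are constructed for the demo.

```sh
#!/bin/sh
# Constructed throwaway CA and server certificate; nothing here comes from mail.io.com.

make_chain() {                       # $1 = work dir; writes ca.pem and leaf.pem
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 2 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# One c_rehash step done by hand: file the cert under <subject-hash>.0.
# When OpenSSL verifies a certificate it hashes that certificate's *issuer*
# name and looks for a file of this name in the directory.
# (c_rehash makes a symlink and bumps the suffix on collisions; a copy is enough here.)
add_to_certdir() {                   # $1 = cert file, $2 = cert dir
    h=$(openssl x509 -noout -subject_hash -in "$1") || return 1
    cp "$1" "$2/$h.0"
}

check_leaf() {                       # $1 = server cert, $2 = cert dir; prints a verdict
    out=$(openssl verify -CApath "$2" "$1" 2>&1)
    case $out in
        *"unable to get local issuer certificate"*) echo "issuer-missing" ;;
        *": OK"*) echo "ok" ;;
        *) echo "other: $out" ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs" && make_chain "$d" || return 1
    add_to_certdir "$d/leaf.pem" "$d/certs"   # only the server's own certificate
    echo "server cert only: $(check_leaf "$d/leaf.pem" "$d/certs")"
    add_to_certdir "$d/ca.pem" "$d/certs"     # now the certificate of the signing CA
    echo "issuer added:     $(check_leaf "$d/leaf.pem" "$d/certs")"
    rm -rf "$d"
}
demo
```

The first check reports the missing issuer even though the server's own certificate is in the directory; the second succeeds once the signing CA's certificate is filed under its subject hash.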