Menu
▾
▴
Re: [fetchmail-users] unable to get local issuer certificate
|
From: Matthias A. <mat...@gm...> - 2011-10-17 21:56:03
|
Am 16.10.2011 23:51, schrieb Tim Johnson: > FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version > 11.2.0). Comfortable with command line, but not a virtuoso, new to > Mac. > > When attempting to fetch mail for pop.gmail.com the following error > messages are generated : > #################################################################### > fetchmail: Server certificate verification error: unable to get local issuer > certificate fetchmail: This means that the root signing certificate (issued for > /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA > certificate locations, or that c_rehash needs to be run on the certificate > directory. For details, please see the documentation of --sslcertpath and > --sslcertfile in the manual page. fetchmail: Certificate/fingerprint > verification was somehow skipped! fetchmail: SSL connection failed. > fetchmail: socket error while fetching from tim...@po... fetchmail: > 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 > -0800 (AKDT): poll completed fetchmail: Query status=2 (SOCKET) > #################################################################### > cert files are in /Users/tim/.certs > Two files were created from > openssl s_client -connect pop.gmail.com:995 -showcerts > 1)gmail.pem = google cert > 2)equifax.pem = equifax cert > c_rehash was run after certificates were installed. > permissions : > cert files are 644 tim:staff > cert directory is 755 In whichever dark corner of the Internet you found instructions to download certificates that way, it is wrong, dangerous, and must not be done. Please install your distribution's ca-certificates or nss_root_ca package (or however it's named), and point fetchmail there. I'm not sure where to get those on Macs, MacPorts, or Fink, wherever. Oh, and it's the first time ever I've seen "Certificate/fingerprint verification was somehow skipped" trigger in the wild. > > Polling code in .fetchmailrc is > > poll pop.gmail.com with proto POP3 user '*********' there with > password '******' is 'tim' here mda "/usr/bin/procmail" options ssl > sslcertck sslcertpath /Users/tim/.certs Basically you need to download the Equifax root certificate SEPARATELY with your browser through a trusted https:// connection (_not_ with gnutls-cli, openssl, or similar tools!) and put that into /Users/tim/.certs - and be sure it's named something with .pem suffix. Then re-run c_rehash, and see if that helps. Note your fetchmail version is outdated and should not be used. Update to 6.3.21 instead. |
