From: Jerry <je...@se...> - 2015-01-25 21:23:53
On Sun, 25 Jan 2015 19:48:25 +0100 (CET), Martin Koeppe stated:

> Hi Jerry,
>
> >>>> I have several users here that use Google's "gmail". Google has
> >>>> been changing their SSL certificate on a nearly monthly basis.
> >>>> This causes havoc with our mail system.
> >>>>
> >>>> Fetchmail is configured to fetch mail from 11 different "gmail"
> >>>> accounts. Each account has a different "user name" and "password".
> >>>> The config line in the global fetchmailrc file read like this:
> >>>>
> >>>> user 'us...@gm...' there with password 'SECRET' options forcecr
> >>>> dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
> >>>> sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
>
> why so complicated? I use this snippet:
>
> defaults:
> proto pop3 timeout 300 sslproto 'TLS1' ssl
> sslcertfile /usr/ssl/certs/ca-bundle.trust.crt
> sslcertck
> limit 50000000 warnings 86400
>
>
> As pop.google.com has an "official" certificate, there is no need for
> a fingerprint check. Just let fetchmail know your root ca certs. I
> only use sslfingerprint for self-signed certs, as an override where
> root ca cert verification fails. You don't seem to use sslcertck, but
> better you should.
>
> Martin

That doesn't work here:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from ad...@se...@pop.gmail.com
fetchmail: Query status=2 (SOCKET)

--
Jerry
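
Added example (not part of the original thread and not fetchmail's own code): the "unable to get local issuer certificate" verdict in the log above can be reproduced offline by verifying a certificate against a CA bundle that lacks its issuing root, then against one that contains it. It assumes the `openssl` CLI is on PATH; every certificate and name (`pop.example.test`, `Constructed Root CA`, `Unrelated CA`) is constructed throwaway material, and `-CAfile` stands in for the bundle that `sslcertfile` points at.

```shell
#!/bin/sh
# Added example: all keys and certificates below are constructed test
# material, created in a temp directory and valid for one day.

# make_chain DIR: create a private root CA, a leaf certificate signed by
# that root, and a second, unrelated CA that did not sign anything.
make_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Constructed Test/CN=Unrelated CA" \
        -keyout "$dir/unrelated.key" -out "$dir/unrelated.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null || return 1
}

# verify_with BUNDLE CERT: print OpenSSL's verdict for CERT when BUNDLE is
# the trusted CA file. Always returns 0 so callers can inspect the text.
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
    return 0
}

# chain_ok BUNDLE CERT: succeed only if CERT chains to a CA in BUNDLE.
chain_ok() {
    verify_with "$1" "$2" | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "Bundle WITHOUT the issuing root (verification fails):"
    verify_with "$tmp/unrelated.crt" "$tmp/leaf.crt"
    echo "Bundle WITH the issuing root (verification succeeds):"
    verify_with "$tmp/root.crt" "$tmp/leaf.crt"
    rm -rf "$tmp"
}
demo
```

Running `chain_ok` against the real bundle and a saved server certificate is a quick way to tell a trust-store gap apart from a server that omits its intermediates, without turning verification off.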