From: Matthias A. <mat...@gm...> - 2015-01-26 00:58:27

On 25.01.2015 at 22:23, Jerry wrote:
>> As pop.google.com has an "official" certificate, there is no need for
>> a fingerprint check. Just let fetchmail know your root ca certs. I
>> only use sslfingerprint for self-signed certs, as an override where
>> root ca cert verification fails. You don't seem to use sslcertck, but
>> better you should.
>>
>> Martin
>
> That doesn't work here:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Broken certification chain at: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
> fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from ad...@se...@pop.gmail.com
> fetchmail: Query status=2 (SOCKET)

Martin's proposal is the same I'd have made:

1. add sslcertck
2. remove sslfingerprint + the hash.

You need the root certificates installed locally. Many distributions package Mozilla's certificate package for OpenSSL, but the various distros have various names for the package, so there isn't a one-stop solution. ca-certificates, ca_root_nss are packages that Ubuntu and FreeBSD offer. Some distributions require you to select which certificates you want to install into the trust store.

Some info is in <http://www.fetchmail.info/fetchmail-FAQ.html#K5> but I haven't tried it recently, so I'm not sure if it applies. Let me know if it does not so that I can revise or remove that.

And you also need up-to-date versions of fetchmail and OpenSSL. There used to lurk bugs in older versions of both.

Tell us your distro and version, and chances are that someone knows what packages you need to install and perhaps configure and responds to the list.
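
The "unable to get local issuer certificate" failure quoted above can be reproduced and cleared offline. This is an added example, not part of the original message or of fetchmail; the demo CA, the host name pop.example.test and all paths are constructed, and the directory passed to `-CApath` plays the role of fetchmail's `--sslcertpath`.

```shell
#!/bin/sh
# Added example. The CA, host name and paths are constructed for this demo.

# make_pki DIR: throwaway root CA plus one server certificate signed by it.
make_pki() {
    mkdir -p "$1/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null
}

# check_chain CADIR CERT: classify the verification result for CERT when
# CADIR is the hashed CA directory (the role of fetchmail's --sslcertpath).
check_chain() {
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo verified ;;
        *"unable to get local issuer certificate"*) echo issuer-not-found ;;
        *) echo other ;;
    esac
}

# rehash_dir DIR: create the <subject-hash>.0 links that OpenSSL looks up.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null
}

# run_demo: print the result for each of the three trust-store states.
run_demo() {
    d=$(mktemp -d)
    make_pki "$d"
    s1=$(check_chain "$d/certs" "$d/srv.pem")   # root CA not installed
    cp "$d/ca.pem" "$d/certs/demo-root.pem"
    s2=$(check_chain "$d/certs" "$d/srv.pem")   # installed, but not rehashed
    rehash_dir "$d/certs"
    s3=$(check_chain "$d/certs" "$d/srv.pem")   # installed and rehashed
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}

run_demo
```

The middle state is the one the fetchmail message warns about: the root certificate file is present in the directory, but without the hash links OpenSSL never finds it.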