From: Matthias A. <mat...@gm...> - 2019-09-30 18:55:36
On 30.09.19 at 04:35, rus...@gm... wrote:
> Beginning with 6.4.1, when I fetch mail from my gmail account,
> I get:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Broken certification chain at: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
> fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please
> see the README.SSL-SERVER document that ships with fetchmail.
> fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> fetchmail: pop.gmail.com: SSL connection failed.
> fetchmail: socket error while fetching from Fak...@po...
> fetchmail: Query status=2 (SOCKET)
>
>
> I went back to 6.3.26, which works. Linux (kernel 5.3.1),
> Slackware (updated daily), 64-bit, OpenSSL 1.1.1d 10 Sep 2019
>
> Feel free to tell me it's all my fault.

Russell, thanks for building that bridge. Let's be a bit more constructive so people will find this, and I've amended to the Subject line, too.

The thing is that "the root CA's signing certificate is not in the trusted CA certificate location" as the error message states, and you need to fix that.

fetchmail 6.3.26 did not verify the certificate in your configuration, and I made fetchmail 6.4 do that by default (i.e. as if --sslcertck were added). I guess if you add --sslcertck to fetchmail 6.3.26's command line, it will fail, too - if it doesn't then the builds use differing OpenSSL libraries or configurations.

Many "major" Linux distributions have packages of Mozilla's trusted certificates, and slackware's appears to be named "ca-certificates" if I interpret https://packages.slackware.com/ correctly. Install that (a _current_ version of it - certificates expire, and sometimes they get untrusted) - 20190826 from slackware-current should be OK, a 2016 version is certainly too, and see if that helps.

Some info is also in the README.SSL file that ships with fetchmail, and I see that 6.4.2+ should add a reference to it.

"Works for me" on Fedora 30:

$ fetchmail --ssl -p pop3 pop.gmail.com -u testuser -v
fetchmail: 6.4.1 querying pop.gmail.com (protocol POP3) at Mo 30 Sep 2019 20:49:34 CEST: poll started
Trying to connect to 2a00:1450:400c:c00::6c/995...connected.
fetchmail: Server certificate:
fetchmail: Issuer Organization: Google Trust Services
fetchmail: Issuer CommonName: GTS CA 1O1
fetchmail: Subject CommonName: pop.gmail.com
fetchmail: Subject Alternative Name: pop.gmail.com
fetchmail: pop.gmail.com key fingerprint: 97:15:E2:F8:6F:7E:88:E7:23:93:57:77:36:71:4C:3F
fetchmail: SSL/TLS: using protocol TLSv1.3, cipher TLS_AES_256_GCM_SHA384, 256/256 secret/processed bits
fetchmail: POP3< +OK Gpop ready for requests from 2003:d0:2719:f100:9d30:e07f:b412:af73 f18mb6117392wmf
[...]

HTH
Matthias
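
Added example, not part of the message above and not fetchmail code: a Python check for the two causes the quoted error text names, an empty trust store or a certificate directory that c_rehash has not processed. It assumes fetchmail falls back to OpenSSL's default locations when --sslcertpath/--sslcertfile are not given and that Python links against the same OpenSSL; `diagnose_trust_store` and `demo` are hypothetical names, and the PEM content in `demo` is a constructed placeholder.

```python
import os
import re
import ssl
import tempfile

# OpenSSL looks up CAs in a directory by subject-hash names such as "4a6481c9.0",
# which c_rehash creates as links to the PEM files.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def count_pem_certs(path):
    """Count PEM certificate blocks in a file; 0 if missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read().count(PEM_MARKER)
    except OSError:
        return 0

def diagnose_trust_store(cafile=None, capath=None):
    """Return findings for a bundle file and/or hashed directory; [] means usable."""
    bundle_ok = bool(cafile) and count_pem_certs(cafile) > 0
    pem_files = hash_links = 0
    if capath and os.path.isdir(capath):
        for name in os.listdir(capath):
            if HASH_LINK.match(name):
                hash_links += 1
            elif count_pem_certs(os.path.join(capath, name)):
                pem_files += 1
    if bundle_ok or hash_links:
        return []
    if pem_files:
        return ["certificate directory has PEM files but no hash links: run c_rehash"]
    return ["no CA certificates found: install a current CA certificate package"]

def demo():
    """Exercise the check on a constructed directory (placeholder PEM, not a real CA)."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["empty"] = diagnose_trust_store(None, d)
        with open(os.path.join(d, "example-root.pem"), "wb") as fh:
            fh.write(PEM_MARKER + b"\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        out["unhashed"] = diagnose_trust_store(None, d)
        os.symlink("example-root.pem", os.path.join(d, "0123abcd.0"))
        out["hashed"] = diagnose_trust_store(None, d)
    return out

if __name__ == "__main__":
    p = ssl.get_default_verify_paths()  # defaults of the OpenSSL that Python links to
    print(diagnose_trust_store(p.cafile, p.capath) or "trust store is populated")
```

An empty result only rules out those two conditions; it does not show that the particular root named in the broken chain is present or still trusted.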