From: Matthias A. <mat...@gm...> - 2021-01-29 18:43:39
Am 29.01.21 um 13:48 schrieb Gene Heskett:
> Greetings all;
>
> locally built 6.4.14 client here on debian stretch.
>
> Been running fine for months.
>
> last night around 22:00 local mail stopped.
>
> openssl-1.1.1l is now installed locally built, installed once with
> --prefix=/usr, and once as the default /usr/local.
>
> ~/.fetchmailrc active section:
> poll imap.shentel.net with proto imap
> user $USR with password $PW is gene
> fetchall
> ssl
> pass8bits
> nokeep
>
> Restarting fetchmail gets:
>
> fetchmail: Server certificate verification error: self signed certificate in certificate chain
> fetchmail: Missing trust anchor certificate: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that
> c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath
> and --sslcertfile in the manual page. See README.SSL for details.
> fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> fetchmail: imap.shentel.net: SSL connection failed.
> fetchmail: socket error while fetching from $US...@im...
>
> I can go in with a browser using that same $USR and $PW and see it there ok
> Please define the certificate directory. I do have that cert if the
> spaces are replaced by underscores. And c_rehash has been run, several
> times with the -v option, looks legit but me not an expert.

c_rehash has worked if you have lots of 12345678.0 symlinks pointing to
the MyFineRootCA.pem and AnotherRootCA.pem files in that directory.

So either you can point fetchmail to the directory you have hashed, with
the "sslcertpath /path/to/my/certs" option (you'd give it the directory
1. that contains the root certificates and 2. that you should have run
c_rehash on. This should be the same ;-)), or globally, make sure that
your OpenSSL configuration points to the right directory.

I'm not sure if I would feel comfortable with OpenSSL installed in two
places, that's two places to maintain.

> Where is the bad or missing cert, here, or at my ISP's dovecot server?

On your end, the default OpenSSL library that fetchmail links to at
run-time cannot find the root certificate (digicert) of the chain
presented by the server.

Gene, any proposals on where I should update README.SSL, or how could I
reword the error message you quoted above?

Hope that helps.

Regards, Matthias
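As an added example (not code from fetchmail, OpenSSL or anyone on this thread), here is a small POSIX shell stand-in for what c_rehash does to a certificate directory, plus a check that the hashed directory really does verify a certificate, which is the quickest way to tell whether the root is findable before pointing sslcertpath at it. It assumes the openssl command-line tool is on PATH; the directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from fetchmail or OpenSSL. Assumes the `openssl`
# command-line tool is on PATH; directory and file names are placeholders.

# Create the <subject_hash>.<n> links that -CApath (and fetchmail's
# sslcertpath) use to look a root certificate up by its subject name.
# This is what c_rehash does; without the links the directory is useless.
rehash_dir() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        subj_hash=$(openssl x509 -in "$f" -noout -subject_hash) || return 1
        n=0
        # Hash collisions get .0, .1, ...; a link already pointing at this
        # file is kept, so re-running is harmless.
        while [ -e "$dir/$subj_hash.$n" ]; do
            [ "$(readlink "$dir/$subj_hash.$n")" = "$base" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$base" "$dir/$subj_hash.$n"
    done
}

# Check that CERT (a root, or a server chain) verifies against the hashed
# directory DIR. On failure, print OpenSSL's reason, which is the text that
# fetchmail relays in "Server certificate verification error: ...".
verify_with_capath() {
    out=$(openssl verify -CApath "$1" "$2" 2>&1 || true)
    case "$out" in
        *": OK"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Usage: rehash_dir /path/to/my/certs && verify_with_capath /path/to/my/certs chain.pem
```

Running verify_with_capath against the directory before and after rehash_dir reproduces the two states in the report: the same root file present but unfindable, then found once the hash links exist.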