From: Dan Nelson
To: Giorgos Keramidas
Cc: Marco Beishuizen, freebsd-questions@freebsd.org
Date: Tue, 6 Jul 2010 00:37:38 -0500
Subject: Re: fetchmail certificate verification messages
Message-ID: <20100706053738.GH50409@dan.emsphone.com>
In-Reply-To: <87sk3yv4yq.fsf@kobe.laptop>
References: <87sk3yv4yq.fsf@kobe.laptop>

In the last episode (Jul 05), Giorgos Keramidas said:
> On Sat, 3 Jul 2010 23:36:58 +0200 (CEST), Marco Beishuizen wrote:
> > I'm seeing in my logfiles a lot of messages like these from fetchmail:
> >
> > Jul 3 22:02:54 yokozuna fetchmail[1437]: Server certificate
> > verification error: self signed certificate in certificate chain
> > Jul 3 22:02:54 yokozuna fetchmail[1437]: This means that the root
> > signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External
> > TTP Network/CN=AddTrust External CA Root) is not in the trusted CA
> > certificate locations, or that c_rehash needs to be run on the
> > certificate directory. For details, please see the documentation of
> > sslcertpath and sslcertfile in the manual page.
> >
> > Does anyone know what these messages mean and if they are harmless or
> > not?
>
> This means that the certificate of CN="AddTrust External CA Root" is
> signed by itself. It's a common thing when the administrator of the
> respective SSL-enabled host has not bought a certificate from one of the
> global CA authorities, but has signed the certificate with itself to avoid
> the costs & process associated with maintaining a "normal" certificate.

CA Roots are also self-signed, btw :) Addtrust is a valid CA Root, and is
the root for some certificates signed by Network Solutions and Comodo (and
probably others).

Marco, the fetchmail manpage mentions a --sslcertfile option; try adding
"--sslcertfile /etc/ssl/cert.pem" to force fetchmail to use the ca_root_nss
file you installed previously. IMHO openssl should automatically consult
that file, but apparently it doesn't.

-- 
	Dan Nelson
	dnelson@allantgroup.com
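
The behaviour discussed in this thread can be reproduced offline with `openssl verify`; this is an added example, not part of the original messages. It assumes the `openssl` command-line tool with its default configuration, and the CA name "Demo Root CA" and host "mail.example.test" are constructed. `-untrusted` stands in for certificates the server sends, and `-CAfile` plays the role of fetchmail's `--sslcertfile`.

```shell
#!/bin/sh
# Added example. The CA and host names are constructed, not from the thread.

# Build a throwaway self-signed root and a server certificate signed by it.
make_chain() {  # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Demo/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -days 2 -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/srv.pem" 2>/dev/null
}

# Print 0 when "openssl verify" accepts the chain, else the X509 error number.
verify_code() {
    out=$(openssl verify "$@" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# True when the certificate's issuer and subject names are identical.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" ]
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    is_self_issued "$d/root.pem" && echo "root is self-signed, as CA roots are"
    # Server sends its root, but the client's trust store has no copy of it.
    # Error 19 is "self signed certificate in certificate chain".
    echo "root sent, not trusted: $(verify_code -untrusted "$d/root.pem" "$d/srv.pem")"
    # Root neither sent nor trusted: error 20, unable to get local issuer.
    echo "root absent:            $(verify_code "$d/srv.pem")"
    # Client pointed at a CA file that contains the root: verification passes.
    echo "root in CA file:        $(verify_code -CAfile "$d/root.pem" "$d/srv.pem")"
    rm -rf "$d"
}
demo
```

Error 19 therefore says nothing about the server's own certificate; it reports that the chain ends in a root the client has not been told to trust.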