Date: Mon, 23 Jul 2012 17:27:04 +0100
From: Anton Shterenlikht <mexas@bristol.ac.uk>
To: freebsd-questions@freebsd.org
Subject: fetchmail ssl error
Message-ID: <20120723162704.GA98615@mech-cluster241.men.bris.ac.uk>

I probably misunderstand how SSL certificates work.

$ cat .fetchmailrc
poll staff-imap-srv.bris.ac.uk
protocol imap
user "mexas"
password "xxxxxxx"
sslcertck
sslcertfile /home/mexas/cert/uob-net-ca.crt
fetchall
$

$ fetchmail
fetchmail: Server certificate verification error: self signed certificate in certificate chain
fetchmail: This means that the root signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
98631:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:984:
fetchmail: staff-imap-srv.bris.ac.uk: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on mexas@epo.bris.ac.uk
fetchmail: socket error while fetching from mexas@staff-imap-srv.bris.ac.uk
fetchmail: Query status=2 (SOCKET)
$

The /home/mexas/cert/uob-net-ca.crt file is supposed to be the
university certificate:

-----BEGIN CERTIFICATE-----
*several lines*
-----END CERTIFICATE-----

$ openssl verify uob-net-ca.crt
uob-net-ca.crt: /O=University of Bristol/OU=IT Services (Networks)/emailAddress=service-desk@bristol.ac.uk/L=Bristol/ST=Avon/C=GB/CN=University of Bristol Net CA
error 18 at 0 depth lookup:self signed certificate
OK
$

I read in the fetchmail manual something about c_rehash script,
but I can only find one in

/usr/ports/mail/cone/scripts/c_rehash

The fetchmail also mentions that:

*quote*
Additionally, you might need to convert the certificates to different
formats (the PEM format is expected and usually is available, DER is
another one; you can convert between both using the openssl(1) utility's
x509 sub-mode).
*end quote*

So, I'm not sure if I need to convert my certificate
to PEM format or not?

Please advise

Many thanks

--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
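
An added illustration, not part of the original message: a throwaway PKI built with the openssl CLI that reproduces the condition the fetchmail error text describes, where the CA file handed to the verifier is a self-signed CA that did not issue the server's chain, plus a check for whether a file is already PEM. All subject names, file names and the helper functions (make_demo_pki, trusts, is_pem) are constructed for this example; it assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Constructed demo: every subject name and file here is made up.

# make_demo_pki DIR: root.crt (self-signed root), site.crt (unrelated
# self-signed CA) and leaf.crt (server certificate issued by root.crt).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Public Root" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Site CA" \
        -keyout "$d/site.key" -out "$d/site.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -days 2 -CAcreateserial \
        -CA "$d/root.crt" -CAkey "$d/root.key" \
        -out "$d/leaf.crt" 2>/dev/null
}

# trusts CAFILE CERT: true only if CERT chains to an anchor in CAFILE.
# The printed verdict is matched instead of relying on the exit status.
trusts() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_pem FILE: true if FILE holds a PEM-armoured certificate.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || return 1
    for ca in site.crt root.crt; do
        if trusts "$dir/$ca" "$dir/leaf.crt"; then
            echo "CA file $ca: leaf.crt verifies"
        else
            echo "CA file $ca: verification fails"
        fi
    done
    rm -rf "$dir"
}
demo
```

A file for which is_pem fails can be converted with openssl x509 -inform DER -in FILE -out FILE.pem, the x509 sub-mode the quoted manual passage refers to.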