Date: Mon, 10 Nov 2008 22:52:41 -0800
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Polytropon <freebsd@edvax.de>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Strange messages by fetchmail: Server certificate verification error
Message-ID: <20081111065241.GA90011@icarus.home.lan>
In-Reply-To: <20081111071831.9c9d56f2.freebsd@edvax.de>
References: <20081111071831.9c9d56f2.freebsd@edvax.de>

On Tue, Nov 11, 2008 at 07:18:31AM +0100, Polytropon wrote:
> when I installed my new FreeBSD 7 system along with fetchmail-6.3.8_4,
> no matter what I do I get these messages:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for foo at pop.bar.com
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> fetchmail: No mail for pups at pop.furz.com
>
> But message retrieval works fine. I do get them from every POP3 server
> I have in the list.
>
> On my older FreeBSD 5 system with fetchmail-6.2.5_2, I don't get these
> messages, but message retrieval works there as well - with the same
> configuration files (~/.fetchmailrc).
>
> How can I get rid of these messages? Is it possible *not* to use any
> certification, just the way the older fetchmail version seemed it to
> do?

First and foremost: this should have gone to freebsd-ports, because
you're indirectly complaining about ports. :-) I've changed the
mailing list.

Secondly, this is a very, very common question on the fetchmail-users
public mailing list (not at freebsd.org). Google returns hundreds of
results for "unable to get local issuer" fetchmail.

This web page may be of help:

http://bronski.net/data/fetchmail-eng.php

These messages mean that the POP3+SSL or IMAP+SSL server's SSL certs
cannot be verified by fetchmail. What you see are warnings, not errors,
which is why fetching mail works regardless. It's recommended you fix
the warnings.

fetchmail-6.3.8_7, and a couple earlier versions (I would have to check
to see when it was added), include security/ca_root_nss as a dependency.
That port includes a list of common public CAs which certificates (on
the server) can be verified against.

Public CA verification costs money and ultimately amounts to jack squat
(they give you no added form of security) -- however, public CAs are
recommended for public-facing SSL-based things (HTTPS, POP3S/IMAPS,
etc.). I cannot imagine telling any of my users "Oh yeah, you gotta
download our self-signed cert before it'll work". The response will be
"What is a certificate?" or "Um, I have no idea what any of that means
or how to do it".

That said: there's a good chance the servers you're fetching mail from
do not have their certificates signed by a public CA; possibly they're
self-signed (by their own CA), in which case you need to download a copy
of the CA and tell fetchmail about it. The server administrator should
be able to discuss this with you -- talk to them.

fetchmail changes severely between minor versions, which is probably why
your other box running an older fetchmail does not induce this error.
I'm willing to bet SSL certification verification was enabled between
the two versions.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
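
The situation described in the reply above, reproduced offline as an added example (not part of the original e-mail and not fetchmail's own code): a server certificate signed by a private CA fails verification with the first of the quoted messages until that CA is supplied as a trust anchor. The CA name, the host name `pop.example.test` and the helper functions `make_demo_pki` and `check_chain` are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: constructed private CA and server certificate (all names are
# made up) showing why a client rejects a chain whose issuer it does not know.

# make_demo_pki DIR: write ca.pem (private CA) and server.pem (signed by it).
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA certificate, then a server key + CSR, then the signed cert.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -subj "/CN=pop.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/server.key" \
        -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 2 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# check_chain CERT [CAFILE]: verify CERT using only CAFILE as trust anchor,
# or no trust anchors at all when CAFILE is omitted; print OpenSSL's verdict.
check_chain() {
    if [ -n "${2:-}" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" 2>&1
    fi
}

# Demo run: the same certificate, without and with the private CA available.
demo_dir=$(mktemp -d) || exit 1
make_demo_pki "$demo_dir" || exit 1
echo "Issuing CA unknown to the client:"
check_chain "$demo_dir/server.pem" || true   # rejection is the expected result
echo "Issuing CA supplied as trust anchor:"
check_chain "$demo_dir/server.pem" "$demo_dir/ca.pem"
rm -rf "$demo_dir"
```

For fetchmail, the counterpart of `-CAfile` here is placing the server's CA certificate in the directory named by its `sslcertpath` option, which has to be hashed with `c_rehash`.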