Re: Fetchmail certificate problem
Johann Spies <jspies@sun.ac.za> wrote:
> I get this error message:
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: This means that the root signing certificate (issued for /C=US/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
> But I get my email.
It looks like your Internet Mail Provider (IMP) is offering TLS with a
self-signed certificate. So fetchmail is correctly warning you that the
certificate provides no confirmation of identity and little assurance
of security.
> Changing it to uncomment
> sslcertck and
> sslcertpath /etc/ssl/certs
> In this case fetching the email fails.
This is correct. Have you read the fetchmail documentation for the
sslcertck option?
> The service provider sent me a certificate which I did put in the path
> referred to in the configuration but it did not solve the problem.
> How can I solve this problem?
What's the problem you're documenting?
- your IMP hasn't got a trusted certificate?
(IMO there's really little excuse for this.)
- your IMP doesn't know what it's doing?
(Is C=US/ST=Someprovince/L=Sometown/... really what's in the
certificate? If so, I'd look elsewhere. Seriously.)
- you don't understand why fetchmail's complaining at you?
(See above.)
- you've put some certificate somewhere and it doesn't work?
(If you accept your IMP's root certificate then you are trusting them
for everything. If it's just the braindead self-signed certificate
then you have a chance of keeping your security intact. But you do
need to do more than just put the certificate in the /etc/ssl/certs
directory - read fetchmail's sslcertpath documentation.)
Chris
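
The point made in the reply above, and in fetchmail's own hint about c_rehash, can be reproduced offline. This is an added example, not part of the original thread: the certificate, the host name mail.example.invalid, the temporary directory and the function names are all constructed for the demonstration. It shows that a certificate copied into a certificate directory is not found until the subject-hash link exists.

```shell
#!/bin/sh
# Added example. The certificate, host name and directories are constructed;
# nothing here touches /etc/ssl/certs or a real mail server.

# Stand-in for the self-signed certificate the provider sent.
make_cert() {                       # $1 = output PEM file
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.invalid" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$1.key"                  # private key is not needed for this demo
}

# SHA-256 fingerprint, to compare with a value obtained from the provider
# out of band before trusting the certificate.
fingerprint() {                     # $1 = PEM file
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# What c_rehash does for one file: OpenSSL finds certificates in a
# directory by the name <subject-hash>.0, not by scanning the files.
hash_link() {                       # $1 = directory, $2 = file name inside it
    h=$(openssl x509 -noout -subject_hash -in "$1/$2") || return 1
    ln -sf "$2" "$1/$h.0"
}

# Exit status 0 only if the certificate verifies against the directory.
verifies() {                        # $1 = CA directory, $2 = PEM file
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/certs"
    make_cert "$work/imp.pem"
    cp "$work/imp.pem" "$work/certs/imp.pem"
    echo "fingerprint: $(fingerprint "$work/imp.pem")"
    if verifies "$work/certs" "$work/imp.pem"; then before=ok; else before=fail; fi
    hash_link "$work/certs" imp.pem
    if verifies "$work/certs" "$work/imp.pem"; then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "copied only: $before; after hash link: $after"
}

demo
```

With the link in place, sslcertck together with an sslcertpath that points at that directory lets fetchmail verify the certificate. Using a directory that holds only this one certificate, rather than /etc/ssl/certs, is an assumption of the example.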