Date: Tue, 6 Jul 2010 00:37:38 -0500
From: Dan Nelson <dnelson@allantgroup.com>
To: Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc: Marco Beishuizen <mbeis@xs4all.nl>, freebsd-questions@freebsd.org
Subject: Re: fetchmail certificate verification messages
Message-ID: <20100706053738.GH50409@dan.emsphone.com>
In-Reply-To: <87sk3yv4yq.fsf@kobe.laptop>
References: <alpine.BSF.2.00.1007032332560.2877@yokozuna.lan> <87sk3yv4yq.fsf@kobe.laptop>

In the last episode (Jul 05), Giorgos Keramidas said:
> On Sat, 3 Jul 2010 23:36:58 +0200 (CEST), Marco Beishuizen <mbeis@xs4all.nl> wrote:
> > I'm seeing in my logfiles a lot of messages like these from fetchmail:
> >
> > Jul 3 22:02:54 yokozuna fetchmail[1437]: Server certificate
> > verification error: self signed certificate in certificate chain
> > Jul 3 22:02:54 yokozuna fetchmail[1437]: This means that the root
> > signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External
> > TTP Network/CN=AddTrust External CA Root) is not in the trusted CA
> > certificate locations, or that c_rehash needs to be run on the
> > certificate directory. For details, please see the documentation of
> > sslcertpath and sslcertfile in the manual page.
> >
> > Does anyone know what these messages mean and if they are harmless or
> > not?
>
> This means that the certificate of CN="AddTrust External CA Root" is
> signed by itself. It's a common thing when the administrator of the
> respective SSL-enabled host has not bought a certificate from one of the
> global CA authorities, but has signed the certificate with itself to avoid
> the costs & process associated with maintaining a "normal" certificate.

CA Roots are also self-signed, btw :) AddTrust is a valid CA Root, and is
the root for some certificates signed by Network Solutions and Comodo (and
probably others).

Marco, the fetchmail manpage mentions a --sslcertfile option; try adding
"--sslcertfile /etc/ssl/cert.pem" to force fetchmail to use the ca_root_nss
file you installed previously. IMHO openssl should automatically consult
that file, but apparently it doesn't.

-- 
Dan Nelson
dnelson@allantgroup.com
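
The behaviour discussed in this message can be reproduced offline with the OpenSSL command line; this is an added example, not part of the original e-mail. It assumes OpenSSL 1.1.0 or later, and every name, key and certificate in it is constructed for the demo. `-CAfile` plays the role that `--sslcertfile` plays for fetchmail: it names the PEM file of trusted roots.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA and one leaf it signs (not real mail-server certs).
make_chain() {  # $1 = working directory
    printf '[req]\ndistinguished_name = req\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' > "$1/o.cnf"
    # Root: signed with its own key, so subject == issuer, like any CA root.
    openssl req -x509 -batch -config "$1/o.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$1/root.key" -out "$1/root.pem" -subj "/CN=Constructed Test Root" -days 2 2>/dev/null || return 1
    # Leaf: key + CSR, then signed by the root.
    openssl req -new -batch -config "$1/o.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -out "$1/leaf.pem" -days 2 2>/dev/null
}

# True when the certificate's subject and issuer names are identical.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# Root arrives only as part of the presented chain; nothing is trusted locally.
verify_server_supplied_root() {
    openssl verify -no-CAfile -no-CApath -untrusted "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same chain, but the root is named as a trusted CA file.
verify_with_bundle() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d) && make_chain "$demo_dir" || exit 1
trap 'rm -rf "$demo_dir"' EXIT
is_self_issued "$demo_dir/root.pem" && echo "root: subject == issuer (self-signed)"
echo "--- root presented in chain but absent from the trust store:"
verify_server_supplied_root "$demo_dir" || true
echo "--- same chain, root supplied as the trusted CA file:"
verify_with_bundle "$demo_dir"
```

The first verification fails with the same "self signed certificate in certificate chain" error that fetchmail logged (OpenSSL 3 hyphenates it as "self-signed"); the second succeeds without any change to the certificates themselves.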