Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 11 May 2015 16:46:50 -0400
From:      Ernie Luzar <luzar722@gmail.com>
To:        Jon Radel <jon@radel.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Certificate error
Message-ID:  <5551153A.4000800@gmail.com>
In-Reply-To: <555105BA.4010702@radel.com>
References:  <554FC878.7070401@gmail.com> <55501D92.2020102@radel.com> <5550C454.60202@gmail.com> <555105BA.4010702@radel.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Jon Radel wrote:
> On 5/11/15 11:01 AM, Ernie Luzar wrote:
>>
>>>>
>>>>
>>>> fetchmail: Server certificate verification error: self signed 
>>>> certificate
>>>> fetchmail: Missing trust anchor certificate:
>>>>
>>>>
>>> As a result, I'm kind of confused as to why fetchmail is complaining 
>>> about a missing trust anchor for a self-signed certificate.  But 
>>> that does lead to the question:  Did you install the CA certificate, 
>>> CA.cert, where fetchmail will use it for verifying certificates? You 
>>> should also realize that if you want to use your own CA, you're much 
>>> better off not creating a new one willy-nilly, as you need to 
>>> install the CA cert for every client which you want to actually 
>>> verify the certificates signed by that CA.  See 
>>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html 
>>> for more.
>> Fetchmail is being used as a diagnostic tool. Fetchmail will follow 
>> how a pop3 server is configured and in my case I am trying to test my 
>> pop3 qpopper server for TLS. From the original post posted fetchmail 
>> log you see that the pop3 server is offering STLS. This is what I am 
>> expecting. Then the log shows the certs are missing a anchor point. 
> Hence my question as to whether you installed the CA.cert for 
> fetchmail.  Which you appear to have not answered.  Nor do you seem to 
> have read the reference on the fetchmail mailing list that addresses 
> how to either make fetchmail less picky about certificates or install 
> the CA root certificate.
>> The posted cert build script is not some thing I pulled out of the 
>> air or something I make up as a guess. 
> Never said you were.  I did point out that you were showing commands 
> to sign a certificate with your own CA in an e-mail where you were 
> complaining about being unable to get a self-signed certificate to 
> work.  If you're mixing and matching bits and pieces of different 
> experiments in the same question, this rapidly becomes even more of a 
> futile exercise than it already is.
>> I have a few different  combinations of openssl command sequences 
>> form different articles I read on the internet and all of them get 
>> the same error. I just point qpopper to use the key & cert files made 
>> separately by openssl commands. 
> Yeah, but the last little bit of logging doesn't have qpopper the 
> least bit upset so far as I can tell; it's got fetchmail upset. What 
> does fetchmail have installed?
>> What sequence of openssl commands do you suggest I use?
>>
> Alas, alack, I find it hard to care; either type of certificate can be 
> made to work with differing tradeoffs. Personally I simply use 
> https://www.cacert.org when I need a free certificate in a place where 
> I control the clients.  But if you go that route, YOU STILL NEED TO 
> INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL!  I would suggest you 
> search for a tutorial on how TLS works that you're comfortable with 
> and study it with care.
>
> In any case, this:
>
>> fetchmail: POP3< STLS
>> fetchmail: POP3< .
>> fetchmail: POP3> STLS
>> fetchmail: POP3< +OK STLS
>> fetchmail: Server certificate:
>> fetchmail: Issuer Organization: Powerman
>> fetchmail: Issuer CommonName: pop.powerman.com
>> fetchmail: Subject CommonName: pop.powerman.com
>> fetchmail: pop.a1poweruser.com key fingerprint: 
>> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>>
>> fetchmail: Server certificate verification error: self signed 
>> certificate
>> fetchmail: Missing trust anchor certificate:
>
> makes me think you may have a certificate installed just fine on 
> qpopper and are simply ignoring that the default behavior of fetchmail 
> is to be very picky about certificates.  In other words, you may be 
> abusing your diagnostic tool something terrible, and results with your 
> actual client(s) may be completely different, depending on how they 
> feel about using TLS for verification as opposed to for *only* 
> encryption.
>
> Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.
>
> --Jon Radel
> jon@radel.com
>
>
When I run fetchmail againest my ISP mail pop server it runs fine and 
populates my postfix server and shows basically the same log sequence. I 
just change the poll  and user statements in .fetchmailrc. Fetchmail 
will follow what ever the pop server it's connecting to tells it to do 
which is TLS. Fetchmail is not the problem here. Many of the how-to on 
the internet recommend using fetchmail in this manner to diagnose  pop 
servers connection problems.  Lets move on to certification problem.

Is there some openssl commands that can be used to verify the key/cert 
file combination is correct and workable?

I continued to look for a better method of creating certs. Today I found 
this one and have given it a try
.     
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php 

followed by the first 2 openssl commands on this page
      
http://www.freebsdmadeeasy.com/tutorials/web-server/apache-ssl-certs.php

I now get different results

Script started on Mon May 11 16:14:20 2015
/root >fetchmail -vv -c
fetchmail: --check mode enabled, not fetching mail
fetchmail: 6.3.26 querying pop.powerman.com (protocol POP3) at Mon May 
11 16:14:34 2015: poll started
Trying to connect to 10.0.10.2/110...connected.
fetchmail: POP3< +OK ready  <5281.1431375274@localhost>
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 0
fetchmail: POP3< EXPIRE NEVER
fetchmail: POP3< UIDL
fetchmail: POP3< RESP-CODES
fetchmail: POP3< AUTH-RESP-CODE
fetchmail: POP3< X-MANGLE
fetchmail: POP3< X-MACRO
fetchmail: POP3< X-LOCALTIME Mon, 11 May 2015 16:14:34 -0400
fetchmail: POP3< STLS
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK STLS
fetchmail: Server certificate:
fetchmail: Issuer Organization: powerman
fetchmail: Issuer CommonName: pop.powerman.com
fetchmail: Subject CommonName: pop.powerman.com
fetchmail: pop.powerman.com key fingerprint: 
F8:FF:A3:6F:7B:BA:F0:CB:2D:B0:6A:04:59:30:77:85
fetchmail: Server certificate verification error: unable to get local 
issuer certificate
fetchmail: Broken certification chain at: 
/C=US/ST=PA/L=Chester/O=Powerman/CN=pop.powerman.com
fetchmail: This could mean that the server did not provide the 
intermediate CA's certificate(s),
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the 
first certificate


.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5551153A.4000800>