Date:      Mon, 23 Jul 2012 17:27:04 +0100
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        freebsd-questions@freebsd.org
Subject:   fetchmail ssl error
Message-ID:  <20120723162704.GA98615@mech-cluster241.men.bris.ac.uk>

I probably misunderstand how SSL certificates work.

$ cat .fetchmailrc 
poll staff-imap-srv.bris.ac.uk protocol imap user "mexas" password "xxxxxxx" sslcertck sslcertfile /home/mexas/cert/uob-net-ca.crt fetchall
$

$ fetchmail
fetchmail: Server certificate verification error: self signed certificate in certificate chain
fetchmail: This means that the root signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
98631:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:984:
fetchmail: staff-imap-srv.bris.ac.uk: upgrade to TLS failed.
fetchmail: Unknown login or authentication error on mexas@epo.bris.ac.uk
fetchmail: socket error while fetching from mexas@staff-imap-srv.bris.ac.uk
fetchmail: Query status=2 (SOCKET)
$

The /home/mexas/cert/uob-net-ca.crt file is supposed
to be the university certificate:

-----BEGIN CERTIFICATE-----
*several lines*
-----END CERTIFICATE-----

$ openssl verify uob-net-ca.crt 
uob-net-ca.crt: /O=University of Bristol/OU=IT Services (Networks)/emailAddress=service-desk@bristol.ac.uk/L=Bristol/ST=Avon/C=GB/CN=University of Bristol Net CA
error 18 at 0 depth lookup:self signed certificate
OK
$


I read in the fetchmail manual
something about c_rehash script,
but I can only find one in 
/usr/ports/mail/cone/scripts/c_rehash

The fetchmail also mentions that:

*quote*
 Additionally, you might need to convert the
certificates to different formats (the PEM format is expected and usually is
available, DER is another one; you can convert between both using the
openssl(1) utility's x509 sub-mode).
*end quote*

So, I'm not sure if I need to convert my
certificate to PEM format or not?

Please advise

Many thanks


-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
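
An added example, not part of the original message and not fetchmail's own code: a shell check that reports whether the file given to sslcertfile is PEM or DER, and whether it holds a certificate for the root named in the fetchmail error. The function names are hypothetical helpers, and the openssl command-line tool is assumed to be installed.

```shell
# Added example; cert_format, bundle_subjects, bundle_has_subject and
# check_trust_file are hypothetical helper names, not fetchmail or OpenSSL tools.

# Print "pem", "der" or "unknown" for a certificate file.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        # DER is binary ASN.1; a certificate starts with a SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
    fi
}

# List the subject= and issuer= lines of every certificate in a PEM file.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Succeed if some certificate in the file has a subject containing $2.
bundle_has_subject() {
    bundle_subjects "$1" | grep '^subject' | grep -F -q -- "$2"
}

# Return 0 if FILE is PEM and holds a certificate for ROOT_NAME,
# 1 if it is PEM but lacks it, 2 if it is not PEM at all.
check_trust_file() {
    file=$1 root_name=$2
    case $(cert_format "$file") in
        pem) ;;
        der) echo "$file is DER; convert it with:"
             echo "  openssl x509 -inform DER -in $file -outform PEM -out $file.pem"
             return 2 ;;
        *)   echo "$file is not a certificate file"; return 2 ;;
    esac
    if bundle_has_subject "$file" "$root_name"; then
        echo "$file contains a certificate for: $root_name"
    else
        echo "$file has no certificate for: $root_name; it holds:"
        bundle_subjects "$file" | grep '^subject'
        return 1
    fi
}

# Usage with the path and root name quoted in the message above:
# check_trust_file /home/mexas/cert/uob-net-ca.crt "AddTrust External CA Root"
```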


