Date:      Sun, 15 Aug 2010 12:38:07 -0700 (PDT)
From:      Dan Strick <mla_strick@att.net>
To:        freebsd-questions@freebsd.org
Cc:        mla@mist.nodomain
Subject:   fetchmail ssl certificate verification problem in FreeBSD 8.1
Message-ID:  <201008151938.o7FJc7vD001866@mist.nodomain>

I just installed FreeBSD release 8.1 and rebuilt the fetchmail port.
Now I get messages like these when I run fetchmail:

    fetchmail: Warning: the connection is insecure, continuing anyways.
               (Better use --sslcertck!)
    fetchmail: No mail for whoever@att.net at att
    fetchmail: Server certificate verification error: unable to get local
               issuer certificate
    fetchmail: This means that the root signing certificate (issued for
               /C=US/ST=California/L=Santa Clara/O=Yahoo! Inc./OU=Yahoo
               /CN=pop.att.yahoo.com) is not in the trusted CA certificate
               locations, or that c_rehash needs to be run on the certificate
               directory. For details, please see the documentation of
               --sslcertpath and --sslcertfile in the manual page.
    fetchmail: Server certificate verification error: certificate not trusted
    fetchmail: Server certificate verification error: unable to verify the
               first certificate

I just rebooted my old FreeBSD 8.0 system and verified that the old
fetchmail does not complain about this.  My .fetchmailrc file has not
changed.  It looks something like this:

    poll att via pop.att.yahoo.com proto pop3
         user "whoever@att.net" pass "whatever" is "mla" ssl

I can get rid of the message by removing the ssl option from the user
line but then fetchmail would not even try to use ssl.  Why would the
old fetchmail be better able to verify the server's ssl certificate?
Has openssl changed?  Where is the openssl certificate directory and why
should the information needed to verify the server's certificate be
found on my machine?  Doesn't the openssl library contain something
like a hardwired list of well known certificate authority systems?

Thanks for any information you can provide.

Dan Strick
mla_strick at att.net
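
The trust-store lookup that the error text refers to, as an added example that is not part of the original message: it builds a throwaway CA and server certificate (all names constructed) and runs `openssl verify` with no trusted root, a CA file, an unhashed directory and a hashed one. It assumes the `openssl` command-line tool and its default configuration file are installed.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and server certificate, hypothetical names.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_certs() {
    # Self-signed root CA, standing in for the real issuer's root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    # Server key and CSR, then a server certificate signed by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null
    openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 2 \
        -out "$work/srv.pem" 2>/dev/null
}

verdict() {
    # Verify srv.pem with the given trust options; print "OK" or the reason.
    out=$(openssl verify "$@" "$work/srv.pem" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/^error [0-9]* at .* lookup: *//p' | head -n 1
}

make_certs
mkdir "$work/empty" "$work/certs"

# 1. Issuer's root not in any trusted location: the failure fetchmail reports.
echo "no trusted root: $(verdict -CApath "$work/empty")"

# 2. Root supplied as a single PEM file (what --sslcertfile points at).
echo "CA file:         $(verdict -CAfile "$work/ca.pem")"

# 3. Root copied into a directory (what --sslcertpath points at). OpenSSL
#    looks certificates up by <subject-hash>.0, so a plain copy is not found.
cp "$work/ca.pem" "$work/certs/demo-root.pem"
echo "dir, unhashed:   $(verdict -CApath "$work/certs")"

# 4. Add the hash-named link, which is the step c_rehash automates.
hash=$(openssl x509 -noout -hash -in "$work/ca.pem")
ln -s demo-root.pem "$work/certs/$hash.0"
echo "dir, hashed:     $(verdict -CApath "$work/certs")"
```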