  1. #1


    Member Since
    Sep 12, 2011
    Posts
    76
    Fetchmail :: unable to get local issuer certificate
    FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version
    11.2.0). Comfortable with command line, but not a virtuoso, new to
    Mac.

    When attempting to fetch mail for pop.gmail.com the following error
    messages are generated :
    Code:
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
    fetchmail: Certificate/fingerprint verification was somehow skipped!
    fetchmail: SSL connection failed.
    fetchmail: socket error while fetching from tim042849@pop.gmail.com
    fetchmail: 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 -0800 (AKDT): poll completed
    fetchmail: Query status=2 (SOCKET)
    cert files are in /Users/tim/.certs
    Two files were created from
    openssl s_client -connect pop.gmail.com:995 -showcerts
    1)gmail.pem = google cert
    2)equifax.pem = equifax cert
    c_rehash was run after certificates were installed.
    permissions :
    cert files are 644 tim:staff
    cert directory is 755
    Polling code in .fetchmailrc is
    Code:
    poll pop.gmail.com with proto POP3 user '*********' there with
    password '******' is 'tim' here mda "/usr/bin/procmail" options ssl
    sslcertck sslcertpath /Users/tim/.certs
    Entry from fetchmail -V :
    Code:
    Options for retrieving from *********@pop.gmail.com:
      True name of server is pop.gmail.com.
      Protocol is POP3.
      All available authentication methods will be tried.
      SSL encrypted sessions enabled.
      SSL server certificate checking enabled.
      SSL trusted certificate directory: /Users/tim/.certs
      Server nonresponse timeout is 300 seconds (default).
      Default mailbox selected.
      Only new messages will be retrieved (--all off).
      Fetched messages will not be kept on the server (--keep off).
      Old messages will not be flushed before message retrieval (--flush off).
      Oversized messages will not be flushed before message retrieval (--limitflush off).
      Rewrite of server-local addresses is enabled (--norewrite off).
      Carriage-return stripping is enabled (stripcr on).
      Carriage-return forcing is disabled (forcecr off).
      Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
      MIME decoding is disabled (mimedecode off).
      Idle after poll is disabled (idle off).
      Nonempty Status lines will be kept (dropstatus off)
      Delivered-To lines will be kept (dropdelivered off)
      Fetch message size limit is 100 (--fetchsizelimit 100).
      Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
      Messages will be delivered with "/usr/bin/procmail".
      Single-drop mode: 1 local name recognized.
      No UIDs saved from this host.
    I'm not new to fetchmail, but I haven't done any config in years.
    Please advise
    thanks
    Software developer since 1987, web programmer since
    1996. Linux user since 2000. 2011 mac mini, 8 Gb RAM.

  2. #2

    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    First off, make sure you have POP access enabled in GMail. Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.

    How did you execute c_rehash?

    Here's an example .fetchmailrc I found online that you may want to try:
    Code:
    poll pop.gmail.com with proto POP3 and options no dns
    user 'GMAIL_USERNAME@gmail.com' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"
    Important Links: Community Guidelines : Use the reputation system if you've been helped.
    M-F Blog :: Write for the blog
    Writing a Quality Post

  3. #3


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by vansmith View Post
    First off, make sure you have POP access enabled in GMail.
    Sorry. not sure what you mean by the above.
    Quote Originally Posted by vansmith View Post
    Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.
    Did do so..
    Quote Originally Posted by vansmith View Post
    How did you execute c_rehash?
    From $HOME :
    Code:
    c_rehash .certs
    By timestamp I could verify that the symlinks were changed.
    Quote Originally Posted by vansmith View Post
    Here's an example .fetchmailrc I found online that you may want to try:
    Code:
    poll pop.gmail.com with proto POP3 and options no dns
    user 'GMAIL_USERNAME@gmail.com' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"
    I tried the above. Same error messages.
    Thank you for the reply.
    tim

  4. #4

    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    Quote Originally Posted by timinak View Post
    Sorry. not sure what you mean by the above.
    Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

    Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.

  5. #5


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by vansmith View Post
    Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

    Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.
    Understood. And done. And still the same messages. BTW: This is working on my
    linux box. I believe that fetchmail is compiled with ssl enabled on the mac and is not
    on the linux.
    Thanks again.
    I note that you remain online. I will not. It is late here and I will check back in the morning.

  6. #6


    Member Since
    Sep 12, 2011
    Posts
    76
    I have a solution:
    I created a new set of certificates. That was wrong. Apparently I must use the
    original issue as was on my current machine. It was as simple as copying the
    .certs directory from my 'old' machine to the mac.

    Although I am calling this solved, I would be open to documentation on this :
    I.E. How to cancel one set of certificates and issue another for the same
    mail server.
    cheers
    tim

  7. #7

    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    Quote Originally Posted by timinak View Post
    I have a solution:
    I created a new set of certificates. That was wrong. Apparently I must use the
    original issue as was on my current machine. It was as simple as copying the
    .certs directory from my 'old' machine to the mac.
    I never would have caught that so well done on finding a solution.

    Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?

  8. #8


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by vansmith View Post
    I never would have caught that so well done on finding a solution.

    Quote Originally Posted by vansmith View Post
    Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?
    I think my syntax is incorrect...
    Code:
    linus:~ tim$ openssl verify /Users/tim/.certs equifax.pem
    unable to load certificate
    140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    Error opening certificate file equifax.pem
    140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('equifax.pem','r')
    140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load certificate
    linus:~ tim$ openssl verify /Users/tim/.certs 34ceaf75.0
    unable to load certificate
    140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
    Error opening certificate file 34ceaf75.0
    140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('34ceaf75.0','r')
    140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load certificate

  9. #9

    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    I think you want the following:
    Code:
    openssl verify -CAfile ~/.certs/equifax.pem

  10. #10


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by vansmith View Post
    I think you want the following:
    Code:
    openssl verify -CAfile ~/.certs/equifax.pem
    Sorry. bash just hangs when I invoke that one.
    thanks

  11. #11

    Dysfunction's Avatar
    Member Since
    Mar 17, 2008
    Location
    Tucson, AZ
    Posts
    6,881
    Specs:
    Way... way too many specs to list.
    I think the correct syntax would be as follows:

    openssl verify /path/to/pem

    (and I say this because..

    mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
    mikeMBP:man1 mike$ echo $?
    1
    )
    so in this case..

    openssl verify ~/.certs/equifax.pem

    if that's not verifying...
    mike
    This machine kills fascists
    Got # ? phear the command line!

  12. #12


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by Dysfunction View Post
    I think the correct syntax would be as follows:

    openssl verify /path/to/pem

    (and I say this because..

    mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
    mikeMBP:man1 mike$ echo $?
    1
    )
    so in this case..

    openssl verify ~/.certs/equifax.pem

    if that's not verifying...
    Yeah, now I have
    Code:
    linus:run tim$ openssl verify ~/.certs/equifax.pem
    /Users/tim/.certs/equifax.pem: C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    error 18 at 0 depth lookup:self signed certificate
    OK
    I have another related issue, now that gmail is working: fetchmail is also complaining about my other mail server. I get the following complaint:
    Code:
    fetchmail: Server certificate verification error: unable to get local issuer certificate
    fetchmail: This means that the root signing certificate (issued for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware) is not in the trusted CA certificate locations, o
    fetchmail: Server certificate verification error: certificate not trusted
    fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
    I've tried the following in fetchmailrc
    Code:
    poll host266.hostmonster.com with proto POP3
           user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
    And still get the complaint above. But even so, mail for host266.hostmonster.com
    is being retrieved, but I would like to get rid of the messages ....
    This ssl-enabled fetchmail is a whole new ball game!
    Software developer since 1987, web programmer since
    1996. Linux user since 2000. 2011 mac mini, 8 Gb RAM.
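
Added example, not written by any poster in this thread: a shell script showing why the directory given to `sslcertpath` needs both the issuing root certificate and the hash-named link that c_rehash creates, which is what "unable to get local issuer certificate" is reporting. The demo CA, the host name `pop.example.test` and all paths are constructed, and the script assumes the `openssl` command-line tool is installed.

```shell
# Added example; the CA, host name and directories are constructed for the demo.

# Create a throwaway root CA and a server certificate signed by it in dir $1.
make_demo_chain() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n' > "$d/ca.cnf"
    printf '[dn]\nCN=Demo Root CA\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >> "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=pop.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# What c_rehash does for one file: link it as <subject-hash>.0, the only name
# OpenSSL's directory lookup (fetchmail's sslcertpath) will open.
hash_link() {   # $1 = certificate directory, $2 = PEM file name inside it
    h=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    ln -sf "$2" "$1/$h.0"
}

# True only for a clean result: any reported error counts as failure, even if
# the output ends in OK as in the "error 18 ... OK" transcript above.
chain_ok() {    # $1 = certificate directory, $2 = certificate to check
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true   # parse text, not status
    case $out in
        *"error "[0-9]*) return 1 ;;
        *": OK"*) return 0 ;;
    esac
    return 1
}

# The same directory in three states: empty, root copied in, root hashed.
demo() {
    w=$(mktemp -d) || return 1
    mkdir "$w/certs" && make_demo_chain "$w" || return 1
    chain_ok "$w/certs" "$w/leaf.pem" && r1=ok || r1=fail
    cp "$w/root.pem" "$w/certs/root.pem"
    chain_ok "$w/certs" "$w/leaf.pem" && r2=ok || r2=fail
    hash_link "$w/certs" root.pem
    chain_ok "$w/certs" "$w/leaf.pem" && r3=ok || r3=fail
    rm -rf "$w"
    echo "$r1 $r2 $r3"
}

demo
```

The middle state is the one the fetchmail message hints at: the root file is in the directory, but without the hash link the lookup never finds it.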

  13. #13

    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,782
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    Quote Originally Posted by Dysfunction View Post
    I think the correct syntax would be as follows:

    openssl verify /path/to/pem
    My bad - shows how much I know of certs.

    Quote Originally Posted by timinak View Post
    poll host266.hostmonster.com with proto POP3
    user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
    Try the following:
    Code:
    poll host266.hostmonster.com with proto POP3
           user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck

  14. #14


    Member Since
    Sep 12, 2011
    Posts
    76
    Quote Originally Posted by vansmith View Post
    My bad - shows how much I know of certs.

    Try the following:
    Code:
    poll host266.hostmonster.com with proto POP3
           user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck
    Nope. Adding the sslcertck keyword introduced a socket error, preventing
    fetching. Ain't this fun? And I know beans about certs!
    thanks

  15. #15


    Member Since
    Sep 12, 2011
    Posts
    76
    I opened a trouble ticket with hostmonster. They are looking into this.
    I'll report back....
