Fetchmail :: unable to get local issuer certificate


timinak

 
Member Since: Sep 12, 2011
Posts: 76
FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version
11.2.0). Comfortable with command line, but not a virtuoso, new to
Mac.

When attempting to fetch mail for pop.gmail.com the following error
messages are generated :
Code:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Certificate/fingerprint verification was somehow skipped!
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from tim042849@pop.gmail.com
fetchmail: 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 -0800 (AKDT): poll completed
fetchmail: Query status=2 (SOCKET)

cert files are in /Users/tim/.certs
Two files were created from
openssl s_client -connect pop.gmail.com:995 -showcerts
1)gmail.pem = google cert
2)equifax.pem = equifax cert
c_rehash was run after certificates were installed.
permissions :
cert files are 644 tim:staff
cert directory is 755
Polling code in .fetchmailrc is
Code:
poll pop.gmail.com with proto POP3 user '*********' there with
password '******' is 'tim' here mda "/usr/bin/procmail" options ssl
sslcertck sslcertpath /Users/tim/.certs
Entry from fetchmail -V :
Code:
Options for retrieving from *********@pop.gmail.com:
  True name of server is pop.gmail.com.
  Protocol is POP3.
  All available authentication methods will be tried.
  SSL encrypted sessions enabled.
  SSL server certificate checking enabled.
  SSL trusted certificate directory: /Users/tim/.certs
  Server nonresponse timeout is 300 seconds (default).
  Default mailbox selected.
  Only new messages will be retrieved (--all off).
  Fetched messages will not be kept on the server (--keep off).
  Old messages will not be flushed before message retrieval (--flush off).
  Oversized messages will not be flushed before message retrieval (--limitflush off).
  Rewrite of server-local addresses is enabled (--norewrite off).
  Carriage-return stripping is enabled (stripcr on).
  Carriage-return forcing is disabled (forcecr off).
  Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
  MIME decoding is disabled (mimedecode off).
  Idle after poll is disabled (idle off).
  Nonempty Status lines will be kept (dropstatus off)
  Delivered-To lines will be kept (dropdelivered off)
  Fetch message size limit is 100 (--fetchsizelimit 100).
  Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
  Messages will be delivered with "/usr/bin/procmail".
  Single-drop mode: 1 local name recognized.
  No UIDs saved from this host.
I'm not new to fetchmail, but I haven't done any config in years.
Please advise
thanks

Software developer since 1987, web programmer since
1996. Linux user since 2000. 2011 mac mini, 8 Gb RAM.
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,352
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)
First off, make sure you have POP access enabled in GMail. Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.

How did you execute c_rehash?

Here's an example .fetchmailrc I found online that you may want to try:
Code:
poll pop.gmail.com with proto POP3 and options no dns
user 'GMAIL_USERNAME@gmail.com' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
timinak

 
Quote:
Originally Posted by vansmith View Post
First off, make sure you have POP access enabled in GMail.
Sorry. not sure what you mean by the above.
Quote:
Originally Posted by vansmith View Post
Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.
Did do so..
Quote:
Originally Posted by vansmith View Post
How did you execute c_rehash?
From $HOME :
Code:
c_rehash .certs
By timestamp I could verify that the symlinks were changed.
Quote:
Originally Posted by vansmith View Post
Here's an example .fetchmailrc I found online that you may want to try:
Code:
poll pop.gmail.com with proto POP3 and options no dns
user 'GMAIL_USERNAME@gmail.com' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"
I tried the above. Same error messages.
Thank you for the reply.
tim

vansmith

 
Quote:
Originally Posted by timinak View Post
Sorry. not sure what you mean by the above.
Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.

timinak

 
Quote:
Originally Posted by vansmith View Post
Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.
Understood. And done. And still the same messages. BTW: This is working on my
linux box. I believe that fetchmail is compiled with ssl enabled on the mac and is not
on the linux.
Thanks again.
I note that you remain online. I will not. It is late here and I will check back in the morning.

timinak

 
I have a solution:
I created a new set of certificates. That was wrong. Apparently I must use the
original issue as was on my current machine. It was as simple as copying the
.certs directory from my 'old' machine to the mac.

Although I am calling this solved, I would be open to documentation on this :
I.E. How to cancel one set of certificates and issue another for the same
mail server.
cheers
tim

vansmith

 
Quote:
Originally Posted by timinak View Post
I have a solution:
I created a new set of certificates. That was wrong. Apparently I must use the
original issue as was on my current machine. It was as simple as copying the
.certs directory from my 'old' machine to the mac.
I never would have caught that so well done on finding a solution.

Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?

timinak

 
Quote:
Originally Posted by vansmith View Post
I never would have caught that so well done on finding a solution.

Quote:
Originally Posted by vansmith View Post
Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?
I think my syntax is incorrect...
Code:
linus:~ tim$ openssl verify /Users/tim/.certs equifax.pem
unable to load certificate
140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Error opening certificate file equifax.pem
140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('equifax.pem','r')
140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
linus:~ tim$ openssl verify /Users/tim/.certs 34ceaf75.0
unable to load certificate
140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Error opening certificate file 34ceaf75.0
140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('34ceaf75.0','r')
140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

vansmith

 
I think you want the following:
Code:
openssl verify -CAfile ~/.certs/equifax.pem

timinak

 
Quote:
Originally Posted by vansmith View Post
I think you want the following:
Code:
openssl verify -CAfile ~/.certs/equifax.pem
Sorry. bash just hangs when I invoke that one.
thanks

Dysfunction

 
Member Since: Mar 17, 2008
Location: Tucson, AZ
Posts: 6,638
Mac Specs: 2008 and 2011 15" mbps, late 11 iMac, iPhone 4s, and too many ipods and other stuff
I think the correct syntax would be as follows:

openssl verify /path/to/pem

(and I say this because..

mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
mikeMBP:man1 mike$ echo $?
1
)
so in this case..

openssl verify ~/.certs/equifax.pem

if that's not verifying...

mike
This machine kills fascists
Got # ? phear the command line!
timinak

 
Quote:
Originally Posted by Dysfunction View Post
I think the correct syntax would be as follows:

openssl verify /path/to/pem

(and I say this because..

mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
mikeMBP:man1 mike$ echo $?
1
)
so in this case..

openssl verify ~/.certs/equifax.pem

if that's not verifying...
Yeah, now I have
Code:
linus:run tim$ openssl verify ~/.certs/equifax.pem
/Users/tim/.certs/equifax.pem: C = US, O = Equifax, OU = Equifax Secure Certificate Authority
error 18 at 0 depth lookup:self signed certificate
OK
I have another related issue, now that gmail is working: fetchmail is also complaining about my other mail server. I get the following complaint:
Code:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware) is not in the trusted CA certificate locations, o
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
I've tried the following in fetchmailrc
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
And still get the complaint above. But even so, mail for host266.hostmonster.com
is being retrieved, but I would like to get rid of the messages ....
This ssl - enabled fetchmail is a whole new ball game!

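
Added example, not part of any post in this thread: the `openssl verify` output quoted above shows an error line followed by `OK`, so a check that only looks for `OK` would count that result as a pass. The shell sketch below reads the output strictly; the function names and the three sample outputs are constructed for illustration, and `verify_against_certpath` assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): read `openssl verify` output strictly.
# Function names are hypothetical; the sample outputs are constructed.

# Print "code depth reason" for every error line in verify output on stdin.
verify_errors() {
    sed -n 's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup: *\(.*\)$/\1 \2 \3/p'
}

# Succeed only when the output has an OK result line and no error line.
verify_output_ok() {
    awk '
        /^error [0-9]+ at [0-9]+ depth lookup/ { bad = 1 }
        $0 == "OK" || /: OK$/                  { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Verify a certificate against the hashed directory fetchmail uses as
# sslcertpath. Needs the openssl CLI; not exercised by the samples below.
verify_against_certpath() {
    # $1 = certificate directory, $2 = PEM file to check
    openssl verify -CApath "$1" "$2" 2>&1 | verify_output_ok
}

# Constructed sample 1: the shape of output shown in the post (error, then OK).
SAMPLE_ERROR_THEN_OK='/Users/tim/.certs/equifax.pem: C = US, O = Equifax, OU = Equifax Secure Certificate Authority
error 18 at 0 depth lookup:self signed certificate
OK'

# Constructed sample 2: a clean result.
SAMPLE_CLEAN='server.pem: OK'

# Constructed sample 3: issuer missing from the trusted directory.
SAMPLE_NO_ISSUER='server.pem: C = US, O = Example, CN = mail.example.test
error 20 at 0 depth lookup:unable to get local issuer certificate'

for name in SAMPLE_ERROR_THEN_OK SAMPLE_CLEAN SAMPLE_NO_ISSUER; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | verify_output_ok; then
        echo "$name: trusted"
    else
        echo "$name: NOT trusted -> $(printf '%s\n' "$text" | verify_errors)"
    fi
done
```

Error 18 on a root certificate checked by itself only says the file is self-signed and not in the trusted set; to test what fetchmail will see, check the server's own certificate against the `sslcertpath` directory with `verify_against_certpath`.
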
vansmith

 
Quote:
Originally Posted by Dysfunction View Post
I think the correct syntax would be as follows:

openssl verify /path/to/pem
My bad - shows how much I know of certs.

Quote:
Originally Posted by timinak View Post
poll host266.hostmonster.com with proto POP3
user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
Try the following:
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck

timinak

 
Quote:
Originally Posted by vansmith View Post
My bad - shows how much I know of certs.

Try the following:
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck
Nope. Adding the sslcertck keyword introduced a socket error, preventing
fetching. Ain't this fun? And I know beans about certs!
thanks

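
Added example, not part of any post in this thread: the posts above show two different outcomes of the same verification failure, a fetch that continues with a warning (`ssl` alone) and a socket error (`ssl sslcertck`). The shell function below separates the two in fetchmail output and pulls out the DN from the "issued for" message; the function name, finding labels and exit codes are this example's own, and the log text is constructed from the messages quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage fetchmail TLS messages.
# Function name, labels and exit codes are this example's own; the logs are
# constructed from the message texts quoted in the thread.

# Reads fetchmail output on stdin. Prints one finding per line:
#   CHAIN_STOPS_AT <DN>  DN from the "issued for" text; the certificate that
#                        signed it is what the trust directory lacks
#   FAIL_OPEN <n>        verification failed but the session continued
#   FAIL_CLOSED <n>      verification failed and the session was dropped
# Exit status: 2 if any FAIL_OPEN, 1 if only FAIL_CLOSED, 0 if neither.
fetchmail_tls_triage() {
    awk '
        /root signing certificate \(issued for / {
            dn = $0
            sub(/.*\(issued for /, "", dn)
            sub(/\) is not in the trusted CA.*/, "", dn)
            if (!(dn in seen)) { seen[dn] = 1; print "CHAIN_STOPS_AT " dn }
        }
        /connection is insecure, continuing anyways/ { n_open++ }
        /SSL connection failed/                      { n_closed++ }
        END {
            if (n_open)   print "FAIL_OPEN " n_open
            if (n_closed) print "FAIL_CLOSED " n_closed
            exit (n_open ? 2 : (n_closed ? 1 : 0))
        }
    '
}

# Constructed log: poll with "ssl sslcertck", CA missing -> session refused.
LOG_SSLCERTCK='fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory.
fetchmail: SSL connection failed.
fetchmail: Query status=2 (SOCKET)'

# Constructed log: poll with "ssl" only -> mail is fetched over unverified TLS.
LOG_SSL_ONLY='fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware) is not in the trusted CA certificate locations
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)'

for name in LOG_SSLCERTCK LOG_SSL_ONLY; do
    eval "log=\$$name"
    rc=0
    findings=$(printf '%s\n' "$log" | fetchmail_tls_triage) || rc=$?
    printf '== %s (status %s)\n%s\n' "$name" "$rc" "$findings"
done
```

A `FAIL_OPEN` finding means the account password and mail crossed a TLS session whose server certificate was never validated; the socket error under `sslcertck` is the safer failure until the missing CA is installed in the `sslcertpath` directory.
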
timinak

 
I opened a trouble ticket with hostmonster. They are looking into this.
I'll report back....
