Fetchmail :: unable to get local issuer certificate

Joined
Sep 12, 2011
Messages
76
Reaction score
1
Points
8
FYI: Linux user, setting up on Mac Lion (Darwin Kernel Version
11.2.0). Comfortable with command line, but not a virtuoso, new to
Mac.

When attempting to fetch mail for pop.gmail.com the following error
messages are generated:
Code:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Certificate/fingerprint verification was somehow skipped!
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from [email protected]
fetchmail: 6.3.18 querying pop.gmail.com (protocol POP3) at Sun, 16 Oct 2011 10:20:39 -0800 (AKDT): poll completed
fetchmail: Query status=2 (SOCKET)
cert files are in /Users/tim/.certs
Two files were created from
Code:
openssl s_client -connect pop.gmail.com:995 -showcerts
1) gmail.pem = google cert
2) equifax.pem = equifax cert
c_rehash was run after certificates were installed.
permissions:
cert files are 644 tim:staff
cert directory is 755
Polling code in .fetchmailrc is
Code:
poll pop.gmail.com with proto POP3 user '*********' there with
password '******' is 'tim' here mda "/usr/bin/procmail" options ssl
sslcertck sslcertpath /Users/tim/.certs
Entry from fetchmail -V:
Code:
Options for retrieving from *********@pop.gmail.com:
  True name of server is pop.gmail.com.
  Protocol is POP3.
  All available authentication methods will be tried.
  SSL encrypted sessions enabled.
  SSL server certificate checking enabled.
  SSL trusted certificate directory: /Users/tim/.certs
  Server nonresponse timeout is 300 seconds (default).
  Default mailbox selected.
  Only new messages will be retrieved (--all off).
  Fetched messages will not be kept on the server (--keep off).
  Old messages will not be flushed before message retrieval (--flush off).
  Oversized messages will not be flushed before message retrieval (--limitflush off).
  Rewrite of server-local addresses is enabled (--norewrite off).
  Carriage-return stripping is enabled (stripcr on).
  Carriage-return forcing is disabled (forcecr off).
  Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
  MIME decoding is disabled (mimedecode off).
  Idle after poll is disabled (idle off).
  Nonempty Status lines will be kept (dropstatus off)
  Delivered-To lines will be kept (dropdelivered off)
  Fetch message size limit is 100 (--fetchsizelimit 100).
  Do binary search of UIDs during 3 out of 4 polls (--fastuidl 4).
  Messages will be delivered with "/usr/bin/procmail".
  Single-drop mode: 1 local name recognized.
  No UIDs saved from this host.

I'm not new to fetchmail, but I haven't done any config in years.
Please advise
thanks
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,943
Reaction score
578
Points
113
Location
Queensland
Your Mac's Specs
Too many devices to list
First off, make sure you have POP access enabled in GMail. Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.

How did you execute c_rehash?

Here's an example .fetchmailrc I found online that you may want to try:
Code:
poll pop.gmail.com with proto POP3 and options no dns
user '[email protected]' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"
 
OP
First off, make sure you have POP access enabled in GMail.
Sorry.:Confused: not sure what you mean by the above.
Second, make sure the permissions on the .fetchmailrc file are correct (should be 710). Also ensure that the username includes the "@gmail.com" bit.
Did do so..
How did you execute c_rehash?
From $HOME :
Code:
c_rehash .certs
By timestamp I could verify that the symlinks were changed.
Here's an example .fetchmailrc I found online that you may want to try:
Code:
poll pop.gmail.com with proto POP3 and options no dns
user '[email protected]' there with password 'GMAIL_PASSWORD' is 'LOCAL_USERNAME' here and wants mda "/usr/bin/procmail -d %T"  options ssl keep sslcertck sslcertpath "/Users/tim/.certs"
I tried the above. Same error messages.
Thank you for the reply. :Cool:
tim
 

vansmith

Sorry.:Confused: not sure what you mean by the above.
Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.
 
OP
Log into your GMail account in a browser > gear (top right hand corner) > Mail Settings > Forwarding and POP/IMAP > Enable POP.

Make sure that's set up. The error message is rather cryptic but it looks like this may be a factor.
Understood. And done. And still the same messages. BTW: This is working on my
linux box. I believe that fetchmail is compiled with ssl enabled on the mac and is not
on the linux.
Thanks again.
I note that you remain online. I will not. It is late here and I will check back in the morning.
 
OP
I have a solution:
I created a new set of certificates. That was wrong. Apparently I must use the
original issue as was on my current machine. It was as simple as copying the
.certs directory from my 'old' machine to the mac.

Although I am calling this solved, I would be open to documentation on this :
I.E. How to cancel one set of certificates and issue another for the same
mail server.
cheers
tim
 

vansmith

I have a solution:
I created a new set of certificates. That was wrong. Apparently I must use the
original issue as was on my current machine. It was as simple as copying the
.certs directory from my 'old' machine to the mac.
I never would have caught that so well done on finding a solution.

Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?
 
OP
I never would have caught that so well done on finding a solution.
:Blushing:
Out of curiosity, if you use openssl to verify the certs, what do you get printed back (see here)?
:[I think my syntax is incorrect...
Code:
linus:~ tim$ openssl verify /Users/tim/.certs equifax.pem
unable to load certificate
140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Error opening certificate file equifax.pem
140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('equifax.pem','r')
140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
linus:~ tim$ openssl verify /Users/tim/.certs 34ceaf75.0
unable to load certificate
140735270058428:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Error opening certificate file 34ceaf75.0
140735270058428:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('34ceaf75.0','r')
140735270058428:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
 

vansmith

I think you want the following:
Code:
openssl verify -CAfile ~/.certs/equifax.pem
 
Joined
Mar 17, 2008
Messages
6,879
Reaction score
191
Points
63
Location
Tucson, AZ
Your Mac's Specs
Way... way too many specs to list.
I think the correct syntax would be as follows:

openssl verify /path/to/pem

(and I say this because..

mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
mikeMBP:man1 mike$ echo $?
1
)
so in this case..

openssl verify ~/.certs/equifax.pem

if that's not verifying...
 
OP
I think the correct syntax would be as follows:

openssl verify /path/to/pem

(and I say this because..

mikeMBP:man1 mike$ grep 'CAfile' /usr/share/man/man1/openssl.1ssl
mikeMBP:man1 mike$ echo $?
1
)
so in this case..

openssl verify ~/.certs/equifax.pem

if that's not verifying...
Yeah, now I have
Code:
linus:run tim$ openssl verify ~/.certs/equifax.pem
/Users/tim/.certs/equifax.pem: C = US, O = Equifax, OU = Equifax Secure Certificate Authority
error 18 at 0 depth lookup:self signed certificate
OK
I have another related issue, now that gmail is working: fetchmail is also complaining about my other mail server. I get the following complaint:
Code:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware) is not in the trusted CA certificate locations, o
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
I've tried the following in fetchmailrc
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
And still get the complaint above. :Confused: But even so, mail for host266.hostmonster.com
is being retrieved; I would just like to get rid of the messages....
This ssl-enabled fetchmail is a whole new ball game!
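The procedure from the first post (pull the chain with s_client -showcerts, drop the CA into sslcertpath, run c_rehash) and the openssl verify exchange above, reproduced offline as an added example that is not from the thread. The CA and host names, the temp directory and every certificate are constructed stand-ins, not the Equifax/Google or hostmonster certificates.

```shell
# Added example, not from the thread: reproduce fetchmail's "unable to get
# local issuer certificate" with openssl alone and show what c_rehash fixes.
# All certificates are constructed locally in a temp dir, so it runs offline;
# the names are stand-ins for Equifax / pop.gmail.com, not the real ones.
set -eu
WORK=$(mktemp -d)
CERTS="$WORK/certs"        # stands in for sslcertpath /Users/tim/.certs
mkdir -p "$CERTS"

# Constructed root CA plus a server certificate it signs: the chain a client
# would see from "openssl s_client -showcerts".
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/C=US/O=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 -sha256 \
    -out "$WORK/server.pem" 2>/dev/null
}
# A second root with the same subject but a fresh key: the "new set of
# certificates" mistake from the thread. It looks right but signed nothing.
make_lookalike_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/C=US/O=Example Root CA" \
    -keyout "$WORK/fake.key" -out "$WORK/fake.pem" 2>/dev/null
}
# What c_rehash does per file: link <subject-hash>.0 -> file, because
# -CApath (fetchmail's sslcertpath) finds issuers by that hash, not by name.
rehash_into() {  # rehash_into DIR PEMFILE
  cp "$2" "$1/"
  ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -hash -in "$2").0"
}
# Prints ok or fail; on failure openssl's stderr carries the text fetchmail quotes.
chain_status() {  # chain_status DIR LEAFCERT
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_chain; make_lookalike_root
cp "$WORK/root.pem" "$CERTS/"                                   # present, not rehashed
echo "copied only:  $(chain_status "$CERTS" "$WORK/server.pem")"        # fail
rehash_into "$CERTS" "$WORK/root.pem"
echo "rehashed:     $(chain_status "$CERTS" "$WORK/server.pem")"        # ok
mkdir "$WORK/wrong"; rehash_into "$WORK/wrong" "$WORK/fake.pem"
echo "lookalike CA: $(chain_status "$WORK/wrong" "$WORK/server.pem")"   # fail
```

Running `openssl verify -CApath "$WORK/wrong" "$WORK/server.pem"` by hand prints openssl's own reason for the last case, which is the message fetchmail relays when the trusted directory holds the wrong issuer.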
 

vansmith

I think the correct syntax would be as follows:

openssl verify /path/to/pem
My bad - shows how much I know of certs.;)

poll host266.hostmonster.com with proto POP3
user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl
Try the following:
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck
 
OP
My bad - shows how much I know of certs.;)

Try the following:
Code:
poll host266.hostmonster.com with proto POP3
       user '***@akwebsoft.com' there with password '*******' is 'tim' here mda "/usr/bin/procmail" options ssl sslcertck
Nope. Adding the sslcertck keyword introduced a socket error, preventing
fetching. ;P Ain't this fun? And I know beans about certs!
thanks
 
OP
I opened a trouble ticket with hostmonster. They are looking into this.
I'll report back....
 
