Mr486 |
08-12-2018 07:15 AM |
Fetchmail and Server certificate verification error: unable to get local issuer certificate
OK, this is a familiar question; I am not sure what I am missing to still get the local issuer certificate error, as when I ran the check with openssl I got success. I was under the impression all I needed was the Global CA certificate (openssl shows that it is all valid and acceptable).
Thanks!
Running fetchmail with:
Code:
fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc
/home/bloggs/fetchmailrc contains
Code:
poll outlook.office365.com localdomains ######## protocol pop3 port 995: envelope X-Envelope-To
user #####@######## password ####### to * fetchall options ssl
/home/bloggs/certs contains
Code:
lrwxrwxrwx 1 10 Aug 8 12:57 3513523f.0 -> CAROOT.pem
-rw------- 1 1338 Aug 8 08:51 CAROOT.pem
With openssl:
Code:
/usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995
outputs this:
Code:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...snip...
etc, etc, etc
...snip...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1533743966
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, Fetchmail writes this to the mail log:
Code:
starting fetchmail 6.3.26 daemon
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
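The fetchmail log above names two possible causes: the root CA certificate is not in the trusted location, or c_rehash has not been run on the directory. The shell functions below are an added example, not part of the original post; they audit a hashed directory such as the one given to --sslcertpath and check whether the issuer of a saved certificate has a hash link there. The function names, the script name and the *.pem naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenSSL hashed CA
# directory such as the one passed to fetchmail --sslcertpath.

# check_capath DIR: for every DIR/*.pem, confirm that some DIR/<hash>.N
# entry resolves to the same certificate. Returns 1 if any link is missing.
check_capath() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || { rc=1; continue; }
        want=$(openssl x509 -noout -fingerprint -sha256 -in "$pem")
        state=NOLINK
        for link in "$dir/$hash".[0-9]*; do
            [ -e "$link" ] || continue
            got=$(openssl x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null) || continue
            if [ "$got" = "$want" ]; then state=OK; fi
        done
        [ "$state" = OK ] || rc=1
        echo "$state $hash $(openssl x509 -noout -subject -in "$pem")"
    done
    return "$rc"
}

# has_anchor DIR CERT: succeed if DIR holds a hash link for the issuer of
# CERT (a PEM file, e.g. the last certificate of the chain a server sent).
has_anchor() {
    ihash=$(openssl x509 -noout -issuer_hash -in "$2") || return 2
    for link in "$1/$ihash".[0-9]*; do
        if [ -e "$link" ]; then return 0; fi
    done
    return 1
}

# Usage: sh audit.sh /home/bloggs/certs   (script name is an assumption)
if [ "$#" -ge 1 ]; then
    check_capath "$1"
fi
```

The subject hash format changed in OpenSSL 1.0.0, so compute it with the same OpenSSL version the mail client is linked against.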