LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-12-2018, 07:15 AM   #1
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Rep: Reputation: 0
Fetchmail and Server certificate verification error: unable to get local issuer certificate


ok, this familiar question, not sure what I am missing to still get the local issuer certificate as when I ran the check with openssl I got success. I was under the impression all I needed was the Global CA certificate (the openssl shows that it is all valid and acceptable)

Thanks!

running fetchmail with:

Code:
    fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc
/home/bloggs/fetchmailrc contains

Code:
poll outlook.office365.com localdomains ######## protocol pop3 port 995: envelope X-Envelope-To 
user #####@######## password ####### to * fetchall options ssl
/home/bloggs/certs contains

Code:
    lrwxrwxrwx   1           10 Aug  8 12:57 3513523f.0 -> CAROOT.pem
    -rw-------   1          1338 Aug  8 08:51 CAROOT.pem
With openssl:

Code:
    /usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995
outputs this:

Code:
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
    verify return:1
    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...snip...
    etc, etc, etc
    ...snip...  
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533743966
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    ---
However, Fetchmail writes this to the mail log
Code:
starting fetchmail 6.3.26 daemon
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.

Last edited by Mr486; 08-12-2018 at 07:21 AM.
 
Old 08-12-2018, 07:18 AM   #2
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Original Poster
Rep: Reputation: 0
Empty post

Last edited by Mr486; 08-12-2018 at 07:19 AM.
 
Old 08-12-2018, 08:20 AM   #3
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Original Poster
Rep: Reputation: 0
SOLVED

I believe the problem was that fetchmail had been built against a differnt set of SSL library to the one I ran the openssl test with. I have rebuilt fetchmail against that same library 1.0.2n and everything works as expected:

Code:
Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:56 2018: poll started
Trying to connect to 36.165.28.8/995...connected.
Certificate chain, from root to peer, starting at depth 2:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Global Root CA
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
Subject Alternative Name: *.nrb.footprintdns.com
Subject Alternative Name: *.hotmail.com
Subject Alternative Name: *.internal.outlook.com
Subject Alternative Name: *.live.com
Subject Alternative Name: *.office.com
Subject Alternative Name: *.office365.com
Subject Alternative Name: *.outlook.com
Subject Alternative Name: *.outlook.office365.com
Subject Alternative Name: attachment.outlook.live.net
Subject Alternative Name: attachment.outlook.office.net
Subject Alternative Name: attachment.outlook.officeppe.net
Subject Alternative Name: ccs.login.microsoftonline.com
Subject Alternative Name: ccs-sdf.login.microsoftonline.com
Subject Alternative Name: hotmail.com
Subject Alternative Name: mail.services.live.com
Subject Alternative Name: office365.com
Subject Alternative Name: outlook.com
Subject Alternative Name: outlook.office.com
Subject Alternative Name: substrate.office.com
Subject Alternative Name: substrate-sdf.office.com
outlook.office365.com key fingerprint: ###################################################
POP3< +OK The Microsoft Exchange POP3 service is ready. [###########################################################]
POP3> CAPA
POP3< +OK
POP3< TOP
POP3< UIDL
POP3< SASL PLAIN
POP3< USER
POP3< .
POP3> USER #######@################
POP3< +OK
POP3> PASS *
POP3< +OK User successfully logged on.
selecting or re-polling default folder
POP3> STAT
POP3< +OK 0 0
No mail for ######@###########at outlook.office365.com
POP3> QUIT
POP3< +OK Microsoft Exchange Server POP3 server signing off.
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:58 2018: poll completed
New UID list from outlook.office365.com: <empty>
not swapping UID lists, no UIDs seen this query
Query status=1 (NOMAIL)
sleeping at Sun Aug 12 14:12:58 2018 for 473 seconds
 
  


Reply

Tags
fetchmail


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Peer’s Certificate issuer is not recognized. mmm123 Linux - Security 1 11-01-2017 12:52 PM
[SOLVED] "SSL: unable to get local issuer certificate" after upgrade Filosofem Linux - Networking 1 01-08-2015 09:49 PM
[SOLVED] Problem getting gmail (local issuer certificate) with fetchmail Tim Johnson Linux - Software 4 10-07-2010 11:00 AM
fetchmail socket error and certificate verification lmcilwain Linux - Software 8 09-24-2010 05:45 AM
gftp: "Error 20:unable to get local issuer certificate" desmond33 Linux - Software 0 03-21-2007 01:07 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration