fetchmail certificate verification messages

Dan Nelson dnelson at allantgroup.com
Tue Jul 6 05:37:41 UTC 2010


In the last episode (Jul 05), Giorgos Keramidas said:
> On Sat, 3 Jul 2010 23:36:58 +0200 (CEST), Marco Beishuizen <mbeis at xs4all.nl> wrote:
> > I'm seeing in my logfiles a lot of messages like these from fetchmail:
> >
> > Jul  3 22:02:54 yokozuna fetchmail[1437]: Server certificate
> >   verification error: self signed certificate in certificate chain
> > Jul  3 22:02:54 yokozuna fetchmail[1437]: This means that the root
> >   signing certificate (issued for /C=SE/O=AddTrust AB/OU=AddTrust External
> >   TTP Network/CN=AddTrust External CA Root) is not in the trusted CA
> >   certificate locations, or that c_rehash needs to be run on the
> >   certificate directory. For details, please see the documentation of
> >   sslcertpath and sslcertfile in the manual page.
> >
> > Does anyone know what these messages mean and if they are harmless or
> > not?
> 
> This means that the certificate of CN="AddTrust External CA Root" is
> signed by itself.  It's a common thing when the administrator of the
> respective SSL-enabled host has not bought a certificate from one of the
> global CA authorities, but has signed the certificate with itself to avoid
> the costs & process associated with maintaining a "normal" certificate.

CA Roots are also self-signed, btw :)  Addtrust is a valid CA Root, and is
the root for some certificates signed by Network Solutions and Comodo (and
probably others).  Marco, the fetchmail manpage mentions a --sslcertfile
option; try adding "--sslcertfile /etc/ssl/cert.pem" to force fetchmail to
use the ca_root_nss file you installed previously.  IMHO openssl should
automatically consult that file, but apparently it doesn't.

-- 
	Dan Nelson
	dnelson at allantgroup.com
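Worked example (added here, not part of Dan's or Marco's mails): the script below builds a throwaway CA hierarchy with the openssl(1) CLI, reproduces the exact failure fetchmail logged (OpenSSL verify error 19, "self signed certificate in certificate chain", which is what you get when the server sends its whole chain including a self-signed root that is in no trust store), and then clears it both ways the fetchmail manpage offers: a bundle file such as /etc/ssl/cert.pem (sslcertfile) and a c_rehash-style hashed directory (sslcertpath). Every certificate, subject name and path in it is constructed for the demo; the only assumption is that openssl 1.1.0 or newer is on the PATH. If the server had sent its chain without the root, the error would be 20 ("unable to get local issuer certificate") instead, but the fix is the same.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce fetchmail's
# "self signed certificate in certificate chain" (X509_V_ERR 19) with a
# constructed root -> intermediate -> server chain, then make the
# verification pass with a CA bundle (sslcertfile) or a hashed
# directory (sslcertpath).  Requires only the openssl(1) CLI.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.invalid
EOF

# Self-signed root (a CA root is always self-signed, as Dan notes),
# an intermediate signed by it, and a server certificate signed by the
# intermediate.  Names and paths are made up for the demo.
make_chain() {
    openssl req -config "$WORK/demo.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -extensions v3_ca \
        -subj "/C=XX/O=Demo Trust/CN=Demo Root CA" 2>/dev/null
    openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/C=XX/O=Demo Trust/CN=Demo Issuing CA" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions v3_int \
        -out "$WORK/int.pem" 2>/dev/null
    openssl req -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=mail.example.invalid" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/demo.cnf" -extensions v3_leaf \
        -out "$WORK/leaf.pem" 2>/dev/null
    # What a mail server typically sends alongside its own cert:
    # the intermediate and the self-signed root.
    cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/sent_chain.pem"
    # A hashed directory as c_rehash / "openssl rehash" would lay it out:
    # <subject-hash>.0 -> the root certificate.
    mkdir -p "$WORK/certs.d"
    cp "$WORK/root.pem" "$WORK/certs.d/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"
}

# Verify the server cert against the chain it sent, using whatever trust
# store options are passed in.  Prints the X509_V_ERR number (0 = OK),
# the same code fetchmail reports in its "verification error" line.
# -no-CAfile/-no-CApath keep the default system store out of the picture.
verify_code() {
    if out=$(openssl verify -no-CAfile -no-CApath "$@" \
                -untrusted "$WORK/sent_chain.pem" "$WORK/leaf.pem" 2>&1); then
        echo 0
    else
        echo "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# 1. No trust store knows the root: error 19, Marco's log message.
verify_untrusted() { verify_code; }
# 2. sslcertfile: a bundle file that contains the root (cf. /etc/ssl/cert.pem).
verify_with_bundle() { verify_code -CAfile "$WORK/root.pem"; }
# 3. sslcertpath: a directory that has been c_rehash-ed.
verify_with_hashdir() { verify_code -CApath "$WORK/certs.d"; }

make_chain
printf 'no trust store (fetchmail default here): error %s\n' "$(verify_untrusted)"
printf 'with --sslcertfile bundle:               error %s\n' "$(verify_with_bundle)"
printf 'with --sslcertpath hashed directory:     error %s\n' "$(verify_with_hashdir)"
```

Map the last three lines onto fetchmail: the first is the situation in Marco's log, the second is Dan's suggested "--sslcertfile /etc/ssl/cert.pem", and the third is what the manpage's sslcertpath plus c_rehash gives you. Note that the hashed directory only works if the file is named after the subject hash, which is exactly why the fetchmail message mentions running c_rehash.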


More information about the freebsd-questions mailing list