Certificate error

Jon Radel jon at radel.com
Mon May 11 19:40:45 UTC 2015 

On 5/11/15 11:01 AM, Ernie Luzar wrote:
>
>>>
>>>
>>> fetchmail: Server certificate verification error: self signed 
>>> certificate
>>> fetchmail: Missing trust anchor certificate:
>>>
>>>
>> As a result, I'm kind of confused as to why fetchmail is complaining 
>> about a missing trust anchor for a self-signed certificate.  But that 
>> does lead to the question:  Did you install the CA certificate, 
>> CA.cert, where fetchmail will use it for verifying certificates? You 
>> should also realize that if you want to use your own CA, you're much 
>> better off not creating a new one willy-nilly, as you need to install 
>> the CA cert for every client which you want to actually verify the 
>> certificates signed by that CA.  See 
>> http://lists.ccil.org/pipermail/fetchmail-friends/2006-April/010051.html 
>> for more.
> Fetchmail is being used as a diagnostic tool. Fetchmail will follow 
> how a pop3 server is configured and in my case I am trying to test my 
> pop3 qpopper server for TLS. From the original post posted fetchmail 
> log you see that the pop3 server is offering STLS. This is what I am 
> expecting. Then the log shows the certs are missing a anchor point. 
Hence my question as to whether you installed the CA.cert for 
fetchmail.  Which you appear to have not answered.  Nor do you seem to 
have read the reference on the fetchmail mailing list that addresses how 
to either make fetchmail less picky about certificates or install the CA 
root certificate.
> The posted cert build script is not some thing I pulled out of the air 
> or something I make up as a guess. 
Never said you were.  I did point out that you were showing commands to 
sign a certificate with your own CA in an e-mail where you were 
complaining about being unable to get a self-signed certificate to 
work.  If you're mixing and matching bits and pieces of different 
experiments in the same question, this rapidly becomes even more of a 
futile exercise than it already is.
> I have a few different  combinations of openssl command sequences form 
> different articles I read on the internet and all of them get the same 
> error. I just point qpopper to use the key & cert files made 
> separately by openssl commands. 
Yeah, but the last little bit of logging doesn't have qpopper the least 
bit upset so far as I can tell; it's got fetchmail upset. What does 
fetchmail have installed?
> What sequence of openssl commands do you suggest I use?
>
Alas, alack, I find it hard to care; either type of certificate can be 
made to work with differing tradeoffs. Personally I simply use 
https://www.cacert.org when I need a free certificate in a place where I 
control the clients.  But if you go that route, YOU STILL NEED TO 
INSTALL THE CA'S ROOT CERTIFICATES FOR FETCHMAIL!  I would suggest you 
search for a tutorial on how TLS works that you're comfortable with and 
study it with care.

In any case, this:

> fetchmail: POP3< STLS
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK STLS
> fetchmail: Server certificate:
> fetchmail: Issuer Organization: Powerman
> fetchmail: Issuer CommonName: pop.powerman.com
> fetchmail: Subject CommonName: pop.powerman.com
> fetchmail: pop.a1poweruser.com key fingerprint: 
> 51:EC:3E:14:EA:E0:A9:97:1F:9F:D9:30:35:72:44:EA
>
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Missing trust anchor certificate:

makes me think you may have a certificate installed just fine on qpopper 
and are simply ignoring that the default behavior of fetchmail is to be 
very picky about certificates.  In other words, you may be abusing your 
diagnostic tool something terrible, and results with your actual 
client(s) may be completely different, depending on how they feel about 
using TLS for verification as opposed to for *only* encryption.

Read http://www.fetchmail.info/fetchmail-FAQ.html#K5 for more.

--Jon Radel
jon at radel.com


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3870 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20150511/6f567d8b/attachment.bin>

More information about the freebsd-questions mailing list