# fetchmail 6.3.6 certificate errors

## figueroa

The new fetchmail causes my mailserver to spew error messages every time it activates (every 5 minutes per crontab) and thus emails such as:

```
fetchmail: Server CommonName mismatch: whoever.com != mail.mydomain.net
fetchmail: Server certificate verification error: self signed certificate
```

I don't control the mail service provider's certificates. For the time being I downgraded, though portage would not let me go back to 6.3.4 because of missing keywords, so I went back to 6.3.3, masked by keyword ~x86.

I didn't want to do that, but for the time being it contains the flood of error emails. The only other way to contain them would have been to add 2> /dev/null to the crontab entry, and I didn't want to do that either because it would suppress real errors.

Any solutions? I'd like to suppress 6.3.6's excessive compulsive error reports about certificates.

----------

## tkhobbes

Hi there

I have the same problem - did you find any solution to this?

thomas

----------

## alex260978

Citation 1:

```
fetchmail: Server CommonName mismatch: whoever.com != mail.mydomain.net
```

This means that your provider is using an SSL certificate issued for "whoever.com" instead of "mail.mydomain.net".

In fact see: http://www.howtoforge.com/forums/showthread.php?t=107

Citation 2:

```
fetchmail: Server certificate verification error: self signed certificate
```

Well, the error you are getting is because the certificate verification failed.

One reason could be that the certs dir isn't set up properly or the self-signed server certificate is not readable to the fetchmail process. A third possibility is that the server certificate has inappropriate extensions.

I looked at the document at:

http://wanderingbarque.com/howtos/mailserver/mailserver.html

It mentions how to generate a certificate but using the older CA.sh shell script. The CA.pl perl script is the more up-to-date version.

I can't see any mention of creating a self-signed certificate there other than as an indirect consequence of the -newca option. The procedure there is to generate a root CA to sign other certificates with.

If you want to just generate a self-signed certificate and key you can use the single command:

```
openssl req -x509 -out sscert.pem -new -nodes -keyout sskey.pem -days 3650
```

I think this is OK also for 6.3.3.

Bye.

----------

## tkhobbes

OK, got rid of the first error. Now, I also got the .crt file from my provider... where does it have to sit?

----------

## alex260978

OK, if you have the certificate file of your provider, then you can put it under the SSL path.

For example for SMTP (Postfix):

```
# TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/share/ssl/hosting.example/ExamplePrivateKey.pem
smtpd_tls_cert_file = /usr/share/ssl/hosting.example/ExampleCert.pem
smtpd_tls_CAfile = /usr/share/ssl/hosting.example/demoCA/cacert.pem
```

I think /usr/share/ssl/ or a subdirectory of it; you can try that.

For precision you can pay attention to your log files, "cat syslog | grep fetchmail" (you already know).

P.S. Tell me if it works for you.

----------

## tkhobbes

Hi there

This doesn't work.

What happens is that fetchmail issues the following error messages:

```
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate
```

I copied my provider's certificate to /etc/ssl/certs and issued a c_rehash. This did not help. I started fetchmail with the --ssl and the --sslcertpath /etc/ssl/certs options - no change...

I don't even understand why fetchmail all of a sudden uses certificates?

----------

## alex260978

Perhaps I explained my opinion wrongly:

First, download the certificate [say, "myprovider.crt"].

Second, [the step I was missing, from 'man x509'],

```
openssl x509 -in myprovider.crt -addtrust emailProtection -out uni.pem
```

Third, put the file myprovider.pem into a directory, say ~/.my_trusted_certs.

Fourth, run

```
c_rehash ~/.my_trusted_certs
```

Fifth, edit the .fetchmailrc to append 'sslcertpath "$HOME/.my_trusted_certs"' to the myprovider's line.

Now it should work without the error.

----------
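The five steps above, carried through end to end as an added worked example (shell; this is not code from the thread or from the fetchmail project). Because there is no provider certificate to download offline, a self-signed certificate generated with the `openssl req -x509` command quoted earlier stands in for it (constructed input); the directory, file names and the poll line are placeholders. Two details differ from the post and are deliberate: the `<hash>.0` link is created with `openssl x509 -hash` so the example does not depend on the `c_rehash` script being installed, and the trust purpose is `serverAuth` rather than `emailProtection`, because fetchmail is verifying a TLS server certificate and current OpenSSL releases reject a trust anchor whose trust attributes do not cover the connection's purpose.

```shell
#!/bin/sh
# Added example, not from the thread: build a trust directory for fetchmail's
# sslcertpath from a provider certificate and check it with openssl verify.
# Assumptions: the provider certificate is simulated with a self-signed cert
# (constructed input); directory and file names are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
TRUSTDIR="$WORKDIR/my_trusted_certs"      # stands in for ~/.my_trusted_certs

# Constructed input: a self-signed certificate playing the provider's .crt
# (step 1 of the post is "download the certificate"; nothing can be
# downloaded offline, so one is generated with the command quoted earlier).
make_self_signed() {   # $1 = CN, $2 = output cert path, $3 = output key path
    openssl req -x509 -new -nodes -days 3650 -subj "/CN=$1" \
        -keyout "$3" -out "$2" 2>/dev/null
}

# Steps 2 to 4: mark the cert as trusted for TLS server use, place it in the
# directory and create the <subject-hash>.0 link that OpenSSL's directory
# lookup (what c_rehash produces) requires. The post uses emailProtection;
# serverAuth is used here because fetchmail verifies a TLS *server*
# certificate and current OpenSSL honours the trust purpose.
build_trust_dir() {   # $1 = provider cert; prints the path of the hash link
    mkdir -p "$TRUSTDIR"
    openssl x509 -in "$1" -addtrust serverAuth -out "$TRUSTDIR/myprovider.pem"
    hash=$(openssl x509 -in "$TRUSTDIR/myprovider.pem" -noout -hash)
    ln -sf myprovider.pem "$TRUSTDIR/$hash.0"
    printf '%s\n' "$TRUSTDIR/$hash.0"
}

# Check: would OpenSSL accept this certificate as a TLS server cert using
# only the trust directory? Exit status 0 means yes.
verify_against_trust_dir() {   # $1 = certificate to check
    openssl verify -purpose sslserver -CApath "$TRUSTDIR" "$1" >/dev/null 2>&1
}

# Step 5: the poll line with sslcertpath appended (goes into ~/.fetchmailrc).
fetchmailrc_line() {   # $1 = POP3 host, $2 = user name
    printf 'poll %s proto pop3 user "%s" ssl sslcertpath "%s"\n' "$1" "$2" "$TRUSTDIR"
}

make_self_signed pop.mail.example.net "$WORKDIR/myprovider.crt" "$WORKDIR/myprovider.key"
link=$(build_trust_dir "$WORKDIR/myprovider.crt")
echo "hash link: $link"
if verify_against_trust_dir "$WORKDIR/myprovider.crt"; then
    echo "provider cert verifies against $TRUSTDIR"
fi
# A different self-signed cert for the same name (one presented in place of
# the provider's) is not covered by the directory and must fail verification.
make_self_signed pop.mail.example.net "$WORKDIR/other.crt" "$WORKDIR/other.key"
if ! verify_against_trust_dir "$WORKDIR/other.crt"; then
    echo "unrelated self-signed cert is rejected"
fi
fetchmailrc_line pop.mail.example.net username
```

The negative check at the end is the point of a per-provider trust directory: it trusts exactly the certificate you placed there, so a different certificate for the same host name, even with the same CommonName, still fails. When the provider's certificate is signed by its own CA (as the Hostpoint log later in this thread shows), the file to place in the directory is the issuing CA certificate, not the server certificate, otherwise "unable to get local issuer certificate" remains.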

## tkhobbes

OK - one step further; I now get only this error message:

```
fetchmail: Server certificate verification error: certificate not trusted
```

Any more hints?

----------

## alex260978

Can you post your fetchmail log? For example:

```
fetchmail: POP3< +OK Gpop ready.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< USER
fetchmail: POP3< RESP-CODES
```

Otherwise I can't see what happened.

----------

## tkhobbes

Here you go:

```
fetchmail: 6.3.6 querying pop.mail.hostpoint.ch (protocol POP3) at Wed 31 Jan 2007 08:02:44 PM CET: poll started
Trying to connect to 217.26.49.202/110...connected.
fetchmail: POP3< +OK Hello there.
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Here's what I can do:
fetchmail: POP3< STLS
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 10
fetchmail: POP3< PIPELINING
fetchmail: POP3< UIDL
fetchmail: POP3< IMPLEMENTATION Courier Mail Server
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin SSL/TLS negotiation now.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Issuer Organization: Hostpoint GmbH
fetchmail: Issuer CommonName: hostpoint.ch
fetchmail: Server CommonName: *.mail.hostpoint.ch
fetchmail: pop.mail.hostpoint.ch key fingerprint: 2F:B6:9A:05:90:32:9B:D0:BA:D5:30:5C:10:F9:42:EE
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Here's what I can do:
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< LOGIN-DELAY 10
fetchmail: POP3< PIPELINING
fetchmail: POP3< UIDL
fetchmail: POP3< IMPLEMENTATION Courier Mail Server
fetchmail: POP3< .
fetchmail: pop.mail.hostpoint.ch: upgrade to TLS succeeded.
fetchmail: POP3> USER username
fetchmail: POP3< +OK Password required.
fetchmail: POP3> PASS *
fetchmail: POP3< +OK logged in.
fetchmail: POP3> STAT
fetchmail: POP3< +OK 0 0
fetchmail: No mail for mymail@mydomain.ch at pop.mail.hostpoint.ch
fetchmail: POP3> QUIT
fetchmail: POP3< +OK Bye-bye.
fetchmail: 6.3.6 querying pop.mail.hostpoint.ch (protocol POP3) at Wed 31 Jan 2007 08:02:45 PM CET: poll completed
fetchmail: normal termination, status 1
```

thomas

----------
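The log above, read by a small added shell script (not code from the thread): it pulls the polled host, the certificate's Server CommonName, the key fingerprint and any verification errors out of fetchmail's verbose output, and checks the name against the host with the single-label wildcard rule. The sample log is a trimmed copy of the posted one, embedded as a string. It shows why the only error left is "certificate not trusted": `*.mail.hostpoint.ch` does cover `pop.mail.hostpoint.ch`, so the name check passes and what is missing is a trust anchor for the issuer (Hostpoint GmbH) in the sslcertpath directory, whereas figueroa's `whoever.com != mail.mydomain.net` at the top of the thread is a genuine name mismatch. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: extract the certificate facts fetchmail
# prints in a -v log and check the Server CommonName against the polled host.
set -eu

# Constructed sample: a trimmed copy of the log posted in this thread.
SAMPLE_LOG='fetchmail: 6.3.6 querying pop.mail.hostpoint.ch (protocol POP3) at Wed 31 Jan 2007 08:02:44 PM CET: poll started
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin SSL/TLS negotiation now.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Issuer Organization: Hostpoint GmbH
fetchmail: Issuer CommonName: hostpoint.ch
fetchmail: Server CommonName: *.mail.hostpoint.ch
fetchmail: pop.mail.hostpoint.ch key fingerprint: 2F:B6:9A:05:90:32:9B:D0:BA:D5:30:5C:10:F9:42:EE
fetchmail: pop.mail.hostpoint.ch: upgrade to TLS succeeded.'

# Value after "fetchmail: <label>: " on the first matching line.
log_field() {   # $1 = log text, $2 = label (e.g. 'Server CommonName')
    printf '%s\n' "$1" | sed -n "s/^fetchmail: $2: //p" | head -n 1
}

# Host name from the "querying <host> (protocol ...)" line.
polled_host() {   # $1 = log text
    printf '%s\n' "$1" | sed -n 's/^fetchmail: [0-9.]* querying \([^ ]*\) .*/\1/p' | head -n 1
}

# Every verification error fetchmail reported, one per line.
verify_errors() {   # $1 = log text
    printf '%s\n' "$1" | sed -n 's/^fetchmail: Server certificate verification error: //p'
}

# Key fingerprint line (the value fetchmail's sslfingerprint option compares).
key_fingerprint() {   # $1 = log text
    printf '%s\n' "$1" | sed -n 's/^fetchmail: .* key fingerprint: //p' | head -n 1
}

# Does the certificate name $1 cover host $2?  A leading "*." matches exactly
# one label: "*.mail.hostpoint.ch" covers pop.mail.hostpoint.ch but neither
# mail.hostpoint.ch nor a.b.mail.hostpoint.ch.  Exit status 0 means it matches.
cn_matches_host() {   # $1 = CommonName from the certificate, $2 = polled host
    cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$cn" in
        '*.'*)
            suffix=${cn#\*.}
            case "$host" in
                ?*.*) [ "${host#*.}" = "$suffix" ] ;;   # drop one label, compare rest
                *)    return 1 ;;
            esac ;;
        *) [ "$cn" = "$host" ] ;;
    esac
}

# One-line summary of what the TLS step in the log tells a defender.
report() {   # $1 = log text
    host=$(polled_host "$1")
    cn=$(log_field "$1" 'Server CommonName')
    if cn_matches_host "$cn" "$host"; then name=match; else name=MISMATCH; fi
    printf 'host=%s cn=%s name=%s issuer=%s fingerprint=%s\n' \
        "$host" "$cn" "$name" "$(log_field "$1" 'Issuer CommonName')" "$(key_fingerprint "$1")"
    verify_errors "$1" | sed 's/^/verification error: /'
}

report "$SAMPLE_LOG"
```

The fingerprint the script extracts is the value that fetchmail's `sslfingerprint` option pins, which is the workaround tkhobbes mentions later in the thread. It silences the error by trusting one specific key rather than a CA, so it has to be updated by hand every time the provider rotates its certificate; installing the issuer's CA certificate in the sslcertpath directory is the fix that survives rotation.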

## alex260978

Hi, probably your provider only added POP support for a limited number of users, or your certificate is not updated.

There isn't any particular error in your log file; fetchmail seems to flush mail messages correctly.

----------

## ticho

*tkhobbes wrote:*

> I don't even understand why fetchmail all of a sudden uses certificates?

I remember seeing these warnings in old 6.2.x fetchmail as well, as far back as I have been using it with pop3/ssl.

----------

## tkhobbes

Well - I managed to work around the problem with the sslfingerprint option. However, it still seems somehow odd to me that I could not install the certificate...

----------

