[Eisfair] fetchmail with ssl

Steffen Gumpert segm at gmx.de
Tue Dec 31 17:37:56 CET 2013


On 31.12.2013, at 16:35, Holger Bruenjes <holgerbruenjes at gmx.net> wrote:

Hello Holger,

the revocation list was updated successfully.
> /etc/init.d/mail -debug restart fetchmail
produces more output, but comes down to the same result:

fetchmail: 6.3.26 querying pop.gmx.net (protocol POP3) at Tue, 31 Dec 2013 17:24:29 +0100 (CET): poll started
fetchmail: Trying to connect to 212.227.17.169/995...connected.
fetchmail: Certificate chain, from root to peer, starting at depth 3:
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Premium Server CA
fetchmail: Subject CommonName: Thawte Premium Server CA
fetchmail: Server certificate verification error: self signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from xyz at pop.gmx.net
fetchmail: 6.3.26 querying pop.gmx.net (protocol POP3) at Tue, 31 Dec 2013 17:24:29 +0100 (CET): poll completed
fetchmail: Merged UID list from pop.gmx.net: <empty>
fetchmail: Query status=2 (SOCKET)

fetchmail: 6.3.26 querying pop.1und1.com (protocol POP3) at Tue, 31 Dec 2013 17:24:28 +0100 (CET): poll started
fetchmail: awakened at Tue, 31 Dec 2014 17:24:28 (CET)
fetchmail: Trying to connect to 212.227.15.161/995...connected.
fetchmail: Certificate chain, from root to peer, starting at depth 2:
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Premium Server CA
fetchmail: Subject CommonName: thawte Primary Root CA
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about.  For details, please see the README.SSL-SERVER document that ships with fetchmail.
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from xyz at pop.1und1.com
fetchmail: 6.3.26 querying pop.1und1.com (protocol POP3) at Tue, 31 Dec 2013 17:24:28 +0100 (CET): poll completed
fetchmail: Merged UID list from pop.1und1.com: <empty>
fetchmail: Query status=2 (SOCKET)

Why is a self signed certificate flagged for GMX although it works for others?
For 1und1, fetchmail seems to skip a certificate, although the chain is displayed correctly locally ->
"starting at depth 2".

Regards, Steffen.
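
Added example, not part of the original message: the two OpenSSL verification errors in the log above, reproduced offline with `openssl verify` against a constructed three-level chain. Verify code 19 is "self signed certificate in certificate chain" and 20 is "unable to get local issuer certificate". All certificate names, file names and the `trust` directory are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed PKI: root -> intermediate -> server. All names are hypothetical.
mk_csr() {  # mk_csr NAME SUBJECT: writes NAME.key and NAME.csr
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null
}

build_demo_pki() {  # build_demo_pki DIR: chain files plus an empty trust directory
    ( cd "$1" && mkdir trust &&
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
      mk_csr root "/CN=Demo Root CA" &&
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 2 -out root.pem 2>/dev/null &&
      mk_csr int "/CN=Demo Intermediate CA" &&
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile ca.ext -days 2 -out int.pem 2>/dev/null &&
      mk_csr srv "/CN=pop.example.test" &&
      openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -days 2 -out srv.pem 2>/dev/null &&
      cat int.pem root.pem > with_root.pem )  # server also sends its root
}

verify_code() {  # verify_code TRUSTDIR SENT_CHAIN LEAF: prints 0 or the error number
    out=$(openssl verify -CApath "$1" -untrusted "$2" "$3" 2>&1) || true
    case $out in *": OK"*) echo 0; return 0 ;; esac
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

trust_root() {  # trust_root DIR [nohash]: install the root; the symlink is c_rehash's job
    cp "$1/root.pem" "$1/trust/root.pem"
    if [ "$2" != nohash ]; then
        ln -sf root.pem "$1/trust/$(openssl x509 -in "$1/root.pem" -noout -hash).0"
    fi
}

d=$(mktemp -d) && build_demo_pki "$d"
echo "root sent, not trusted:   code $(verify_code "$d/trust" "$d/with_root.pem" "$d/srv.pem")"
echo "root not sent or trusted: code $(verify_code "$d/trust" "$d/int.pem" "$d/srv.pem")"
trust_root "$d" nohash
echo "copied, no hash link:     code $(verify_code "$d/trust" "$d/with_root.pem" "$d/srv.pem")"
trust_root "$d"
echo "hash link present:        code $(verify_code "$d/trust" "$d/with_root.pem" "$d/srv.pem")"
rm -rf "$d"
```

Both errors disappear once the same root is present in the trust directory under its subject-hash name, which is the condition the fetchmail hint about c_rehash describes.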

