LinuxQuestions.org
Old 08-12-2018, 07:15 AM   #1
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Rep: Reputation: 0
Fetchmail and Server certificate verification error: unable to get local issuer certificate


OK, this is a familiar question. I'm not sure what I am missing to still get the local issuer certificate error, as when I ran the check with openssl I got success. I was under the impression all I needed was the Global CA certificate (the openssl output shows that it is all valid and acceptable).

Thanks!

running fetchmail with:

Code:
    fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc
/home/bloggs/fetchmailrc contains

Code:
poll outlook.office365.com localdomains ######## protocol pop3 port 995: envelope X-Envelope-To 
user #####@######## password ####### to * fetchall options ssl
/home/bloggs/certs contains

Code:
    lrwxrwxrwx   1           10 Aug  8 12:57 3513523f.0 -> CAROOT.pem
    -rw-------   1          1338 Aug  8 08:51 CAROOT.pem
With openssl:

Code:
    /usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995
outputs this:

Code:
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
    verify return:1
    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...snip...
    etc, etc, etc
    ...snip...  
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533743966
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
    ---
However, Fetchmail writes this to the mail log
Code:
starting fetchmail 6.3.26 daemon
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
Server certificate verification error: self signed certificate in certificate chain
Missing trust anchor certificate: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.

Last edited by Mr486; 08-12-2018 at 07:21 AM.
 
Old 08-12-2018, 07:18 AM   #2
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Original Poster
Rep: Reputation: 0
Empty post

Last edited by Mr486; 08-12-2018 at 07:19 AM.
 
Old 08-12-2018, 08:20 AM   #3
Mr486
Member
 
Registered: Nov 2013
Posts: 41

Original Poster
Rep: Reputation: 0
SOLVED

I believe the problem was that fetchmail had been built against a different SSL library to the one I ran the openssl test with. I have rebuilt fetchmail against that same library, 1.0.2n, and everything works as expected:

Code:
Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:56 2018: poll started
Trying to connect to 36.165.28.8/995...connected.
Certificate chain, from root to peer, starting at depth 2:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Global Root CA
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
Subject Alternative Name: *.nrb.footprintdns.com
Subject Alternative Name: *.hotmail.com
Subject Alternative Name: *.internal.outlook.com
Subject Alternative Name: *.live.com
Subject Alternative Name: *.office.com
Subject Alternative Name: *.office365.com
Subject Alternative Name: *.outlook.com
Subject Alternative Name: *.outlook.office365.com
Subject Alternative Name: attachment.outlook.live.net
Subject Alternative Name: attachment.outlook.office.net
Subject Alternative Name: attachment.outlook.officeppe.net
Subject Alternative Name: ccs.login.microsoftonline.com
Subject Alternative Name: ccs-sdf.login.microsoftonline.com
Subject Alternative Name: hotmail.com
Subject Alternative Name: mail.services.live.com
Subject Alternative Name: office365.com
Subject Alternative Name: outlook.com
Subject Alternative Name: outlook.office.com
Subject Alternative Name: substrate.office.com
Subject Alternative Name: substrate-sdf.office.com
outlook.office365.com key fingerprint: ###################################################
POP3< +OK The Microsoft Exchange POP3 service is ready. [###########################################################]
POP3> CAPA
POP3< +OK
POP3< TOP
POP3< UIDL
POP3< SASL PLAIN
POP3< USER
POP3< .
POP3> USER #######@################
POP3< +OK
POP3> PASS *
POP3< +OK User successfully logged on.
selecting or re-polling default folder
POP3> STAT
POP3< +OK 0 0
No mail for ######@###########at outlook.office365.com
POP3> QUIT
POP3< +OK Microsoft Exchange Server POP3 server signing off.
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:58 2018: poll completed
New UID list from outlook.office365.com: <empty>
not swapping UID lists, no UIDs seen this query
Query status=1 (NOMAIL)
sleeping at Sun Aug 12 14:12:58 2018 for 473 seconds
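
The fix in post #3 turns on which OpenSSL libraries the fetchmail binary loads compared with the `openssl` CLI used for the test. As an added example (not part of the thread), this script parses `ldd` output and checks the libssl/libcrypto paths against the CLI's prefix from the page, /usr/local/ssl; the function names are hypothetical and the sample `ldd` lines and library paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The ldd samples below are constructed.

# Print the resolved path of each libssl/libcrypto line in `ldd` output (stdin).
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
             if ($3 == "not") print "NOTFOUND:" $1; else print $3 }'
}

# Compare library paths on stdin with the prefix of the openssl CLI ($1).
# Returns 0 = all under the prefix, 1 = a library elsewhere or unresolved,
#         2 = no dynamic libssl/libcrypto (static build or no SSL support).
check_prefix() {
    prefix=${1%/}
    seen=0
    bad=0
    while read -r lib; do
        seen=1
        case $lib in
            "$prefix"/*) echo "ok       $lib" ;;
            *)           echo "MISMATCH $lib (expected under $prefix)"; bad=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 2
    return "$bad"
}

# $1 = ldd output for the fetchmail binary, $2 = prefix of the tested openssl.
check_fetchmail_ssl() {
    printf '%s\n' "$1" | ssl_libs_from_ldd | check_prefix "$2"
}

# Constructed sample: fetchmail linked against system libraries in /usr/lib.
LDD_SYSTEM='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000600000)'
# Constructed sample: fetchmail rebuilt against the OpenSSL in /usr/local/ssl.
LDD_REBUILT='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000000000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000200000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000600000)'

echo "before rebuild:"; check_fetchmail_ssl "$LDD_SYSTEM" /usr/local/ssl || echo "-> different library"
echo "after rebuild:";  check_fetchmail_ssl "$LDD_REBUILT" /usr/local/ssl && echo "-> same library"
```

On a live system, pass `"$(ldd "$(command -v fetchmail)")"` as the first argument. The first log on the page also shows fetchmail continuing after the failed verification; the `--sslcertck` option named in that warning makes the failure fatal.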
 
  

