Author Topic: fetchmail tummy ache google cert

Offline Almost-retired

« on: June 14, 2012, 05:30:41 AM »
Hi all;

fetchmail has started complaining, again.

Googling for the error suggests several things, none of which has been helpful.  I suspect the root cert for google has expired on my machine, but with no more verbosity than I seem to be able to coax out of it, that is at best a SWAG.
c_rehash, as suggested by the error message, failed until I did a mkdir /usr/lib/ssl and copied the /etc/pki/tls/openssl.cnf to /usr/lib/ssl/openssl.cnf, but that now makes 5 copies of openssl.cnf on the system, and the scattering of certs and root-certs all over the system, almost like somebody was playing 52 pickup, gets confusing.

Asking certutil to spit out a list comes back empty for both me and root!  As in:
[root@coyote tls]# certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
And:
[gene@coyote ~]$ certutil -d sql:$HOME/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

It seems to me that certutil should provide a means to query the server, I think gmail in this case, obtain a copy of that server's root cert and install it in my database, wherever the real database is, but there are no man or info pages for it, and --help doesn't spit out anything that is all that obvious to me.

The fetchmail mewling looks like this:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)

And then proceeds to pull the mail anyway.

The fix is?

Thanks folks.

Cheers, Gene
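
Added example, not part of the original post: an offline reproduction of the "unable to get local issuer certificate" error quoted above, showing why a CA file merely copied into a certificate directory (the kind --sslcertpath points at) is not found until the subject-hash link that c_rehash creates exists. The CA, the server name and all paths are constructed for the demonstration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example. All names, subjects and paths below are constructed.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Build a throwaway CA and a server certificate signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Constructed Demo/CN=Constructed Demo Authority" \
    -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$work/leaf.csr" -days 1 -CA "$work/ca.pem" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$work/leaf.pem" 2>/dev/null
}

# Verify the server certificate against the CA directory given as $1.
# Echoes "OK" or the OpenSSL error text; never aborts the script.
verdict() {
  out=$(openssl verify -CApath "$1" "$work/leaf.pem" 2>&1) || true
  case $out in
    *": OK"*) echo "OK" ;;
    *) echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' ;;
  esac
}

# Copy the CA in and add the <subject-hash>.0 link that c_rehash would create.
install_ca() {
  cp "$work/ca.pem" "$1/demo-ca.pem"
  hash=$(openssl x509 -noout -hash -in "$1/demo-ca.pem")
  ln -sf demo-ca.pem "$1/$hash.0"
}

make_test_pki
certs="$work/certs"; mkdir "$certs"
echo "empty directory:     $(verdict "$certs")"
cp "$work/ca.pem" "$certs/demo-ca.pem"
echo "CA copied, no hash:  $(verdict "$certs")"
install_ca "$certs"
echo "after hash link:     $(verdict "$certs")"
```

OpenSSL looks certificates up in such a directory by the subject-hash file name only, so the middle case fails exactly like the empty directory.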