On 10/23/10 16:06, Nathan Stratton Treadway wrote:
[snip]
As I mentioned before, I haven't had to install private copies of the
root CA certificate myself, but as far as I understand the following
should work:
* clear out the files currently in ~/.mutt/cert (you can save them
somewhere else if you like)
Done that
* Go to
https://www.geotrust.com/resources/root-certificates/index.html
and download the base-64 encoded version of the "Root 1 - Equifax
Secure Certificate Authority" certificate. Save it into a file
in your ~/.mutt/cert/ directory with the extension ".pem".
("Equifax_Secure_CA.pem" is the name used in Debian).
Done
* run "c_rehash ." within that cert directory. That should
create a symlink named 594f1775.0 pointing to the .pem file.
Though my link was named: 578d5c04.0 -> Equifax_Secure_CA.pem
At that point, your .fetchmailrc line of
poll pop.gmail.com with proto POP3 and options no dns user
'syscon...@gmail.com' password 'xxxxxxxxxxx' options ssl sslcertck sslcertpath
/home/joseph/.mutt/cert/
should work. (Note that you do need the @gmail.com part on the
username, since GMail supports 'hosted' domains as well;
'syscon...@example.com' would be a different GMail user.)
poll pop.gmail.com with proto POP3 and options no dns user 'syscon780' password
'xxxxxx' options ssl sslcertck sslcertpath '/home/joseph/.mutt/cert/'
does not work :-/ I get:
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
24895:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from syscon...@pop.gmail.com
fetchmail: Query status=2 (SOCKET)
I'm not very familiar with Gentoo, but a quick Google search turned up
the ca-certificates ebuild:
I had this package installed; anyhow, I reinstalled it and cleaned up some old links, and even pointing to this directory, '/etc/ssl/certs', for certificates does not help.
poll pop.gmail.com with proto POP3 and options no dns user 'syscon780' password
'xxxxxx' options ssl sslcertck sslcertpath '/etc/ssl/certs'
http://packages.gentoo.org/package/app-misc/ca-certificates
, which seems to be based off the Debian package of the same name. So I
suspect if you installed that ebuild you'd find that the
Equifax_Secure_CA.pem file was already installed on your system, and
that you could skip the ~/.mutt/certs/ directory and the "sslcertpath"
option in your fetchmailrc file entirely. In addition to saving the
up-front configuration effort, the big advantage of that approach is that
fetchmail would continue to work even if GMail switched to using a
different root CA to sign its certificates.
(If that doesn't work, though, you might have more luck finding a
solution in some more Gentoo-specific forum.)
Hope that helps.
Nathan
I think I'll have to ask other Gentoo users about it.
--
Joseph
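
The thread shows two different link names for the same Equifax_Secure_CA.pem file (594f1775.0 and 578d5c04.0); OpenSSL 1.0.0 and later compute the subject hash used for these names differently from earlier versions, which is one way a c_rehash directory ends up with links the verifying library does not look up. The following is an added example, not part of the original messages: a small audit of a certificate directory that reports, for each .pem file, whether it has a link under the current hash, only under the old-style hash, or none, plus any dangling links. It assumes an `openssl` binary (1.0.0 or later, for `-subject_hash_old`) on the PATH; the function names `openssl_hashes` and `audit_capath` are made up for this example.

```python
import os
import re
import subprocess
import sys

LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")  # hash link names such as 578d5c04.0


def openssl_hashes(pem_path):
    """Return (current_hash, old_style_hash) as computed by the installed openssl."""
    def run(flag):
        cmd = ["openssl", "x509", "-noout", flag, "-in", pem_path]
        return subprocess.run(cmd, capture_output=True, text=True,
                              check=True).stdout.strip()
    return run("-subject_hash"), run("-subject_hash_old")


def audit_capath(capath, hasher=openssl_hashes):
    """Return a list of (status, filename) findings for a c_rehash-style directory."""
    links = {}  # link name -> resolved target path, or None if the target is missing
    for name in sorted(os.listdir(capath)):
        full = os.path.join(capath, name)
        if LINK_RE.match(name) and os.path.islink(full):
            links[name] = os.path.realpath(full) if os.path.exists(full) else None

    findings = [("dangling-link", n) for n, t in links.items() if t is None]
    for name in sorted(os.listdir(capath)):
        if not name.endswith(".pem"):
            continue
        pem = os.path.join(capath, name)
        current, old = hasher(pem)
        # Hash prefixes of every link that resolves to this certificate file.
        mine = {n.split(".")[0] for n, t in links.items()
                if t == os.path.realpath(pem)}
        if current in mine:
            findings.append(("ok", name))
        elif old in mine:
            findings.append(("old-style-link-only", name))
        else:
            findings.append(("no-link", name))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for status, name in audit_capath(target):
        print(f"{status:22} {name}")
```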