Re: fetchmail - google certificate

[Joseph]

On 10/22/10 23:21, Joseph wrote:
I'm using fetchmail to pull mail from google but lately I've been getting this 
error:
fetchmail: Server certificate verification error: unable to get local issuer 
certificate
fetchmail: This means that the root signing certificate (issued for 
/C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA 
certificate
locations, or that c_rehash needs to be run on the certificate directory. For 
details, please see the documentation of --sslcertpath and --sslcertfile in the
manual page.
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Warning: the connection is insecure, continuing anyways. (Better use 
--sslcertck!)

I've tried to set option "sslcertck" in fetchmailrc
poll pop.gmail.com with proto POP3 and options no dns user 
'syscon...@gmail.com' password 'xxxxxxxxxxx' options ssl sslcertck

but it gives me an error.
How to use this option?

--
Joseph

I used this command to obtain the certificates:
openssl s_client -connect pop.gmail.com:995 -showcerts

So I assumed the top certificate is Google
the bottom one is Equifax
Can anybody verify it? Someone suggested that the bottom one is not Equifax 
certificate.

---------copy-----------------
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
MIIDWjCCAsOgAwIBAgIKFNMahgADAAASkDANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMDA0MjIyMDExMjNaFw0xMTA0MjIyMDIxMjNa
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC701lFBdiiC0BB
JEo2U1wmmS6Gv+qr4bjG6xeCSgb0UGI2vN1ifYyrf/wj1jBLupou+Ds+s0zLzE5Y
vsADQvu+pkDXoOcnK2YxiOiuZaGOSRKC2b0rbg4oYyS1TogEBcX+KpUxWQNpccW6
FPzpSVtmiG4azMUIR0mM2HERnwke/wIDAQABo4IBLDCCASgwHQYDVR0OBBYEFJr4
/CBophXvQNM/AFWw8zu5EXKiMB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrj
axIkMFsGA1UdHwRUMFIwUKBOoEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29v
Z2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3Js
MGYGCCsGAQUFBwEBBFowWDBWBggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGlj
LmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhv
cml0eS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkq
hkiG9w0BAQUFAAOBgQDETrSXXdPv8yvPZ5cR8yupyXlHzUvA5rNVFzOmBE/QCrNx
wLHDMP36+axPMWp+uraNfsc798zHES0GDgz+P97KItu8T75ysvjUUpWKeeuHcYHh
QSGi5iYB7XxEB9oCnSC9tpq8el2/mWFvVJSO69bO+zDOqgFPJ/GZYIxWgglMqA==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIICsDCCAhmgAwIBAgIDC2dxMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNjA4MjA0MzI3WhcNMTMwNjA3MTk0MzI3
WjBGMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZ
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAye23pIucV+eEPkB9hPSP0XFjU5nneXQUr0SZMyCSjXvlKAy6rWxJfoNf
NFlOCnowzdDXxFdF7dWq1nMmzq0yE7jXDx07393cCDaob1FEm8rWIFJztyaHNWrb
qeXUWaUr/GcZOfqTGBhs3t0lig4zFEfC7wFQeeT9adGnwKziV28CAwEAAaOBozCB
oDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFL/AMOv1QxE+Z7qekfv8atrjaxIk
MB8GA1UdIwQYMBaAFEjmaPkr0rKV10fYIyAQTzOYkJ/UMBIGA1UdEwEB/wQIMAYB
Af8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20v
Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde
BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN
0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml
UUIuOss4jHg7y/j7lYe8vJD5UDI=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1845 bytes and written 393 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: D2227C802AE50894125E4D2BE3295D40025ABFA985C502640AF686D280B63666
    Session-ID-ctx:
    Master-Key: 
54B347573E88624564E4ECBD278DE5F6A8DE99568C328047C3A5D7378B011384FE270752012731B00018C455FD73AF25
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 59 91 3e e9 f6 d3 78 f8-0a 17 37 d5 aa c7 2c 29   Y.>...x...7...,)
    0010 - f1 5c f5 12 bc 70 38 30-eb d9 af 71 6e b9 cd 3b   .\...p80...qn..;
    0020 - 07 11 3a ab f8 7c 07 99-19 63 81 b7 b5 08 01 09   ..:..|...c......
    0030 - 0c c2 53 c5 57 c5 b9 36-57 29 6e f7 6c df 79 6e   ..S.W..6W)n.l.yn
    0040 - 09 8d 61 51 c9 34 d1 e8-75 78 22 c2 52 55 a0 5b   ..aQ.4..ux".RU.[
    0050 - d5 e4 77 ba c5 45 33 1c-0f ea 54 84 80 93 ba 38   ..w..E3...T....8
    0060 - 8b 90 27 01 f0 59 05 16-7b a0 c6 80 ef ba e5 90   ..'..Y..{.......
    0070 - 54 ca b7 bd 43 49 bb 09-27 f6 ef cc 35 ca 7b f5   T...CI..'...5.{.
    0080 - 47 44 17 86 5a 66 97 b9-17 bb e0 81 b9 e3 8f 25   GD..Zf.........%
    0090 - bf d7 bd 9f                                       ....

    Start Time: 1287859532
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 68.148.245.78 f8pf20461688ibu.31

-ERR bad command f8pf20461688ibu.31
read:errno=0
-----------end copy--------------- 

--
Joseph