[aklug] Re: Fetchmail :: suppressing 'local issuer certificate' complaints

From: R Denison <gaijin@gci.net>
Date: Wed Oct 19 2011 - 02:51:54 AKDT

On 10/18/2011 03:24 PM, Tim Johnson wrote:
> I've been as of lately setting up email on a mac mini with Lion (OSX
> 10.7).

Just to verify I'm attempting to offer a solution to the correct problem:

   You don't want the error messages shown.

Possible solutions:

   --silent passed as a parameter to your fetchmail invocation may
suppress these messages, as you're not using the --sslcertck parameter.
  Can't hurt to try.

   Append "2>&1 > /dev/null" to the end of your fetchmail command. This
forces anything written to STDERR to be re-directed to STDOUT, and then
dumped to /dev/null. Not a great solution as it may dump other useful
messages as well.

Better solutions:

   See if it's possible to use the MacOSX CA certs instead - frankly
this doesn't sound like it will bear fruit (no pun intended), as it
looks like OSX has moved away from OpenSSL to their "Common Crypto"
libraries (1).

   Find the location openssl is searching for the CA cert files and add
the appropriate CA certs; looks like this is reasonably well documented
for a different provider here:


   THERE ARE DIFFERENCES: for example, where they used 'wget' to
download the CA Certs for their Certificate provider? Won't work here.
  You should be able to get the correct certs from the certificates
installed with a reasonably current Linux install (E.G. Ubuntu 10.10 has
links to them in /etc/ssl/certs, or you can find the cert files in

   You should be able to get the names of the certs you need by
executing this command:

   openssl s_client -connect host266.hostmonster.com:995
   Certificate chain
    0 s:/OU=Domain Control Validated/OU=PositiveSSL
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA
   Limited/CN=PositiveSSL CA
    1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA
   Limited/CN=PositiveSSL CA
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http:
    2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http:
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
   External CA Root

   Starting from the bottom and working up:




   Last one I had to guess at - there are several Comodo CA certs, to
verify I had the right one I ran the following command:

   openssl x509 -text -in

   Please, exercise caution in getting the certificates you need. Don't
accept them from any random jack-wagon on the Internet - installing CA
certificates from unvetted sources is an excellent way to eliminate any
security you might have gotten from using SSL in the first place.

   And when you're done, you can verify it works using this command:

   openssl s_client -verify 3 -CApath $YOUR_CERT_DIRECTORY -connect

   Look for the following code near the very bottom of the (copious) output:

     Verify return code: 0 (ok)


To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Wed Oct 19 02:52:12 2011

This archive was generated by hypermail 2.1.8 : Wed Oct 19 2011 - 02:52:12 AKDT