[fetchmail-users] What is a "local issuer certificate"?
matthias.andree at gmx.de
Sat Jul 1 20:58:06 CEST 2006
Paul Elliott <pelliott at io.com> writes:
> I am not an expert on ssl so this does not really answer my
You need the root certificate that this...
> I got one certificate from the imap server at mail.io.com
> by doing the following:
> openssl s_client -connect mail.io.com:993 -showcerts
...certificate was signed with.
(few minutes later)
The necessary root certificate can be downloaded here:
Under Root 4, download "Download - Equifax Secure eBusiness CA-1
(Base-64 encoded X.509)" and save it to a file. Then rename the
downloaded *.cer file so it has a .pem ending (it's in PEM format, but
it needs a .pem suffix for c_rehash to recognize it) and
move it into your .ssl/certs, then run c_rehash ~/.ssl/certs.
You already have "sslcertpath /home/pelliott/.ssl/certs", so that part
is covered. After the installation of that certificate, you can remove
the sslfingerprint option.
> and the io.pem was supposed to be signed by equifax so I should
> have the certificate for equifax that signed io.pem.
Yet you don't. Equifax issued more than one certificate.
> My .fetchmailrc looks like (with password XXXXed):
> # Configuration created Mon Jun 19 10:26:45 2006 by fetchmailconf 1.52 $Revision: 4636 $
> set postmaster "pelliott"
> set bouncemail
> set no spambounce
> set properties ""
> poll mail.io.com with proto IMAP
> user 'pelliott' there with password 'XXXXXXX' is 'pelliott' here sslcertpath /home/pelliott/.ssl/certs sslfingerprint "5D:1F:EF:5B:2C:C6:72:07:D4:18:D1:D3:15:8F:4F:1B"
> I am still getting the error message.
Which means your fetchmail version is older than 6.3.4.
> My question was does "local issuer certificate" refer to?
The root certificate.
> The certificate I got from the imap server at mail.io.com or does it
> refer to a self signed certificate describing my fetchmail client?
> How do I create/get one in any case?
> The fetchmail documentation describes the --sslcert and --sslkey
> parameters and how they should point to certifications and keys.
> But this stuff is going to be used by a lot of ignorant people
> like me, it does not tell how to get and/or create such keys.
> I can't seem to figure it out.
Your ISP should have provided the necessary instructions. Please ask
them to provide instructions and the necessary root certificate.
More information about the fetchmail-users