[fetchmail-users] What is a "local issuer certificate"?

Matthias Andree matthias.andree at gmx.de
Sat Jul 1 20:58:06 CEST 2006


Paul Elliott <pelliott at io.com> writes:

> I am not an expert on ssl so this does not really answer my
> question.

You need the root certificate that this...

>
> I got one certificate from the imap server at mail.io.com
> by doing the following:
>
> openssl s_client -connect mail.io.com:993 -showcerts

...certificate was signed with.

(few minutes later)

The necessary root certificate can be downloaded here:
<http://www.geotrust.com/resources/root_certificates/index.asp>

Under Root 4, download "Download - Equifax Secure eBusiness CA-1
(Base-64 encoded X.509)" and save it to a file. Then rename the
downloaded *.cer file so it has a .pem ending (it's in PEM format, but
it needs a .pem suffix for c_rehash to recognize it) and
move it into your .ssl/certs, then run c_rehash ~/.ssl/certs.

You already have "sslcertpath /home/pelliott/.ssl/certs", so that part
is covered. After the installation of that certificate, you can remove
the sslfingerprint option.

> and the io.pem was supposed to be signed by equifax so I should
> have the certificate for equifax that signed io.pem.

Yet you don't. Equifax issued more than one certificate.

> My .fetchmailrc looks like (with password XXXXed):
>
> # Configuration created Mon Jun 19 10:26:45 2006 by fetchmailconf 1.52 $Revision: 4636 $
> set postmaster "pelliott"
> set bouncemail
> set no spambounce
> set properties ""
> poll mail.io.com with proto IMAP
>        user 'pelliott' there with password 'XXXXXXX' is 'pelliott' here sslcertpath /home/pelliott/.ssl/certs sslfingerprint "5D:1F:EF:5B:2C:C6:72:07:D4:18:D1:D3:15:8F:4F:1B"
> #sslcertck
>
> I am still getting the error message.

Which means your fetchmail version is older than 6.3.4.
Please update.

> My question was what does "local issuer certificate" refer to?

The root certificate.

> The certificate I got from the imap server at mail.io.com or does it
> refer to a self signed certificate describing my fetchmail client?

Neither.

> How do I create/get one in any case?

See above.

> The fetchmail documentation describes the --sslcert and --sslkey
> parameters and how they should point to certifications and keys.

No.

> But this stuff is going to be used by a lot of ignorant people
> like me, it does not tell how to get and/or create such keys.
> I can't seem to figure it out.

Your ISP should have provided the necessary instructions. Please ask
them to provide instructions and the necessary root certificate.

-- 
Matthias Andree
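
The install step described in this message, reproduced offline as an added example (not part of the original post): a constructed throwaway CA and server certificate stand in for the Equifax root and the mail.io.com certificate, and the hash symlink is made by hand in place of running c_rehash. The names demo-root.pem, "Demo Root CA" and mail.example.test are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo data: a throwaway root CA and server certificate stand in
# for the issuing root and the IMAP server certificate from the thread.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
certs="$work/certs"            # plays the role of the sslcertpath directory
mkdir "$certs"

make_chain() {
    # Self-signed root CA, saved with a .cer suffix like the download.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" \
        -keyout "$work/root.key" -out "$work/root.cer" 2>/dev/null
    # Server key and CSR, then a server certificate signed by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
    openssl x509 -req -in "$work/server.csr" -days 2 \
        -CA "$work/root.cer" -CAkey "$work/root.key" -CAcreateserial \
        -out "$work/server.pem" 2>/dev/null
}

check_server() {
    # Look the issuer up in the hashed certificate directory.
    openssl verify -CApath "$certs" "$work/server.pem" 2>&1
}

install_root() {
    # Give the root a .pem name, then create the <subject-hash>.0 symlink
    # by hand; this is the link c_rehash would create for this file.
    cp "$work/root.cer" "$certs/demo-root.pem"
    hash=$(openssl x509 -noout -hash -in "$certs/demo-root.pem")
    ln -s demo-root.pem "$certs/$hash.0"
}

make_chain
before=$(check_server) || true   # root not installed yet: lookup fails
install_root
after=$(check_server) || true    # root installed: chain verifies
printf 'before install:\n%s\n\nafter install:\n%s\n' "$before" "$after"
```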


